CAS Implementation at Oakland University

Lee Foltz, Senior Identity Systems Engineer, Oakland University
Brandon Powell, Java Developer Analyst, Oakland University
Rachel Glomski, Student Java Developer, Oakland University

Posted on 24-Jul-2015

Oakland University
20,000+ Active Students
5,000+ Faculty & Staff

Location: Rochester Hills, MI

Topics

● Environment configuration
● The service manager
● Our build process
● How we use Maven filters
● The awesomeness of Maven overlays
● How to stay up to date with new versions of CAS
● Integration with Google Apps for Education
● Integration with Banner
● CAS web services
● Adding a custom theme to show institution's colors

Terms to Know

CAS - Central Authentication Service
Used for single sign-on environments; protects user credentials

SSO - Single Sign-On
Authenticate once for access to many applications

SAML - Security Assertion Markup Language
Used in exchanging authentication data between a user and a service

REST - Representational State Transfer
Architectural style applied to web applications

Maven - Apache Maven is a software project management and comprehension tool. Based on the concept of a project object model (POM), Maven can manage a project's build, reporting and documentation

Overview Of What CAS Can Do

● A single sign on authentication service

● Can be opened up to the outside world

● Hides the directory server (LDAP, AD) from outside attackers

● Protects the users' credentials; no passwords are sent to the service

Environment Configuration

● CAS 3.5.2.1
● RHEL5 64-bit
● Java 7
● Maven 3
● Tomcat 7

Physical Servers:
2 Quad Core Xeons, 8 cores hyper-threaded
12GB of RAM

Load balanced via BIG-IP F5
Primary/slave configuration
15 second probe before failover

Oakland University CAS

CAS Service Manager

● The service manager allows CAS to be closed off
● Only services we allow are granted access to our CAS server
● The file can be edited on the fly
● No need to restart CAS
● Made up of a simple JSON (JavaScript Object Notation) file, so it is easy to read

CAS Service Manager Config File

Service Is Not Allowed

Service Is Allowed
https://cas.oakland.edu/cas/login?service=https://mysail.oakland.edu/uPortal/Login

If the login credentials are correct, we will be allowed in
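The allowed/not-allowed decision on the two slides above, as an added example that is not part of the original presentation or of CAS's own code: a small Python model of a JSON service registry in which the service parameter of an incoming /cas/login URL is checked against the registered services before any credentials are considered. The registry file below is constructed for the example (CAS's real JSON registry carries more fields), and the Ant-style matching of the serviceId pattern (** spanning slashes, * within one path segment) is an assumption that approximates the behaviour described on the slides.

```python
"""Added example: a service-registry check modelled on the CAS service manager.

Illustrative code for this page, not CAS's own implementation. The registry
JSON and the Ant-style pattern matching are constructed/assumed for the example.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed registry: one entry per allowed service pattern.
# The trailing "/**" matters: the scheme and host are matched literally, so only
# URLs under that exact host are accepted.
SERVICE_REGISTRY_JSON = """
{
  "services": [
    {"id": 1, "name": "uPortal",
     "serviceId": "https://mysail.oakland.edu/**", "enabled": true},
    {"id": 2, "name": "Retired app",
     "serviceId": "https://legacy.example.edu/login", "enabled": false}
  ]
}
"""


def ant_pattern_to_regex(pattern):
    """Translate an Ant-style pattern into an anchored regular expression."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")        # any run of characters, slashes included
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")     # any run of characters within one path segment
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def load_registry(raw_json):
    """Parse the registry and precompile a matcher for every enabled entry."""
    entries = json.loads(raw_json)["services"]
    return [(e, ant_pattern_to_regex(e["serviceId"]))
            for e in entries if e.get("enabled", True)]


def find_service(registry, service_url):
    """Return the registry entry that authorises service_url, or None."""
    for entry, matcher in registry:
        if matcher.match(service_url):
            return entry
    return None


def service_from_login_url(login_url):
    """Pull the service parameter out of a /cas/login URL (None when absent)."""
    query = parse_qs(urlsplit(login_url).query)
    return query.get("service", [None])[0]


def is_login_allowed(registry, login_url):
    """Decide whether a /cas/login request names a registered service.

    The service parameter is where CAS would send the ticket, so an unregistered
    value is refused before the user is ever asked for credentials.
    """
    service = service_from_login_url(login_url)
    if service is None:
        raise ValueError("login URL carries no service parameter")
    return find_service(registry, service) is not None


if __name__ == "__main__":
    registry = load_registry(SERVICE_REGISTRY_JSON)
    for url in (
        "https://cas.oakland.edu/cas/login?service=https://mysail.oakland.edu/uPortal/Login",
        "https://cas.oakland.edu/cas/login?service=https://unknown.example.org/app",
    ):
        verdict = "allowed" if is_login_allowed(registry, url) else "not allowed"
        print(url, "->", verdict)
```

The disabled entry shows why the registry is read at match time rather than at startup: flipping "enabled" in the file is enough to cut a service off, which is the "edited on the fly, no restart" property the slides describe.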

Build Process - Maven Filters

● Allows injection of data into the web application

● Keeps sensitive data outside the source code repository

● Only have to update information in one place

● Modify the filter data and restart Tomcat
● No need to recompile

Using Maven Filters

A couple of different ways to do it:

● Set properties in settings.xml in the .m2 folder
● Use a filters file
● Many more

Oakland University uses the first way

Filters In .m2 Directory
settings.xml configuration
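How the filter values travel from the build host into the webapp, as an added example that is not part of the presentation or of Maven's own code: a Python model of the ${...} substitution Maven resource filtering performs, plus the check a practitioner wants around it. Maven leaves a token literally in place when no property defines it, so a deployed file can end up containing the text ${ldap.bindPassword}; the example flags such leftovers so the build can fail instead. The property names, the values and the Spring bean fragment are all constructed for the example and are not Oakland University's configuration.

```python
"""Added example: resolve ${...} tokens the way Maven resource filtering does
and report any token that no filter property defines.

Illustrative code for this page, not Maven's own implementation. Property names,
values and the template fragment are constructed for the example.
"""
import re

TOKEN = re.compile(r"\$\{([^}]+)\}")

# Constructed stand-in for the <properties> block of a profile in ~/.m2/settings.xml.
# These values stay on the build host and never enter the source repository.
SETTINGS_PROPERTIES = {
    "ldap.url": "ldap://directory.example.edu:389",
    "ldap.bindDn": "cn=cas,ou=service,dc=example,dc=edu",
    "ldap.bindPassword": "example-only-not-a-real-secret",
}

# Constructed template as it might sit under the overlay's src/main/webapp/WEB-INF.
# Note that ldap.pooled is referenced but defined nowhere above.
TEMPLATE = """<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="url" value="${ldap.url}"/>
  <property name="userDn" value="${ldap.bindDn}"/>
  <property name="password" value="${ldap.bindPassword}"/>
  <property name="pooled" value="${ldap.pooled}"/>
</bean>
"""


def apply_filters(template, properties):
    """Return (filtered_text, unresolved_token_names).

    Tokens with a matching property are replaced; the rest are left exactly as
    Maven would leave them, and their names are collected for the caller.
    """
    unresolved = []

    def substitute(match):
        name = match.group(1)
        if name in properties:
            return properties[name]
        unresolved.append(name)
        return match.group(0)

    return TOKEN.sub(substitute, template), unresolved


def filter_or_fail(template, properties):
    """Filter the template, refusing to produce output with tokens left behind."""
    text, missing = apply_filters(template, properties)
    if missing:
        raise ValueError("unresolved filter tokens: " + ", ".join(sorted(set(missing))))
    return text


if __name__ == "__main__":
    text, missing = apply_filters(TEMPLATE, SETTINGS_PROPERTIES)
    print(text)
    print("unresolved:", missing)
```

Running the check as part of the build (or against the exploded war after deployment) catches the case where a property was added to the overlay but never to the build host's settings.xml, which is the downside of keeping the values outside the repository.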

Build Process - Maven Overlays

● Leave the base webapp alone; edit files in your overlay directory

● In the pom.xml of your overlay directory, add the base webapp as a dependency:

<dependency>
  <groupId>edu.oakland.example</groupId>
  <artifactId>base-app</artifactId>
  <version>1.0-SNAPSHOT</version>
  <type>war</type>
</dependency>

Example - Maven Overlays

The base application is what our overlay is built off of; we don’t change the files in the base. The base-app has already been compiled.

The overlay is where we make changes to the files. Only these files are compiled when this webapp is built. Files in the overlay will overwrite any base-app counterparts during compilation.

Build Process - Staying Up To Date

Edit the pom.xml and bump the version number up for cas-server-core:

Integrating Google Apps

The CAS Side Of Google

● We use custom code developed by Unicon to connect to Google.

● The user's NetID is passed to Google

● Need to have the Google private key added to the exploded war file

For more information go here:
https://wiki.jasig.org/display/CASUM/SAML+2.0+(Google+Accounts+Integration)

*Note that CAS 4.0 works differently for Google

Integrating Banner

We use Banner Self Service version 8

There is great documentation on the Apereo Wiki

https://wiki.jasig.org/display/UPC/CASifying+Banner+Self+Serve

If you use Banner XE:
CAS is supported out of the box

CAS Web Services

From the Apereo wiki: Applications need to programmatically access CAS. Generally, proxying works for this. However, there are cases where an application needs to access a resource as itself, in which case proxying doesn't make any sense.

REST is where it’s at!

The bare minimum version to support the REST API in CAS is 3.5.2

Uses For CAS Web Services

● Apps, apps, apps!

● Android and iOS applications can use CAS for authentication

● More secure and better than web scraping

● Enables an SSO environment for mobile devices

Configuration

● Need to edit the web.xml

● Requires new dependencies

● Depending on the version of CAS used, some dependencies need to be excluded.

https://wiki.jasig.org/display/casum/restful+api
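The exchange a mobile or server-side application goes through when it uses the REST API to authenticate as itself, as an added example that is not part of the presentation or of CAS's REST implementation: both the client's requests and the server's responses are modelled in-process in Python. The paths follow the CAS REST protocol (POST /cas/v1/tickets returns 201 Created with the ticket-granting ticket in the Location header; POST /cas/v1/tickets/{TGT} with a service parameter returns a service ticket; GET /cas/serviceValidate checks it). The in-memory server, its credential store, the ticket format and the allowed-service list are constructed for the example, and the 4xx codes on the failure paths are this example's choice rather than a statement of what a given CAS version returns.

```python
"""Added example: the CAS REST ticket lifecycle, client and server side.

Illustrative code for this page, not CAS's own implementation. The server is an
in-memory stand-in; users, services and ticket strings are constructed.
"""
import secrets
from urllib.parse import parse_qs, urlencode


def form(**fields):
    """Encode a request body as application/x-www-form-urlencoded."""
    return urlencode(fields)


class MiniCasServer:
    """Just enough server-side state to show how the tickets relate."""

    def __init__(self, users, allowed_services):
        self.users = users                       # netid -> password (constructed)
        self.allowed_services = set(allowed_services)
        self.tgts = {}                           # TGT id -> netid
        self.sts = {}                            # ST id -> (netid, service)

    def post_tickets(self, body):
        """POST /cas/v1/tickets with username=..&password=.. -> (status, headers)."""
        fields = parse_qs(body)
        user = fields.get("username", [""])[0]
        password = fields.get("password", [""])[0]
        stored = self.users.get(user)
        if stored is None or not secrets.compare_digest(stored, password):
            return 400, {}                       # credentials rejected; no ticket issued
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt] = user
        return 201, {"Location": "/cas/v1/tickets/" + tgt}

    def post_service_ticket(self, tgt, body):
        """POST /cas/v1/tickets/{TGT} with service=<url> -> (status, service ticket)."""
        user = self.tgts.get(tgt)
        if user is None:
            return 404, ""                       # unknown or expired TGT
        service = parse_qs(body).get("service", [""])[0]
        if service not in self.allowed_services:
            return 403, ""                       # service manager refuses unregistered services
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (user, service)
        return 200, st

    def service_validate(self, service, ticket):
        """GET /cas/serviceValidate?service=..&ticket=.. -> (status, netid or None).

        A service ticket is consumed on first use and is only valid for the
        service it was issued to; a failed validation is modelled as None.
        """
        entry = self.sts.pop(ticket, None)
        if entry is None or entry[1] != service:
            return 200, None
        return 200, entry[0]

    def delete_tgt(self, tgt):
        """DELETE /cas/v1/tickets/{TGT} ends the single sign-on session."""
        return 200 if self.tgts.pop(tgt, None) else 404


def app_login(server, netid, password, service):
    """Client side: obtain a TGT, then an ST for the service, then validate it.

    Returns the authenticated NetID, or None when any step is refused. The TGT is
    kept on success so later service tickets can be requested without the password.
    """
    status, headers = server.post_tickets(form(username=netid, password=password))
    if status != 201:
        return None
    tgt = headers["Location"].rsplit("/", 1)[1]
    status, st = server.post_service_ticket(tgt, form(service=service))
    if status != 200:
        server.delete_tgt(tgt)
        return None
    _, user = server.service_validate(service, st)
    return user


if __name__ == "__main__":
    server = MiniCasServer({"jdoe": "constructed-password"}, ["https://api.example.edu/mobile"])
    print(app_login(server, "jdoe", "constructed-password", "https://api.example.edu/mobile"))
```

Two properties worth noticing in the model: the password is sent exactly once, to CAS, and never to the service (the slide's "no passwords are sent to the service"), and the service ticket is single-use and bound to one service, so a ticket captured for one application cannot be replayed against another.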

Dependencies To Exclude

Custom Themes

● Maven overlays to the rescue!
● In your CAS overlay go to this directory (or create it if it is not there):
  src/main/webapp/WEB-INF/view/jsp/default/ui
● Override any of these files:
  https://github.com/Jasig/cas/tree/master/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui
● Add custom CSS to fit the style of your institution

We only overrode three files:
casLoginView.jsp
includes/top.jsp
includes/bottom.jsp

Custom Theme vs Default Theme

Legacy Page With Improper Theme

QUESTIONS?