CAS Implementation at Oakland University
Lee Foltz, Senior Identity Systems Engineer, Oakland University
Brandon Powell, Java Developer Analyst, Oakland University
Rachel Glomski, Student Java Developer, Oakland University
Topics
● Environment configuration
● The service manager
● Our build process
● How we use Maven filters
● The awesomeness of Maven overlays
● How to stay up to date with new versions of CAS
● Integration with Google Apps for Education
● Integration with Banner
● CAS web services
● Adding a custom theme to show the institution's colors
Terms to Know
CAS - Central Authentication Service: used in single sign-on environments; protects user credentials
SSO - Single Sign-On: authenticate once for access to many applications
SAML - Security Assertion Markup Language: used to exchange authentication data between an identity provider and a service provider
REST - Representational State Transfer: an architectural style applied to web applications
Maven - Apache Maven is a software project management and comprehension tool. Based on the concept of a project object model (POM), Maven can manage a project's build, reporting and documentation
Overview Of What CAS Can Do
● A single sign-on authentication service
● Can be opened up to the outside world
● Hides the directory server (LDAP, AD) from outside attackers: only CAS talks to it
● Protects the user's credentials; the password goes only to CAS, never to the application (the "service")
Environment Configuration
● CAS 3.5.2.1
● RHEL 5 64-bit
● Java 7
● Maven 3
● Tomcat 7
Physical servers: 2 quad-core Xeons (8 cores, hyper-threaded), 12 GB of RAM
Load balanced via F5 BIG-IP in a primary/slave configuration, with a 15-second probe before failover
CAS Service Manager
● The service manager allows CAS to be closed off
● Only services we have registered are granted access to our CAS server; a login request whose service URL is not registered is refused
● The file can be edited on the fly
● No need to restart CAS
● Made up of a simple JSON (JavaScript Object Notation) file, so it is easy to read
Service Is Allowed
https://cas.oakland.edu/cas/login?service=https://mysail.oakland.edu/uPortal/Login
The service parameter matches a registered service, so if the login credentials are correct, we will be allowed in.
Build Process - Maven Filters
● Allow injection of data into the web application at build time
● Keep sensitive data (directory bind passwords, keys) outside the source code repository
● Only have to update information in one place
● Modify the filter data, rebuild the WAR and restart Tomcat
● No Java needs recompiling
Using Maven Filters
A couple of different ways to do it:
● Set properties in settings.xml in the .m2 folder
● Use a filters file
● Many more
Oakland University uses the first way.
Build Process - Maven Overlays
● Leave the base webapp alone; edit files in your overlay directory
● In the pom.xml of your overlay directory, add the base webapp as a dependency:
  <dependency>
    <groupId>edu.oakland.example</groupId>
    <artifactId>base-app</artifactId>
    <version>1.0-SNAPSHOT</version>
    <type>war</type>
  </dependency>
Example - Maven Overlays
The base application is what our overlay is built off of; we don't change the files in the base. The base-app has already been compiled.
The overlay is where we make changes to the files. Only these files are compiled when this webapp is built. Files in the overlay overwrite their base-app counterparts when the WAR is assembled, so an overlay copy silently shadows the base version from then on.
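The two build-process slides above (Maven filters and Maven overlays) fit together in one pom.xml. The following is an added example, not Oakland University's own build files: the settings.xml profile keeps the directory bind credentials on the build host, and the overlay pom pulls in the stock CAS 3.5.x webapp as the base and filters the WEB-INF files that reference those properties. The profile id, the ldap.* property names, the ldaps URL and the cas.version property are assumptions chosen for illustration; org.jasig.cas:cas-server-webapp is the real artifact name for the CAS 3.5 web application.

```xml
<!-- ~/.m2/settings.xml on the build host: these values never enter git -->
<settings>
  <profiles>
    <profile>
      <id>cas-filters</id>
      <properties>
        <ldap.url>ldaps://ldap.example.edu:636</ldap.url>
        <ldap.managerDn>cn=cas,ou=service,dc=example,dc=edu</ldap.managerDn>
        <ldap.managerPassword>change-me</ldap.managerPassword>
      </properties>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>cas-filters</activeProfile>
  </activeProfiles>
</settings>

<!-- pom.xml of the overlay project (assumed coordinates). The stock CAS
     webapp is the base; only files under src/main/webapp here are built,
     and they replace their counterparts from the base WAR. -->
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>edu.example.cas</groupId>
  <artifactId>cas-overlay</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>war</packaging>
  <properties>
    <cas.version>3.5.2.1</cas.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.jasig.cas</groupId>
      <artifactId>cas-server-webapp</artifactId>
      <version>${cas.version}</version>
      <type>war</type>
      <scope>runtime</scope>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-war-plugin</artifactId>
        <configuration>
          <overlays>
            <overlay>
              <groupId>org.jasig.cas</groupId>
              <artifactId>cas-server-webapp</artifactId>
            </overlay>
          </overlays>
          <!-- filtering replaces ${ldap.url}, ${ldap.managerDn} and
               ${ldap.managerPassword} in the overlay's WEB-INF files
               (for example deployerConfigContext.xml) at package time -->
          <webResources>
            <resource>
              <directory>src/main/webapp/WEB-INF</directory>
              <targetPath>WEB-INF</targetPath>
              <filtering>true</filtering>
            </resource>
          </webResources>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

Bumping cas.version is then the whole upgrade step on the Maven side; because the values are substituted when the WAR is packaged, a changed password means `mvn package` and a Tomcat restart, not a Java recompile.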
Build Process - Staying Up To Date
Edit the pom.xml and bump the version number for cas-server-core (and the base webapp dependency) to the new release, then rebuild. Because overlay files shadow their base counterparts, diff each file you have overridden against its new base version so that a fix shipped in the new release is not silently lost.
The CAS Side Of Google
● We use custom code developed by Unicon to connect to Google.
● The user's NetID is passed to Google
● Need to have the Google private key added to the exploded WAR file; keep it readable only by the Tomcat user
For more information go here: https://wiki.jasig.org/display/CASUM/SAML+2.0+(Google+Accounts+Integration)
*Note that CAS 4.0 works differently for Google
Integrating Banner
We use Banner Self Service version 8
There is great documentation on the Apereo Wiki:
https://wiki.jasig.org/display/UPC/CASifying+Banner+Self+Serve
If you use Banner XE: CAS is supported out of the box
CAS Web Services
From the Apereo wiki: "Applications need to programmatically access CAS. Generally, proxying works for this. However, there are cases where an application needs to access a resource as itself, in which case proxying doesn't make any sense."
REST is where it's at!
Bare minimum version to support the REST API in CAS is 3.5.2
Uses For CAS Web Services
● Apps, apps, apps!
● Android and iOS applications can use CAS for authentication
● More secure and more robust than scraping the CAS login form
● Enables a SSO environment for mobile devices
Configuration
● Need to edit web.xml
● Requires new dependencies
● Depending on the version of CAS used, some dependencies need to be excluded
https://wiki.jasig.org/display/casum/restful+api
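The REST flow the slides refer to is three HTTP exchanges: credentials are posted once to /cas/v1/tickets and a ticket-granting ticket (TGT) comes back in the Location header, the TGT is then exchanged for a service ticket (ST) bound to one registered service URL, and the service validates the ST through /cas/serviceValidate, which returns the NetID as XML. The following is an added example, not Oakland University's code or CAS's own implementation: the FakeCas class is a constructed in-process stand-in for a CAS 3.5.x server (including the service-manager check and single-use service tickets) so that the client functions run offline; the hostname cas.example.edu, the user jdoe and the ticket format are constructed. Against a real server, replace the `send` callable with an HTTPS transport that has the same signature.

```python
"""CAS REST protocol walk-through: credentials -> TGT -> ST -> serviceValidate.

Added example. FakeCas is a constructed stand-in for a CAS 3.5.x server so
the three client steps run offline; real deployments talk to /cas/v1/tickets
over HTTPS with a transport of the same (method, path, query, body) shape.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
FAILURE_XML = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
               "<cas:authenticationFailure code='INVALID_TICKET'>"
               "ticket not recognized</cas:authenticationFailure>"
               "</cas:serviceResponse>")
SUCCESS_XML = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
               "<cas:authenticationSuccess><cas:user>{user}</cas:user>"
               "</cas:authenticationSuccess></cas:serviceResponse>")


def _form(encoded):
    """Decode an application/x-www-form-urlencoded body or query string."""
    return {k: v[0] for k, v in parse_qs(encoded).items()}


class FakeCas:
    """Constructed in-process CAS: a user table, a service registry and ticket stores."""

    def __init__(self, users, registered_services):
        self.users = users                  # NetID -> password (constructed data)
        self.registered = registered_services
        self.tgts, self.sts, self.count = {}, {}, 0

    def _ticket(self, prefix):
        self.count += 1
        return f"{prefix}-{self.count}-example"   # a real CAS uses random ticket ids

    def handle(self, method, path, query, body):
        """Return (status, headers, body) the way an HTTP transport would."""
        form = _form(body)
        if method == "POST" and path == "/cas/v1/tickets":
            if self.users.get(form.get("username")) != form.get("password"):
                return 400, {}, ""
            tgt = self._ticket("TGT")
            self.tgts[tgt] = form["username"]
            return 201, {"Location": f"https://cas.example.edu/cas/v1/tickets/{tgt}"}, ""
        m = re.fullmatch(r"/cas/v1/tickets/(TGT-[^/]+)", path)
        if method == "POST" and m:
            if m.group(1) not in self.tgts:
                return 404, {}, ""
            if form.get("service") not in self.registered:   # service manager check
                return 403, {}, ""
            st = self._ticket("ST")
            self.sts[st] = (self.tgts[m.group(1)], form["service"])
            return 200, {}, st
        if method == "GET" and path == "/cas/serviceValidate":
            q = _form(query)
            entry = self.sts.pop(q.get("ticket"), None)     # service tickets are single use
            if entry is None or entry[1] != q.get("service"):
                return 200, {}, FAILURE_XML
            return 200, {}, SUCCESS_XML.format(user=entry[0])
        return 404, {}, ""


def get_tgt(send, username, password):
    """Step 1: the password goes to CAS once; the TGT id is the last path segment of Location."""
    status, headers, _ = send("POST", "/cas/v1/tickets", "",
                              urlencode({"username": username, "password": password}))
    if status != 201:
        raise PermissionError(f"CAS rejected the credentials (HTTP {status})")
    return headers["Location"].rsplit("/", 1)[1]


def get_st(send, tgt, service):
    """Step 2: exchange the TGT for a service ticket bound to one registered service URL."""
    status, _, body = send("POST", f"/cas/v1/tickets/{tgt}", "", urlencode({"service": service}))
    if status != 200:
        raise PermissionError(f"no service ticket for {service} (HTTP {status})")
    return body


def validate(send, ticket, service):
    """Step 3, done by the service itself: NetID for a valid ticket, else None.
    The service only ever sees the ticket, never the user's password."""
    _, _, body = send("GET", "/cas/serviceValidate",
                      urlencode({"ticket": ticket, "service": service}), "")
    user = ET.fromstring(body).find("cas:authenticationSuccess/cas:user", CAS_NS)
    return None if user is None else user.text


def rejected(fn, *args):
    """True when a client step is refused by CAS."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def demo():
    """Full flow against the fake server; the second validate fails because the ST was consumed."""
    svc = "https://mysail.oakland.edu/uPortal/Login"
    cas = FakeCas({"jdoe": "correct horse"}, {svc})
    tgt = get_tgt(cas.handle, "jdoe", "correct horse")
    st = get_st(cas.handle, tgt, svc)
    return tgt, st, validate(cas.handle, st, svc), validate(cas.handle, st, svc)


if __name__ == "__main__":
    print(demo())
```

The point for a mobile app is that the TGT is the long-lived secret to protect on the device; every new ST request and every validation is tied to a service URL that the service manager must already know, and a ticket that has been validated once is useless afterwards.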
Custom Themes
● Maven overlays to the rescue!
● In your CAS overlay go to this directory (or create it if it is not there):
  src/main/webapp/WEB-INF/view/jsp/default/ui
● Override any of these files:
  https://github.com/Jasig/cas/tree/master/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui
● Add custom CSS to fit the style of your institution
We only overrode three files: casLoginView.jsp, includes/top.jsp and includes/bottom.jsp
Contact Information
Lee Foltz: [email protected]
Brandon Powell: [email protected]
Rachel Glomski: [email protected]