Depending on your organization's infrastructure, user information (basically username and password) can be stored in a datastore independent of eXo Platform. When a user logs in to an eXo Platform that delegates authentication to CAS, CAS in turn calls the datastore's service to validate the login. If you store user information in eXo Platform itself, you need to configure CAS to call back an eXo Platform service to validate the login. For this case (called "callback"), eXo provides an Authentication plugin, org.gatein.sso.cas.plugin.AuthenticationPlugin, that is installed on the CAS server. This plugin makes authentication callbacks to a RESTful service on the remote eXo Platform server, which checks the submitted credentials. If instead you store user information in another external datastore rather than in eXo Platform (called "non-callback"), you do not need this Authentication plugin; you need an Authentication plugin that is compatible with your datastore.
On the CAS server side, the following packages are required:
$CAS_HOME: the CAS package, which you can download from https://www.apereo.org/cas/download. eXo Platform supports CAS 3.5 and CAS 4.0; this documentation is based on test results for the CAS 3.5.2 and CAS 4.0.0 integrations. Other versions may also work but have not been tested. The downloaded CAS release is a Maven-based project source (CAS does not release binaries officially), so you need to build the project yourself; the build step below requires Apache Maven 3.
$CAS_TOMCAT_HOME: a Servlet container on which the CAS server will be deployed. In this tutorial, it is a Tomcat 7 package.
For CAS 4.0.0 only, first edit the $CAS_HOME/pom.xml file by replacing:
<header>${cs.dir}/src/licensing/header.txt</header>
with
<header>${licenseHeader}</header>
Then go to $CAS_HOME/cas-server-webapp and execute the command: mvn clean install -Dmaven.test.skip=true.
Deploy CAS to Tomcat by copying $CAS_HOME/cas-server-webapp/target/cas.war into $CAS_TOMCAT_HOME/webapps.
Change the default HTTP port to avoid a conflict with the default eXo Platform port (for testing purposes) by replacing 8080 with 8888 in $CAS_TOMCAT_HOME/conf/server.xml.
If eXo Platform is running on the same machine as the CAS Tomcat, the other Tomcat ports must be changed as well. They can be changed to any free port; for example, change the shutdown port from 8005 to 8805 and the AJP port from 8009 to 8809.
Start the CAS Tomcat server ($CAS_TOMCAT_HOME\bin\startup.bat on Windows, or $CAS_TOMCAT_HOME/bin/startup.sh on Linux/OS X).
At this stage, the CAS Tomcat is reachable at http://localhost:8888/cas, but you cannot log in yet because no authentication handler has been configured.
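The port changes above are easy to get wrong by hand (editing the wrong attribute, or leaving two connectors on the same port). The following POSIX shell script is an added example, not code from the eXo or CAS projects: it rewrites the three default Tomcat 7 ports to the 8805/8888/8809 values used on this page, lists the ports the file now declares, and fails if any port is declared twice. The trimmed server.xml it operates on is constructed for the example; on a real install pass $CAS_TOMCAT_HOME/conf/server.xml instead.

```shell
#!/bin/sh
# Added example (not from the eXo or CAS projects): rebase the three default
# Tomcat 7 ports (8005 shutdown, 8080 HTTP, 8009 AJP) in a server.xml so the
# CAS Tomcat can run beside eXo Platform, which keeps 8080. The 8805/8888/8809
# values are the ones this page uses; the sample server.xml is constructed.

# Rewrite the ports in place, keeping a .bak copy. Matching the whole
# port="NNNN" attribute leaves redirectPort="8443" and other numbers untouched.
rebase_tomcat_ports() {
    sed -i.bak \
        -e 's/port="8005"/port="8805"/' \
        -e 's/port="8080"/port="8888"/' \
        -e 's/port="8009"/port="8809"/' \
        "$1"
}

# Print every lowercase port="NNNN" value in the file, one per line, in
# document order (redirectPort has a capital P and is therefore skipped).
tomcat_ports() {
    sed -n 's/.*port="\([0-9]*\)".*/\1/p' "$1"
}

# Return 1 if a port number occurs more than once, which is how a clash
# between two Connectors (or with the shutdown port) shows up in one file.
ports_are_unique() {
    [ -z "$(tomcat_ports "$1" | sort | uniq -d)" ]
}

# Constructed sample: a trimmed stock Tomcat 7 server.xml in a temp file.
make_sample_server_xml() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
EOF
    echo "$f"
}

# On a real install: rebase_tomcat_ports "$CAS_TOMCAT_HOME/conf/server.xml"
sample=$(make_sample_server_xml)
rebase_tomcat_ports "$sample"
tomcat_ports "$sample"                 # prints 8805, 8888, 8809
ports_are_unique "$sample" && echo "ports are distinct"
rm -f "$sample" "$sample.bak"
```

Because the substitutions are anchored on the full port="..." attribute, running the script a second time is harmless: the old values are no longer present, so nothing changes, and the uniqueness check still tells you whether a hand edit has introduced a clash.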
After deploying CAS, you need to configure the CAS server. The configuration differs between the callback and non-callback cases. In particular:
If you store users in eXo Platform, follow the Authentication plugin setup below.
If you store users in another datasource (such as LDAP), you need an Authentication plugin that is compatible with that datasource; for CAS 3.5 and CAS 4.0, use the authentication handler that CAS provides for your datasource.
The procedure below is for the callback to the eXo Platform server only. If that is not your case, skip it.
Go to $PLATFORM_HOME and install the CAS add-on with the command: addon install exo-cas.
After a successful installation, a zip file named cas-plugin.zip is generated at the root of $PLATFORM_HOME.
Extract cas-plugin.zip, then copy its extracted .jar files into $CAS_TOMCAT_HOME/webapps/cas/WEB-INF/lib/, merging them with the jars already there.
Open $CAS_TOMCAT_HOME/webapps/cas/WEB-INF/deployerConfigContext.xml and modify it as follows.
If you are using CAS 3.5.x, replace:
<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
with the following. Make sure the protocol, host, port and context match your portal: the callback sends the user's credentials to that address, so http with localhost is only suitable for testing on one machine, and a portal on another host should be reached over https. The same properties and the same caution apply to the CAS 4.0.0 bean further below.
<bean class="org.gatein.sso.cas.plugin.AuthenticationPlugin">
  <property name="gateInProtocol"><value>http</value></property>
  <property name="gateInHost"><value>localhost</value></property>
  <property name="gateInPort"><value>8080</value></property>
  <property name="gateInContext"><value>portal</value></property>
  <property name="httpMethod"><value>POST</value></property>
</bean>
Or, if you are using CAS 4.0.0, find:
<bean id="primaryAuthenticationHandler"
      class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
  <property name="users">
    <map>
      <entry key="casuser" value="Mellon"/>
    </map>
  </property>
</bean>
and replace it with:
<bean id="primaryAuthenticationHandler" class="org.gatein.sso.cas.plugin.CAS40AuthenticationPlugin">
  <property name="gateInProtocol"><value>http</value></property>
  <property name="gateInHost"><value>localhost</value></property>
  <property name="gateInPort"><value>8080</value></property>
  <property name="gateInContext"><value>portal</value></property>
  <property name="httpMethod"><value>POST</value></property>
</bean>
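The edit to deployerConfigContext.xml is a good candidate for scripting, so that the handler settings are reviewed rather than typed. The following POSIX shell script is an added example, not code from the eXo, GateIn or CAS projects: it renders the CAS 3.5 callback bean shown above from protocol, host, port and context arguments, refuses to render plain http to any host other than the loopback address (that rule is the script's own, added because the callback carries the user's password to the portal), and splices the bean into a config file in place of the SimpleTestUsernamePasswordAuthenticationHandler stub, whether that stub is written on one line or on two as on this page. The trimmed deployerConfigContext.xml and the hostname portal.example.org are constructed for the example; the CAS 4.0.0 bean, which has child elements, is left to a manual edit.

```shell
#!/bin/sh
# Added example, not code from the eXo, GateIn or CAS projects. Renders the
# CAS 3.5 callback bean from this page and splices it into a
# deployerConfigContext.xml in place of the SimpleTestUsernamePasswordAuthenticationHandler
# stub. Refusing plain http to a non-loopback portal is this script's own rule;
# the sample config and the host portal.example.org are constructed.

# Print the bean for the given protocol, host, port and context, or return 1
# when the settings would send credentials in clear text to another machine.
render_callback_bean() {
    proto=$1 host=$2 port=$3 ctx=$4
    if [ "$proto" = http ]; then
        case "$host" in
            localhost|127.0.0.1) ;;    # loopback only: acceptable for testing
            *) echo "refusing gateInProtocol=http to remote portal $host; use https" >&2
               return 1 ;;
        esac
    elif [ "$proto" != https ]; then
        echo "unsupported gateInProtocol: $proto" >&2
        return 1
    fi
    cat <<EOF
<bean class="org.gatein.sso.cas.plugin.AuthenticationPlugin">
  <property name="gateInProtocol"><value>$proto</value></property>
  <property name="gateInHost"><value>$host</value></property>
  <property name="gateInPort"><value>$port</value></property>
  <property name="gateInContext"><value>$ctx</value></property>
  <property name="httpMethod"><value>POST</value></property>
</bean>
EOF
}

# Replace the stub bean in file $1 with the bean text in file $2. A "<bean"
# line that does not close its tag is buffered with the following lines until
# one contains ">", so the two-line form on this page is matched as a unit.
# Any <bean ...> whose tag closes on its own line passes through untouched.
splice_handler_bean() {
    awk -v beanfile="$2" '
        buf != "" { buf = buf "\n" $0; if ($0 !~ />/) next }
        buf == "" && /<bean/ && !/>/ { buf = $0; next }
        {
            elem = (buf != "") ? buf : $0
            buf = ""
            if (elem ~ /SimpleTestUsernamePasswordAuthenticationHandler/) {
                while ((getline line < beanfile) > 0) print line
                close(beanfile)
            } else {
                print elem
            }
        }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Render, validate and splice in one step: file proto host port ctx.
# Nothing is written to the config if the settings are refused.
configure_callback() {
    beanfile=$(mktemp)
    if ! render_callback_bean "$2" "$3" "$4" "$5" > "$beanfile"; then
        rm -f "$beanfile"
        return 1
    fi
    splice_handler_bean "$1" "$beanfile"
    rm -f "$beanfile"
}

# Check the result: the plugin bean is present and the test stub is gone.
callback_configured() {
    grep -q 'org.gatein.sso.cas.plugin.AuthenticationPlugin' "$1" &&
        ! grep -q 'SimpleTestUsernamePasswordAuthenticationHandler' "$1"
}

# Constructed sample: the relevant part of a CAS 3.5 deployerConfigContext.xml.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />
      <bean
        class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
    </list>
  </property>
</bean>
EOF
    echo "$f"
}

# On a real install the first argument is
# "$CAS_TOMCAT_HOME/webapps/cas/WEB-INF/deployerConfigContext.xml".
sample=$(make_sample_config)
configure_callback "$sample" https portal.example.org 8443 portal
callback_configured "$sample" && echo "callback handler installed"
rm -f "$sample"
```

Running it with http and a remote host exits with status 1 and leaves the file untouched, which is the behaviour you want from a deployment step: a misconfiguration that would leak passwords fails loudly instead of producing a CAS that appears to work.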
Now, you can move to the next section to configure the eXo Platform server.