Potential new way to integrate CAS with Grouper
https://github.com/apereo/java-cas-client
The context definition for Tomcat looks like this (replace CAS_SERVER and GROUPER_SERVER with your own host names):
<Context docBase="/ucd/opt/grouper-ui/dist/grouper" path="/grouper" reloadable="false" mapperContextRootRedirectEnabled="true" mapperDirectoryRedirectEnabled="true">
  <Realm className="org.jasig.cas.client.tomcat.v7.PropertiesCasRealm" propertiesFilePath="/etc/tomcat/grouper-users.properties" />
  <!-- If you do not need to map users to roles via a grouper-users.properties file use this.
  <Realm className="org.jasig.cas.client.tomcat.v7.AssertionCasRealm" />
  -->
  <Valve className="org.jasig.cas.client.tomcat.v7.Cas20CasAuthenticator" encoding="UTF-8" casServerLoginUrl="https://CAS_SERVER/cas/login" casServerUrlPrefix="https://CAS_SERVER/cas/" serverName="GROUPER_SERVER" />
  <!-- Single sign-out support -->
  <Valve className="org.jasig.cas.client.tomcat.v7.SingleSignOutValve" artifactParameterName="SAMLart" />
</Context>
Note that artifactParameterName="SAMLart" is the SAML 1.1 artifact parameter name; Cas20CasAuthenticator receives the service ticket in the ticket parameter (the valve's default), so test that single sign-out really ends the Grouper session before relying on this setting.
You don't need to alter anything in the Grouper UI itself; you just need to make sure that the logged-in user (the principal CAS returns) is searchable by one of the configured subject sources.
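As an added illustration, not part of the original page or of Grouper, here is the shape of the /etc/tomcat/grouper-users.properties file that PropertiesCasRealm reads: a standard Java properties file in which each key is a CAS principal (the value the Grouper UI sees as REMOTE_USER) and the value is a comma-separated list of Tomcat roles. The user names and role names below are constructed placeholders; the roles you use must match the role-name entries in the security-constraint of the Grouper UI's web.xml.

```properties
# /etc/tomcat/grouper-users.properties (constructed example)
# key   = CAS principal, i.e. REMOTE_USER as seen by the Grouper UI
# value = comma-separated Tomcat roles granted to that principal
jsmith=grouper_users
adoe=grouper_users,grouper_admins
```

Tomcat reads this file once when the realm starts, so a user added here gets the role only after the context is reloaded or Tomcat is restarted.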
Previous way to integrate CAS with Grouper
The yale-cas-auth jar file is included with the Grouper UI installation. A few steps are needed to implement it:
Configuration Steps to enable CAS Authentication
Add the CAS authentication piece to the build.xml file in the Grouper UI home folder (/deploy/AppServers/grouper-ui):
/deploy/AppServers/grouper-ui/build.xml
  <ant antfile="build.xml" target="webapp" dir="${contrib.dir}/yale-cas-auth" inheritrefs="true" />
It should go just below the following section in the build.xml file:
<!-- Call any site specific build script. This may be used to introduce site specific Struts action, local Subject implementations etc -->
<antcall target="-additional-build">
  <param name="target" value="webapp"/>
  <reference refid="ui.class.path.for.run"/>
</antcall>
Implementer note: There are several -additional-build sections. Ensure you find the one that has a target with a value of "webapp".
Modify the following three lines in the build.properties file in the yale-cas-auth folder, entering the proper CAS URLs and Grouper host name for your organization:
/deploy/AppServers/grouper-ui/contrib/yale-cas-auth/build.properties
  #Grouper CAS Integration for CalPoly
  sso.login.url=https://mydev.YourCampus.edu/cas/login
  sso.validate.url=https://mydev.YourCampus.edu:443/cas/serviceValidate
  grouper.server.name=s-grouper.its.YourCampus.edu
Modify the struts-config.xml file to skip the login prompt by changing the callLogin path to home.do instead of login.do:
/deploy/AppServers/grouper-ui/webapp/WEB-INF/struts-config.xml
  <forward name="callLogin" path="/home.do" redirect="true"/>
Ensure the REMOTE_USER value returned from CAS is configured as one of the subject identifiers in sources.xml:
/deploy/AppServers/grouper/conf/sources.xml
  <init-param>
    <!-- col which identifies the row, perhaps not subjectId -->
    <param-name>subjectIdentifierCol0</param-name>
    <param-value>SUBJECT_NAME</param-value>
  </init-param>
This is based on using the GrouperJdbcSourceAdapter2 source adapter type.
- Ensure the grouper URL has been added to the CAS Services Registry.
Deployment Steps
From the /deploy/AppServers/grouper-ui directory, create a new war file:
ant war
Remove the grouper directory in the $TOMCAT_HOME/webapps folder:
cd /deploy/AppServers/tomcat/webapps
rm -rf grouper
Copy the new war file to the webapps directory (overwrite existing grouper.war file):
cp /deploy/AppServers/grouper-ui/dist/grouper.war .
- Stop and restart Tomcat.
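The following script is an added example, not part of the original page or of Grouper: it runs the deployment steps above with the checks a bare rm -rf lacks (refusing to delete the old application when the new war does not exist, and keeping the previous war for rollback), and first sanity-checks the yale-cas-auth build.properties edited earlier so that sso.login.url and sso.validate.url are set and use https. The paths default to the ones used on this page and can be overridden with environment variables; CATALINA_HOME and Tomcat's bin/shutdown.sh and bin/startup.sh are an assumption (Tomcat started from its own scripts rather than a service unit).

```shell
#!/bin/sh
# Added example (not from the original page or from Grouper).
# Deploys a freshly built grouper.war into Tomcat with safety checks.
# Assumed paths: the ones the page uses; override via environment variables.
set -eu

GROUPER_UI_HOME="${GROUPER_UI_HOME:-/deploy/AppServers/grouper-ui}"
TOMCAT_WEBAPPS="${TOMCAT_WEBAPPS:-/deploy/AppServers/tomcat/webapps}"
CATALINA_HOME="${CATALINA_HOME:-/deploy/AppServers/tomcat}"   # assumption

# verify_cas_build_props FILE
# Fails unless sso.login.url, sso.validate.url and grouper.server.name are
# all set, and the two CAS URLs use https (a service ticket validated over
# plain http can be read and replayed on the wire).
verify_cas_build_props() {
    props="$1"
    [ -f "$props" ] || { echo "missing $props" >&2; return 1; }
    for key in sso.login.url sso.validate.url grouper.server.name; do
        # escape the dots so the key matches literally
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        val=$(sed -n "s/^$key_re=//p" "$props" | tail -n 1)
        [ -n "$val" ] || { echo "$key not set in $props" >&2; return 1; }
        case "$key" in
            sso.*)
                case "$val" in
                    https://*) ;;
                    *) echo "$key must use https: $val" >&2; return 1 ;;
                esac ;;
        esac
    done
}

# deploy_grouper_war WAR WEBAPPS
# Replaces WEBAPPS/grouper.war with WAR and removes the exploded grouper/
# directory so Tomcat redeploys from the new archive. The previous war is
# kept as grouper.war.prev for rollback. Nothing in WEBAPPS is touched
# unless WAR exists, so a failed "ant war" cannot leave you with no app.
deploy_grouper_war() {
    war="$1"
    webapps="$2"
    [ -f "$war" ] || { echo "missing war: $war" >&2; return 1; }
    [ -d "$webapps" ] || { echo "not a directory: $webapps" >&2; return 1; }
    if [ -f "$webapps/grouper.war" ]; then
        cp -p "$webapps/grouper.war" "$webapps/grouper.war.prev"
    fi
    rm -rf "$webapps/grouper"
    cp "$war" "$webapps/grouper.war"
}

# The full procedure runs only when invoked as: sh deploy-grouper.sh deploy
if [ "${1:-}" = "deploy" ]; then
    verify_cas_build_props "$GROUPER_UI_HOME/contrib/yale-cas-auth/build.properties"
    (cd "$GROUPER_UI_HOME" && ant war)
    "$CATALINA_HOME/bin/shutdown.sh"
    deploy_grouper_war "$GROUPER_UI_HOME/dist/grouper.war" "$TOMCAT_WEBAPPS"
    "$CATALINA_HOME/bin/startup.sh"
fi
```

Run it as sh deploy-grouper.sh deploy from any directory; without the deploy argument it only defines the functions, which is convenient for sourcing the checks into other scripts.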
Troubleshoot
To see debug output from the UI filter in the logs, add this line to log4j.properties:
log4j.logger.edu.internet2.middleware.grouper.ui.GrouperUiFilter = DEBUG