Potential new way to integrate CAS with Grouper
https://github.com/apereo/java-cas-client
The context definition in server.xml for Tomcat looks like this:
    <Context docBase="/ucd/opt/grouper-ui/dist/grouper" path="/grouper" reloadable="false" mapperContextRootRedirectEnabled="true" mapperDirectoryRedirectEnabled="true">
        <Realm className="org.jasig.cas.client.tomcat.v7.PropertiesCasRealm" propertiesFilePath="/etc/tomcat/grouper-users.properties" />
        <!-- If you do not need to map users to roles via a grouper-users.properties file use this.
        <Realm className="org.jasig.cas.client.tomcat.v7.AssertionCasRealm" />
        -->
        <Valve className="org.jasig.cas.client.tomcat.v7.Cas20CasAuthenticator" encoding="UTF-8" casServerLoginUrl="https://CAS_SERVER/cas/login" casServerUrlPrefix="https://CAS_SERVER/cas/" serverName="GROUPER_SERVER" />
        <!-- Single sign-out support -->
        <Valve className="org.jasig.cas.client.tomcat.v7.SingleSignOutValve" artifactParameterName="SAMLart" />
    </Context>
- You don't need to alter anything in the Grouper UI itself; you only need to make sure that the logged-in user (the principal CAS returns) is resolvable by one of the configured subject sources.
- For Tomcat 8.0.x, change the package names from "v7" to "v8". (Note: Tomcat 8.5.x is not supported at this point and requires modifications to the CAS client because of API incompatibilities between 8.0.x and 8.5.x.)
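As an added sanity check (example code written for this page, not from the Grouper wiki or the java-cas-client project), the following Python script parses a Context definition like the one above and flags the mistakes that most often break or weaken the integration: the CAS_SERVER / GROUPER_SERVER placeholders left unreplaced, CAS URLs that are not HTTPS, a login URL outside the URL prefix, a missing CAS Realm, authenticator valve or SingleSignOutValve, and CAS classes from a different Tomcat package line than the one you are running. The sample Context is the one from this page with its placeholders still in place; the function and variable names are assumptions.

```python
"""Sanity-check a Tomcat <Context> that wires the Java CAS client into Grouper.

Added example, not Grouper's or java-cas-client's own code. Only the Python
standard library is used, so it can run offline against a copied fragment.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the Context from the page with its placeholders left in.
SAMPLE_CONTEXT = """<Context docBase="/ucd/opt/grouper-ui/dist/grouper" path="/grouper" reloadable="false">
  <Realm className="org.jasig.cas.client.tomcat.v7.PropertiesCasRealm"
         propertiesFilePath="/etc/tomcat/grouper-users.properties" />
  <Valve className="org.jasig.cas.client.tomcat.v7.Cas20CasAuthenticator"
         encoding="UTF-8"
         casServerLoginUrl="https://CAS_SERVER/cas/login"
         casServerUrlPrefix="https://CAS_SERVER/cas/"
         serverName="GROUPER_SERVER" />
  <Valve className="org.jasig.cas.client.tomcat.v7.SingleSignOutValve"
         artifactParameterName="SAMLart" />
</Context>"""

# Placeholder tokens from the page that must be replaced before deployment.
PLACEHOLDERS = ("CAS_SERVER", "GROUPER_SERVER")


def check_cas_context(xml_text, tomcat_major=7):
    """Return a list of problem strings; an empty list means the Context passes."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "Context":
        return ["root element is <%s>, expected <Context>" % root.tag]
    # The CAS client ships one package per Tomcat line (v7, v8, ...).
    pkg = "org.jasig.cas.client.tomcat.v%d." % tomcat_major

    realms = [r for r in root.findall("Realm") if r.get("className", "").startswith(pkg)]
    if not realms:
        problems.append("no CAS Realm (%s*CasRealm) declared" % pkg)

    auth = [v for v in root.findall("Valve")
            if v.get("className") == pkg + "Cas20CasAuthenticator"]
    if len(auth) != 1:
        problems.append("expected exactly one %sCas20CasAuthenticator valve, found %d"
                        % (pkg, len(auth)))
    else:
        valve = auth[0]
        for attr in ("casServerLoginUrl", "casServerUrlPrefix", "serverName"):
            value = valve.get(attr)
            if not value:
                problems.append("authenticator valve is missing %s" % attr)
                continue
            if any(p in value for p in PLACEHOLDERS):
                problems.append("%s still contains a placeholder: %s" % (attr, value))
            # Tickets and assertions travel over these URLs; plain http exposes them.
            if attr.endswith("Url") or attr.endswith("UrlPrefix"):
                if urlparse(value).scheme != "https":
                    problems.append("%s is not https: %s" % (attr, value))
        login = valve.get("casServerLoginUrl", "")
        prefix = valve.get("casServerUrlPrefix", "")
        if login and prefix and not login.startswith(prefix.rstrip("/")):
            problems.append("casServerLoginUrl does not live under casServerUrlPrefix")

    if not any(v.get("className") == pkg + "SingleSignOutValve"
               for v in root.findall("Valve")):
        problems.append("no %sSingleSignOutValve: CAS single logout will not end "
                        "the Grouper session" % pkg)

    # A CAS element compiled for another Tomcat line fails to load at startup.
    for el in root.iter():
        cn = el.get("className", "")
        if cn.startswith("org.jasig.cas.client.tomcat.") and not cn.startswith(pkg):
            problems.append("%s is built for another Tomcat version, expected %s*" % (cn, pkg))
    return problems


if __name__ == "__main__":
    for problem in check_cas_context(SAMPLE_CONTEXT) or ["OK"]:
        print(problem)
```

Run it with `tomcat_major=8` after switching the package names and it will confirm that every CAS element was changed, which is the step most easily half-done when moving from Tomcat 7 to 8.0.x.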
Previous way to integrate CAS with Grouper
The yale-cas-auth jar file is included with the Grouper UI installation. A few steps are needed to enable it:
Configuration Steps to enable CAS Authentication
Add the CAS authentication piece to the build.xml file in the Grouper UI home/build folder, /deploy/AppServers/grouper-ui:
/deploy/AppServers/grouper-ui/build.xml
    <ant antfile="build.xml" target="webapp" dir="${contrib.dir}/yale-cas-auth" inheritrefs="true" />
It should go just below the following section in the build.xml file:
    <!-- Call any site specific build script. This may be used to introduce site specific Struts action, local Subject implementations etc -->
    <antcall target="-additional-build">
        <param name="target" value="webapp"/>
        <reference refid="ui.class.path.for.run"/>
    </antcall>
Implementer note: There are several -additional-build sections. Ensure you find the one that has a target with a value of "webapp".
Modify the following 3 lines in the build.properties file in the yale-cas-auth folder, entering the proper URLs for your organization:
/deploy/AppServers/grouper-ui/contrib/yale-cas-auth/build.properties
    # Grouper CAS Integration for CalPoly
    sso.login.url=https://mydev.YourCampus.edu/cas/login
    sso.validate.url=https://mydev.YourCampus.edu:443/cas/serviceValidate
    grouper.server.name=s-grouper.its.YourCampus.edu
Modify the struts-config.xml file to skip the login prompt by changing the callLogin path to home.do instead of login.do:
/deploy/AppServers/grouper-ui/webapp/WEB-INF/struts-config.xml
    <forward name="callLogin" path="/home.do" redirect="true"/>
Ensure the column that holds the REMOTE_USER value returned from CAS is configured as one of the subject identifiers in sources.xml:
/deploy/AppServers/grouper/conf/sources.xml
    <init-param>
        <!-- col which identifies the row, perhaps not subjectId -->
        <param-name>subjectIdentifierCol0</param-name>
        <param-value>SUBJECT_NAME</param-value>
    </init-param>
This is based on using the GrouperJdbcSourceAdapter2 source adapter type.
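To make the requirement above (and the "searchable by a source" note in the new-style integration) concrete, here is an added Python example, not Grouper's own code, that reads the subjectIdentifierColN parameters of a JDBC source and resolves a REMOTE_USER value against a small in-memory table the way a subject-identifier lookup does. The sources.xml fragment, the row data and the column names other than subjectIdentifierCol0 / SUBJECT_NAME are constructed for illustration.

```python
"""Show why REMOTE_USER must map onto a configured subject identifier column.

Added example, not part of Grouper. It parses the init-params of a
GrouperJdbcSourceAdapter2 source and performs the identifier lookup in
memory; in Grouper the same match is made against the source's database.
"""
import xml.etree.ElementTree as ET

# Constructed sources.xml fragment: one JDBC source with two identifier columns.
SAMPLE_SOURCE = """<sources>
  <source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter2">
    <id>campusPeople</id>
    <init-param>
      <param-name>subjectIdentifierCol0</param-name>
      <param-value>SUBJECT_NAME</param-value>
    </init-param>
    <init-param>
      <param-name>subjectIdentifierCol1</param-name>
      <param-value>EMAIL</param-value>
    </init-param>
  </source>
</sources>"""

# Constructed rows standing in for the source's subject table.
SAMPLE_ROWS = [
    {"SUBJECT_ID": "100001", "SUBJECT_NAME": "jdoe", "EMAIL": "jdoe@example.edu"},
    {"SUBJECT_ID": "100002", "SUBJECT_NAME": "asmith", "EMAIL": "asmith@example.edu"},
]


def subject_identifier_columns(xml_text):
    """Map each source id to its {subjectIdentifierColN: column name} settings."""
    root = ET.fromstring(xml_text)
    result = {}
    for src in root.findall("source"):
        cols = {}
        for param in src.findall("init-param"):
            name = (param.findtext("param-name") or "").strip()
            if name.startswith("subjectIdentifierCol"):
                cols[name] = (param.findtext("param-value") or "").strip()
        result[(src.findtext("id") or "").strip()] = cols
    return result


def find_subject(xml_text, source_id, remote_user, rows):
    """Resolve REMOTE_USER by matching it against every configured identifier
    column of the given source. Returns the matching row, or None when no
    configured identifier column holds the value (the UI then has no subject)."""
    cols = subject_identifier_columns(xml_text).get(source_id, {})
    for row in rows:
        if any(row.get(col) == remote_user for col in cols.values()):
            return row
    return None


if __name__ == "__main__":
    print(subject_identifier_columns(SAMPLE_SOURCE))
    print(find_subject(SAMPLE_SOURCE, "campusPeople", "jdoe", SAMPLE_ROWS))
```

If CAS is configured to release a different attribute as the principal (an employee number, say), the lookup returns None until that column is added as a subjectIdentifierColN, which is exactly the symptom of a user who authenticates at CAS but is refused by the Grouper UI.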
- Ensure the Grouper URL has been added to the CAS Services Registry.
Deployment Steps
From the /deploy/AppServers/grouper-ui directory, create a new war file:
ant war
Remove the grouper directory in the $TOMCAT_HOME/webapps folder:
cd /deploy/AppServers/tomcat/webapps
rm -rf grouper
Copy the new war file to the webapps directory (overwrite existing grouper.war file):
cp /deploy/AppServers/grouper-ui/dist/grouper.war .
- Stop and restart Tomcat.
Troubleshoot
To get debug output in the logs, enable the following logger in log4j.properties:
log4j.logger.edu.internet2.middleware.grouper.ui.GrouperUiFilter = DEBUG