Liferay CAS Integration

CAS Introdution:

CAS is an enterprise SSO solution for web or enterprise applications for single sign-in access. . User tries to access application to login and then it will redirect to CAS to perform authentication. CAS validates user credentials with LDAP or Database and issues security token to application for valid credentials. Application again validates token with CAS server  and gets required user information as CAS Attributes such as Email, userId in the header.

CAS will use LDAP to authenticate user,  apparently  Liferay must  be  configured to same LDAP directory to import users. This tutorials covers below:

  •    CAS Server configuration with LDAP
  •    Liferay Integration with OpenLDAP
  •    Liferay integration with CAS

 LDAP Setup:

We use OpenDJ LDAP for this tutorial. Download OpenDJ (http://forgerock.org/downloads/opendj-archive) and configured users with password “test” as shown in the diagram:

LDAP

 CAS Server setup

  • We use local liferay tomcat server instance to install CAS application. Tomcat shoudl be configured to HTTPS to install CAS, but this tutorials doesn’t coverts that part. We can ignore HTTPs warning on CAS.
  •  Download CAS Server3.5.2 release file from https://www.apereo.org/cas/download and extract to local.
  • Go to cas-server-3.5.2\modules folder and rename the cas-server-webapp.war  file  to  cas-webapp.war
  •  Copy the cas-webapp.war to liferay-portal-6.2-ee-sp5\tomcat-7.0.42\webapps  and start the server. (Remove war file once it deployed). Tomcat should be configured to support HTTPs in production.
  • CAS application by default uses SimpleTestUsernamePasswordAuthenticationHandler which authenticates UsernamePasswordCredentials where the username equals the password.
  • Open the URL in browser http://localhost:9080/cas-webapp/login
  • a.       UserName  : test@liferay.com
  • b.      Password: test@liferay.com

You should be able to see success message. I configured my tomcat port to 9080.

Configure CAS to LDAP:

  • Stop the server and edit the  file  tomcat-7.0.42\webapps\cas-webapp\WEB-INF\deployerConfigContext.xml  file  and add below bean at end of the file
  • <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">                     
        <property name="pooled" value="false"/>
        <property name="url" value="ldap://localhost:389" />
        <property name="userDn" value="cn=admin,ou=People,dc=igate1,dc=com"/>
        <property name="password" value="test"/>
        <property name="baseEnvironmentProperties">
          <map>
               <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
                <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
                <entry key="java.naming.security.authentication" value="simple" />
         </map>
             </property>
    </bean>
  • Add the BindLdapAuthenticationHandler to authenticationManager  to perform authentication with LDAP. Reemove the bean  SimpleTestUsernamePasswordAuthenticationHandler from property authenticationHandlers.
  • <bean  class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
  • Update the authenticationHandlers property with  BindLdapAuthenticationHandler
  • <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
            p:filter="mail=%u"
            p:searchBase="ou=People,dc=igate1,dc=com"
              p:contextSource-ref="contextSource" />
  •   Copy the LDAP dependency  jars to tomcat-7.0.42\webapps\cas-webapp\WEB-INF\lib folder
  • spring-ldap-core-1.3.0.RELEASE  (find this is \tomcat-.0.42\webapps\ROOT\WEB-INF\lib)
  • spring-ldap-core-tiger-1.3.0.RELEASE ((find this is \tomcat-.0.42\webapps\ROOT\WEB-INF\lib)
  • cas-server-support-ldap-3.5.2 (you can find this in \cas-server-3.5.2\modules)

CAS is configured with LDAP, Test the CAS login by providing sample LDAP user credentials.CAS_LOGIN

Configure Liferay with LDAP and CAS:

Liferay has in built integration with CAS and LDAP, so copy the below CAS, LDAP properties to portal-ext.properties file and restart the server. Make sure that test@liferay.com user is created in LDAP.  LDAP import should be enable to import the users from LDAP to Liferay

1.CAS portal-ext properties

cas.auth.enabled=true
cas.import.from.ldap=true
cas.login.url=http://localhost:9080/cas-webapp/login
cas.logout.url=http://localhost:9080/cas-webapp/logout
cas.server.url=http://localhost:9080/cas-webapp
cas.server.name=http://localhost:9080
com.liferay.portal.servlet.filters.sso.cas.CASFilter=true
auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin

2.LDAP portal-ext propertis:

These properties also inlcudes   Reminder questiosn, terms of agreement and Password update properties which are set to false.
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.base.provider.url=ldap://localhost:389
ldap.base.dn=ou=People,dc=igate1,dc=com
ldap.security.principal=cn=admin,ou=People,dc=igate1,dc=com
ldap.security.credentials=test

ldap.auth.enabled=true
ldap.auth.method=bind
ldap.auth.search.filter=(mail=@email_address@)
ldap.user.default.object.classes=top,person,inetOrgPerson,organizationalPerson

ldap.user.mappings=uuid=uuid\nscreenName=givenName\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership

ldap.group.default.object.classes=top,groupOfUniqueNames
ldap.group.mappings=groupName=cn\ndescription=description\nuser=uniqueMember
ldap.import.enabled=true
ldap.import.on.startup=true
ldap.import.interval=10
ldap.import.user.search.filter=(objectClass=inetOrgPerson)
ldap.import.group.search.filter=(objectClass=groupOfUniqueNames)
ldap.import.method=user

#ldap.import.method=group
ldap.import.create.role.per.group=true
ldap.export.enabled=false
ldap.users.dn=ou=People,dc=igate1,dc=com
ldap.groups.dn=ou=groups,dc=igate1,dc=com
ldap.password.policy.enabled=false

ldap.error.password.age=age
ldap.error.password.expired=expired
ldap.error.password.history=history
ldap.error.password.not.changeable=not allowed to change
ldap.error.password.syntax=syntax
ldap.error.password.trivial=trivial
ldap.error.user.lockout=retry limit

passwords.default.policy.change.required=false
terms.of.use.required = false
user.groups.name.allow.numeric=true
default.landing.page.path=/user/${liferay:screenName}/home
users.reminder.queries.enabled=false
  • Open Liferay and click on top  Sign-inSIGN_IN
  • You should be able redirect to CAS application page.

CAS_CRE

  • Give test@liferay.com/test and click on login, ensure that you provide the LDAP user credentials, now you are now able to redirect to liferay user home page. Click on logut and then you will again redirect to CAS signout.

CAS_LOGOUT

  • You can observe the console to see the CAS message.
WHO: test@liferay.com
WHAT: ST-3-RMypRPMDKO0MgMfkIi1C-cas01.example.org for http://localhost:9080/c/portal/login?p_l_id=10185
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Oct 22 10:39:36 GMT 2014
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
WHO: audit:unknown
WHAT: ST-3-RMypRPMDKO0MgMfkIi1C-cas01.example.org
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Wed Oct 22 10:39:36 GMT 2014
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

2 Comments

  1. Juan

    Thanks for posting detailed tutoria

    Reply
  2. Ramesh

    it is mandatory to provide LDAP details in CAS?? can we skip that authentication

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *