CAS + Active Directory + Google Apps

refs: http://www.ja-sig.org/wiki/display/CASUM/SAML+2.0+%28Google+Accounts+Integration%29
      http://www.ja-sig.org/wiki/display/CASUM/Google+Apps+from+MS-AD+using+the+%27mail%27+attribute



To sign the SAML assertions, a key pair must first be generated:
cd /usr/local/tomcat/webapps/cas/WEB-INF/classes/
openssl genrsa -out private.key 1024
openssl rsa -pubout -in private.key -out public.key -inform PEM -outform DER
openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in private.key -out private.p8
openssl req -new -x509 -key private.key -out x509.pem -days 3650

private.p8 (unencrypted PKCS#8, DER) and public.key (SubjectPublicKeyInfo, DER) are the formats the CAS key factory beans below read from the classpath; x509.pem is the self-signed certificate whose public key Google uses to verify the signed assertions. Two things to keep in mind: 1024-bit RSA is below current guidance, and 2048 bits is the sensible minimum for a new deployment; and private.key and private.p8 are stored unencrypted under the webapp, so they must be readable by the Tomcat user only.
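The same generation as an added example (not the page's own script and not CAS code), written so that it also checks that the three files belong together before they go into WEB-INF/classes: a public.key or x509.pem that does not match private.key only shows up later as a signature Google rejects. It assumes a 2048-bit key instead of the page's 1024 and a placeholder certificate subject /CN=cas.mondomaine.fr so that openssl req does not prompt; directory, key size and subject are parameters.

```shell
#!/bin/sh
# Added example, not the page's own script: generate and verify the SAML
# signing material CAS loads through PrivateKeyFactoryBean (PKCS#8 DER) and
# PublicKeyFactoryBean (SubjectPublicKeyInfo DER).
# Assumptions: 2048-bit RSA (the page uses 1024) and a placeholder subject
# /CN=cas.mondomaine.fr for the self-signed certificate handed to Google.
set -eu

make_saml_keys() {
    dir=$1
    bits=${2:-2048}
    subj=${3:-/CN=cas.mondomaine.fr}
    umask 077   # private.key / private.p8 are unencrypted: owner-only from the start
    openssl genrsa -out "$dir/private.key" "$bits" 2>/dev/null
    openssl rsa -pubout -in "$dir/private.key" -inform PEM -outform DER \
        -out "$dir/public.key" 2>/dev/null
    openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
        -in "$dir/private.key" -out "$dir/private.p8"
    openssl req -new -x509 -key "$dir/private.key" -out "$dir/x509.pem" \
        -days 3650 -subj "$subj" 2>/dev/null
    check_saml_keys "$dir" "$bits"
}

# Verify an existing set of files; returns non-zero on the first inconsistency.
check_saml_keys() {
    dir=$1
    bits=${2:-2048}
    priv_mod=$(openssl rsa -in "$dir/private.key" -noout -modulus)
    pub_mod=$(openssl rsa -pubin -inform DER -in "$dir/public.key" -noout -modulus)
    cert_mod=$(openssl x509 -in "$dir/x509.pem" -noout -modulus)

    # 1. public.key and x509.pem must carry the public half of private.key.
    [ "$pub_mod" = "$priv_mod" ] || { echo "public.key does not match private.key" >&2; return 1; }
    [ "$cert_mod" = "$priv_mod" ] || { echo "x509.pem does not match private.key" >&2; return 1; }

    # 2. private.p8 must be unencrypted PKCS#8 DER (what CAS reads) for the same key.
    p8_mod=$(openssl pkcs8 -inform DER -nocrypt -in "$dir/private.p8" 2>/dev/null \
             | openssl rsa -noout -modulus 2>/dev/null || true)
    [ "$p8_mod" = "$priv_mod" ] || { echo "private.p8 is not a PKCS#8 DER copy of private.key" >&2; return 1; }

    # 3. Key size: genrsa sets the top bit, so a b-bit modulus is exactly b/4 hex digits.
    hex=${priv_mod#Modulus=}
    [ "${#hex}" -eq $((bits / 4)) ] || { echo "key is not $bits bits" >&2; return 1; }
    [ "$bits" -ge 2048 ] || echo "warning: $bits-bit RSA is below current guidance" >&2

    # 4. The certificate must still be valid; an expired one breaks the Google side.
    openssl x509 -in "$dir/x509.pem" -noout -checkend 0 >/dev/null \
        || { echo "x509.pem has expired" >&2; return 1; }

    chmod 600 "$dir/private.key" "$dir/private.p8"
    echo "ok: $bits-bit RSA, $(openssl x509 -in "$dir/x509.pem" -noout -fingerprint -sha256)"
}

# Usage (the page's target directory):
# make_saml_keys /usr/local/tomcat/webapps/cas/WEB-INF/classes
```

check_saml_keys can be re-run on its own after a key rotation or before re-uploading x509.pem to Google; the SHA-256 fingerprint it prints is what to compare against the certificate shown on the Google side.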

Back in the original installation directory:
cd /home/jerome/cas-toolbox-3.3.5-2/custom.iut/webpages/WEB-INF
mkdir spring-configuration
cd spring-configuration

Then edit the file argumentExtractorsConfiguration.xml:
nano argumentExtractorsConfiguration.xml
Add three beans (the Google extractor and the two key factory beans) and add the extractor to the list:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd">
        <description>
                Argument Extractors are what are used to translate HTTP requests into requests of the appropriate protocol (i.e. CAS, SAML, SAML2,
                OpenId, etc.).  By default CAS and SAML are enabled.
        </description>
        <bean
                id="casArgumentExtractor"
                class="org.jasig.cas.web.support.CasArgumentExtractor"
         p:httpClient-ref="httpClient" />

        <bean id="samlArgumentExtractor" class="org.jasig.cas.web.support.SamlArgumentExtractor"
             p:httpClient-ref="httpClient" />
        <bean name="googleAccountsArgumentExtractor" class="org.jasig.cas.web.support.GoogleAccountsArgumentExtractor"
                p:privateKey-ref="privateKeyFactoryBean"
                p:publicKey-ref="publicKeyFactoryBean" />
        <bean
                id="privateKeyFactoryBean"
                class="org.jasig.cas.util.PrivateKeyFactoryBean"
                p:location="classpath:private.p8"
                p:algorithm="RSA" />

        <bean
                id="publicKeyFactoryBean"
                class="org.jasig.cas.util.PublicKeyFactoryBean"
                p:location="classpath:public.key"
                p:algorithm="RSA" />

        <util:list id="argumentExtractors">
                <ref bean="casArgumentExtractor" />
                <ref bean="samlArgumentExtractor" />
                <ref bean="googleAccountsArgumentExtractor" />
        </util:list>
</beans>

Then redeploy:
/etc/init.d/tomcat stop
ant init
ant deploy
/etc/init.d/tomcat start

Authentication with the e-mail address of the AD account


The idea is to use the 'mail' attribute of the user's Active Directory entry to authenticate them on Google Apps. The benefit is that:
  • the Google Apps account can differ from the sAMAccountName (the Windows logon name);
  • the Google Apps account can differ from the userPrincipalName, i.e. two different domains can be used, e.g. UPN = toto@domaineAD and mail = toto@mondomaine.fr.

To work with the mail attribute, first add:
                <entry key="mail" value="EmailAddress" />

to /usr/local/tomcat/webapps/cas/WEB-INF/deployerConfigContext.xml
which gives a bean like this at the end:
  
  <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.StubPersonAttributeDao">
        <property name="backingMap">
            <map>
                <entry key="uid" value="uid" />
                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
                <entry key="groupMembership" value="groupMembership" />
                <entry key="mail" value="EmailAddress" />
            </map>
        </property>
    </bean>

Then change the search filter in ~/cas-toolbox-3.3.5-2/custom.iut/webpages/WEB-INF/auth-configuration/ldap-auth.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!--
        | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
        | all CAS deployers will need to modify.
        |
        | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
        | The beans declared in this file are instantiated at context initialization time by the Spring
        | ContextLoaderListener declared in web.xml.  It finds this file because this
        | file is among those declared in the context parameter "contextConfigLocation".
        |
        | By far the most common change you will need to make in this file is to change the last bean
        | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
        | one implementing your approach for authenticating usernames and passwords.
        +-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

        <!--
                |    LDAP authentication.
        +-->
        <bean id="ldapHandler" class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
                <property name="filter" value="mail=%u@mondomaine.fr" />
                <property name="searchBase" value="${ldap.basedn}" />
                <property name="ignorePartialResultException" value="yes" />
                <property name="contextSource">
                        <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
                                <property name="anonymousReadOnly" value="false" />
                                <property name="userDn" value="CN=ldapview,CN=Users,DC=dometud,DC=iut-rodez,DC=local" />
                                <property name="password" value="Maude Passe" />
                                <property name="pooled" value="true" />
                                <property name="urls">
                                        <list>
                                                <value>${ldap.host.1}</value>
                                        </list>
                                </property>
                                <property name="baseEnvironmentProperties">
                                        <map>
                                                <!--
                                                <entry>
                                                    <key><value>java.naming.security.protocol</value></key>
                                                <value>ssl</value>
                                        </entry>
                                        -->
                                                <entry>
                                                        <key><value>java.naming.security.authentication</value></key>
                                                        <value>simple</value>
                                                </entry>
                                        </map>
                                </property>
                        </bean>
                </property>
        </bean>
</beans>

With the search filter set to mail=%u@mondomaine.fr, the user only has to type the part of their e-mail address to the left of @mondomaine.fr into the CAS login form to authenticate; e.g. jerome.bousquie is enough and is completed to jerome.bousquie@mondomaine.fr. Two points to check before deploying this. First, %u is replaced by whatever was typed into the form, so the value must have its LDAP filter metacharacters ( \ * ( ) ) escaped per RFC 4515 before the search runs; a bare * would turn the filter into mail=*@mondomaine.fr and the handler would then bind as whichever entry the directory returns first. Verify that the CAS version you deploy does this escaping, or restrict what the form accepts. Second, the contextSource above binds as ldapview with a cleartext password and the ssl entry is commented out: unless ${ldap.host.1} is an ldaps:// URL, the service-account credentials and every user's bind password cross the network unencrypted.
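What that substitution has to do with the typed value, as an added example in POSIX shell that is neither the page's code nor CAS's: ldap_escape applies the RFC 4515 escapes, build_mail_filter assembles the page's filter around the escaped value, and login_is_wellformed is the stricter alternative of rejecting at the form anything outside the characters a local part needs (the accepted set is an assumption). mondomaine.fr is the page's placeholder domain and the sample logins are constructed inputs.

```shell
#!/bin/sh
# Added example, not CAS code: the escaping that the %u substitution in
# "mail=%u@mondomaine.fr" must apply to the login typed into the CAS form.
# RFC 4515 writes \ * ( ) inside an assertion value as \5c \2a \28 \29;
# without that, a login such as * or jerome* changes what the filter matches.
set -eu

# Escape an assertion value per RFC 4515. Backslash goes first so that the
# backslashes introduced by the later substitutions are not escaped again.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The page's filter in RFC 4515 string form (outer parentheses included),
# with the login escaped and the domain appended.
build_mail_filter() {
    printf '(mail=%s@%s)' "$(ldap_escape "$1")" "${2:-mondomaine.fr}"
}

# Stricter alternative for the login form: accept only the characters the
# local part of an address in this directory uses (assumed set), nothing else.
login_is_wellformed() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Constructed sample inputs: a normal login, a wildcard that would match every
# user, a prefix wildcard, a parenthesis-laden value, and a backslash.
for login in 'jerome.bousquie' '*' 'jerome*' '*)(cn=*' 'a\b'; do
    if login_is_wellformed "$login"; then verdict=accept; else verdict=reject; fi
    printf '%-16s %-44s %s\n' "$login" "$(build_mail_filter "$login")" "$verdict"
done
```

To check a filter against the directory by hand, pass the output of build_mail_filter as the filter argument of ldapsearch with the ldapview bind DN from ldap-auth.xml and ${ldap.basedn} as the search base; exactly one DN should come back for a valid login.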

To deploy this solution:
/etc/init.d/tomcat stop
cd ~/cas-toolbox-3.3.5-2
ant init
ant deploy
/etc/init.d/tomcat start