References:
http://www.ja-sig.org/wiki/display/CASUM/SAML+2.0+%28Google+Accounts+Integration%29
http://www.ja-sig.org/wiki/display/CASUM/Google+Apps+from+MS-AD+using+the+%27mail%27+attribute

To sign the SAML assertions, a key must first be generated:

cd /usr/local/tomcat/webapps/cas/WEB-INF/classes/
openssl genrsa -out private.key 1024
openssl rsa -pubout -in private.key -out public.key -inform PEM -outform DER
openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in private.key -out private.p8
openssl req -new -x509 -key private.key -out x509.pem -days 3650

Go back to the initial installation directory:

cd /home/jerome/cas-toolbox-3.3.5-2/custom.iut/webpages/WEB-INF
mkdir spring-configuration

Then edit the file argumentExtractorsConfiguration.xml:

nano argumentExtractorsConfiguration.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
       http://www.springframework.org/schema/util
       http://www.springframework.org/schema/util/spring-util-2.0.xsd">
  <description>
    Argument Extractors are what are used to translate HTTP requests into
    requests of the appropriate protocol (i.e. CAS, SAML, SAML2, OpenId, etc.).
    By default CAS and SAML are enabled.
  </description>
  <bean id="casArgumentExtractor" class="org.jasig.cas.web.support.CasArgumentExtractor" p:httpClient-ref="httpClient" />
  <bean id="samlArgumentExtractor" class="org.jasig.cas.web.support.SamlArgumentExtractor" p:httpClient-ref="httpClient" />
  <bean name="googleAccountsArgumentExtractor" class="org.jasig.cas.web.support.GoogleAccountsArgumentExtractor"
        p:privateKey-ref="privateKeyFactoryBean" p:publicKey-ref="publicKeyFactoryBean" />
  <bean id="privateKeyFactoryBean" class="org.jasig.cas.util.PrivateKeyFactoryBean" p:location="classpath:private.p8" p:algorithm="RSA" />
  <bean id="publicKeyFactoryBean" class="org.jasig.cas.util.PublicKeyFactoryBean" p:location="classpath:public.key" p:algorithm="RSA" />
  <util:list id="argumentExtractors">
    <ref bean="casArgumentExtractor" />
    <ref bean="samlArgumentExtractor" />
    <ref bean="googleAccountsArgumentExtractor" />
  </util:list>
</beans>

Then redeploy:

/etc/init.d/tomcat stop
ant init
ant deploy
/etc/init.d/tomcat start

Authentication with the e-mail address of the AD account

The idea is to use the 'mail' attribute of a user's Active Directory entry to authenticate them to Google Apps. The benefit is as follows:

To authenticate on the mail attribute, add:

<entry key="mail" value="EmailAddress" />

to /usr/local/tomcat/webapps/cas/WEB-INF/deployerConfigContext.xml, which gives a bean like this at the end:

<bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
  <property name="backingMap">
    <map>
      <entry key="uid" value="uid" />
      <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
      <entry key="groupMembership" value="groupMembership" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>

Then change the search filter in ~/cas-toolbox-3.3.5-2/custom.iut/webpages/WEB-INF/auth-configuration/ldap-auth.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!--
 | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
 | all CAS deployers will need to modify.
 |
 | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
 | The beans declared in this file are instantiated at context initialization time by the Spring
 | ContextLoaderListener declared in web.xml. It finds this file because this
 | file is among those declared in the context parameter "contextConfigLocation".
 |
 | By far the most common change you will need to make in this file is to change the last bean
 | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
 | one implementing your approach for authenticating usernames and passwords.
 +-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
  <!--
   | LDAP authentication.
   +-->
  <bean id="ldapHandler" class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <property name="filter" value="mail=%u@mondomaine.fr" />
    <property name="searchBase" value="${ldap.basedn}" />
    <property name="ignorePartialResultException" value="yes" />
    <property name="contextSource">
      <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="anonymousReadOnly" value="false" />
        <property name="userDn" value="CN=ldapview,CN=Users,DC=dometud,DC=iut-rodez,DC=local" />
        <property name="password" value="Maude Passe" />
        <property name="pooled" value="true" />
        <property name="urls">
          <list>
            <value>${ldap.host.1}</value>
          </list>
        </property>
        <property name="baseEnvironmentProperties">
          <map>
            <!--
            <entry>
              <key><value>java.naming.security.protocol</value></key>
              <value>ssl</value>
            </entry>
            -->
            <entry>
              <key><value>java.naming.security.authentication</value></key>
              <value>simple</value>
            </entry>
          </map>
        </property>
      </bean>
    </property>
  </bean>
</beans>

With the search filter set to mail=%u@mondomaine.fr, the user only has to type the part of their e-mail address to the left of @mondomaine.fr into the CAS web login form to authenticate. For example, jerome.bousquie is enough to be completed into jerome.bousquie@mondomaine.fr.

To deploy this solution:

/etc/init.d/tomcat stop
cd ~/cas-toolbox-3.3.5-2
ant init
ant deploy
/etc/init.d/tomcat start
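As an added check for the key-generation step at the top of this page (not part of the original page or of CAS), the script below regenerates the four files the way the page does and then verifies, before they are dropped into WEB-INF/classes, that private.p8 is unencrypted PKCS#8 DER (what PrivateKeyFactoryBean loads), that public.key is the DER public key derived from it (what PublicKeyFactoryBean loads), and that x509.pem carries that same public key. It assumes openssl is on PATH; the scratch directory and the certificate subject are constructed values.

```shell
#!/bin/sh
# Added example, not from the page: regenerate and cross-check the CAS SAML
# signing key material. Assumes the openssl CLI is available.
set -eu

# Same commands as the page, run in a scratch directory; -subj is added so
# the x509 step does not prompt interactively (constructed subject).
cas_make_keys() {
  dir="$1"
  mkdir -p "$dir"
  ( cd "$dir" &&
    openssl genrsa -out private.key 1024 2>/dev/null &&
    openssl rsa -pubout -in private.key -out public.key -inform PEM -outform DER 2>/dev/null &&
    openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in private.key -out private.p8 &&
    openssl req -new -x509 -key private.key -out x509.pem -days 3650 -subj "/CN=cas-test" 2>/dev/null )
}

# SHA-256 of stdin as a bare hex string (works with both "SHA256(stdin)= ..."
# and "SHA2-256(stdin)= ..." output formats).
sha256_of_stdin() {
  openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when all three artefacts agree:
#  1. private.p8 parses as unencrypted PKCS#8 DER (a PKCS#1 "RSA PRIVATE KEY"
#     file copied in by mistake fails here);
#  2. public.key equals the SubjectPublicKeyInfo DER derived from private.p8;
#  3. the certificate in x509.pem wraps the same public key.
cas_check_keys() {
  dir="$1"
  openssl pkcs8 -inform DER -nocrypt -in "$dir/private.p8" -out /dev/null 2>/dev/null || return 1
  pub_from_p8=$(openssl pkey -inform DER -in "$dir/private.p8" -pubout -outform DER | sha256_of_stdin)
  pub_file=$(sha256_of_stdin < "$dir/public.key")
  pub_from_cert=$(openssl x509 -in "$dir/x509.pem" -noout -pubkey | openssl pkey -pubin -outform DER | sha256_of_stdin)
  [ "$pub_from_p8" = "$pub_file" ] && [ "$pub_from_p8" = "$pub_from_cert" ]
}
```

Run `cas_make_keys ./cas_keys && cas_check_keys ./cas_keys && echo OK` against a scratch directory; on the real deployment point `cas_check_keys` at WEB-INF/classes instead.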