Need Help Custom authentication CAS SSO 6


Fernando Gómez

Dec 16, 2019, 12:57:48 PM
to CAS Community


Greetings, dear community. I am writing on this occasion because I need guidance from you.

I have the following development scheme for an implementation of CAS SSO V6 for the University.


The life cycle that I must implement is as follows: the user enters his username and password; through POST the data passes to my classes, which must receive the information, encode it and then send it to an external service of mine that is responsible for validating it and obtaining the user's information from my database; then my service generates a response that is returned to the CAS server, and if it is an affirmative answer, CAS allows entry; if it is not, it rejects it.


In theory there would be no complication, but I cannot find the way, the documentation or an example of how to connect CAS SSO version 6 with my services. Could someone help guide me with some example or some document that I can analyze to achieve the goal? I have reviewed all of the official documentation and I do not get how to do it; I have gone around in circles many times and invested months, and nothing, so I come to you to see if someone can at least guide me on what route to take or where to investigate. Basically: how do I make it so that when the details of the CAS login form are filled in, that information is sent by POST to a class of mine, and that class to a service at an external URL? How do I connect CAS to my Java classes?


Grateful in advance.



Fernando

life cicle cas sso elpais.png


Ray Bon

Dec 16, 2019, 1:15:26 PM
to cas-...@apereo.org
Fernando,

The purpose of CAS is to eliminate your application's login page.
For your application to use CAS, it needs a CAS client, https://apereo.github.io/cas/6.1.x/integration/CAS-Clients.html

A simplified CAS login flow might be:

visit your application (cas client checks if user is logged in)
redirect to cas
enter username/password
redirect to your application with username (and optionally some other user attributes)

You want to avoid having a user's password. If it is really necessary, it can be retrieved from CAS.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Fernando Gómez

Dec 16, 2019, 1:41:13 PM
to CAS Community
Hi Ray, I really appreciate you answering me. It is possible that I explained myself badly. For my implementation and for this post, I am abstracting away the client, assuming that it already exists, as indeed it does. What I use for login is CAS, but what I have to solve is the authentication: that process cannot be done by CAS; I must use my external services that go against my database. The service looks up the user, compares the username and password, and returns a result, which I pass to the CAS server, and CAS must generate the tickets to be able to enter my application, which I already have. My doubt is: how do I tell CAS to check my external service?

Ray Bon

Dec 16, 2019, 2:11:52 PM
to cas-...@apereo.org
Fernando,

which can be released to your application with SAML1.1 or CAS protocol v3, https://apereo.github.io/cas/6.1.x/protocol/Protocol-Overview.html

You say 'What I use for login is the CAS', then you say, 'I have to solve is the authentication'. Login with CAS _is_ authentication. Do you mean authorization? That is, what actions a user might perform in your application (read data, update data etc.)?

If you are trying to restrict user access to your application, CAS can do that with attributes from the database. In the service definition, you can say a user must have this attribute and value to log in, https://apereo.github.io/cas/6.1.x/services/Configuring-Service-Access-Strategy.html

The role of CAS comes first: is the user who they claim to be? If yes, then your application has to determine what the user can do.

Just in case your application has to make calls to another application (not to a database), there is the proxy flow that CAS offers, https://apereo.github.io/cas/6.1.x/installation/Configuring-Proxy-Authentication.html

I hope this clears things up.

Ray

Fernando Gómez

Dec 16, 2019, 2:30:09 PM
to CAS Community
One of the big limitations that I have at the organization's policy level is that I cannot allow anything external to the organization to go against our database, due to data protection and user issues. That is why I have our service, which is already implemented, tested, validated and audited; the idea is to connect CAS to our service, and it will return the answer of whether the user can enter or not, in addition to their role, name and personal data. In this case the only thing I need to look at right now, and where I think you could guide me, is how I delegate the authentication to a custom handler, so that just when I enter my username and password I can call a Java class that is in charge of communicating with my service.
Unfortunately I have to do a very customized customization, where the CAS engine is basically for the SSO function, to be accredited in the different domains we have.

Ray Bon

Dec 16, 2019, 2:55:54 PM
to cas-...@apereo.org
If I understand correctly, CAS is external to your organization but associated in a way that can provide SSO.
For CAS SSO to work, it sends a cookie to the user's browser (TGC). If your application does the login and then communicates with CAS, then there will be no cookie, and no SSO.

It sounds like you have two different user bases, one in your application's database and one for CAS.

Do you have any control of CAS and its configuration?

What happens if a user logs in to an application in a different domain and then goes to your service, will they have to log in again?


If I am not leading you down the right path, perhaps you could draw the login flow.

Ray

Fernando Gómez

Dec 16, 2019, 3:22:40 PM
to CAS Community
Ray, sincerely, thank you very much.

Please allow me some time in which I will model the process well, explain it in more detail and explain it to you, to see if you can guide me. Indeed, "What happens if a user logs in to an application in a different domain and then goes to your service, will they have to log in again?" is one of the problems we have to solve.

I will revive the subject tomorrow by modeling the entire process further.

Andy Ng

Dec 16, 2019, 11:33:38 PM
to CAS Community
Hi Fernando,


> encode it and then send it to an external service of mine that is responsible for validating and to obtain the information of the user to my database
What language is the external service written in? If it is PHP, I have a sample for you:
 Otherwise you can also base your own external service on the sample.


Basically you want to add the following to your cas.properties / cas.yml

And it should do what you want to achieve.

If you decided to use rest authentication, your diagram will look something like this:



temp.png
Seems like it should work.


Note: Some people using rest authentication have an external service that cannot be modified; in that case you will need to heavily modify CAS, which would be another topic and might take a lot more time.


See if the above can help you...

Cheer!
- Andy
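Added example (my own code, not Andy's sample and not part of the original thread): a minimal model of the external service's side of CAS REST authentication, which, as I read the CAS docs, receives the credentials as HTTP Basic in the Authorization header, signals account state through HTTP status codes, and answers 200 with a JSON principal on success. The user store, the password hashing scheme, the account names and the status-code mapping are assumptions for illustration; check the REST authentication page of your CAS version for the exact contract.

```python
import base64
import binascii
import hashlib
import hmac
import json

def digest_password(salt, password):        # stand-in for whatever hashing the real database uses
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()

# Constructed sample user store standing in for Fernando's database (not real data).
USERS = {
    "fgomez":  {"salt": "s1", "pw": digest_password("s1", "correct-horse"), "status": "active",
                "attrs": {"displayName": "Fernando Gomez", "role": "staff"}},
    "old":     {"salt": "s2", "pw": digest_password("s2", "x"), "status": "disabled", "attrs": {}},
    "locked1": {"salt": "s3", "pw": digest_password("s3", "y"), "status": "locked", "attrs": {}},
}
# HTTP status codes that CAS's REST authentication handler maps to account states
# (from the CAS REST authentication docs as I recall them; verify for your version).
STATUS_FOR_STATE = {"disabled": 403, "locked": 423, "expired": 412}

def basic_header(username, password):       # the Authorization value CAS sends to the service
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic_auth(header):
    """Decode the Authorization header into (username, password); raise on anything else."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not HTTP Basic")
    user, sep, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    if not sep or not user:
        raise ValueError("malformed credentials")
    return user, password

def authenticate(authorization):
    """Return (HTTP status, JSON body) exactly as the external service answers CAS."""
    try:
        user, password = parse_basic_auth(authorization)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return 401, ""
    rec = USERS.get(user)
    if rec is None:
        return 404, ""                      # CAS: AccountNotFoundException
    if rec["status"] in STATUS_FOR_STATE:
        return STATUS_FOR_STATE[rec["status"]], ""
    # Constant-time comparison so response timing does not leak the stored digest.
    if not hmac.compare_digest(rec["pw"], digest_password(rec["salt"], password)):
        return 401, ""                      # any other non-200 -> FailedLoginException
    principal = {"@class": "org.apereo.cas.authentication.principal.SimplePrincipal", "id": user,
                 "attributes": {"@class": "java.util.LinkedHashMap", **rec["attrs"]}}
    return 200, json.dumps(principal)
```

Only CAS should be able to reach this endpoint, and only over TLS, since the service sees the clear-text password on every login and its status codes distinguish unknown accounts from wrong passwords.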

WalTech

Dec 17, 2019, 12:27:05 PM
to CAS Community
With 6.2 (as far as I have tested) you must provide a valid service name to get a TGT. A benefit of this is that you can use the server name of the requesting server as a service name, like "login.webserver.local". Since this name is most of the time unknown to the users, you can resolve this name with your code and send it to the CAS server to get the TGT ticket.
The TGT ticket number is step one and is needed to do a user/pass login (which will create an ST service ticket).
The ST ticket is bound to the user session and can be validated (e.g. is not expired) every time you want.
But CAS has to be connected to the database, as stated by the previous poster; otherwise the benefit of using CAS is little.
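Added example (my own code, not WalTech's and not part of the thread) of the three-step REST protocol exchange described above: the request each step sends and a parser for what CAS returns, including the failure branch of the validation response. The CAS base URL, the ticket ids and the XML responses are constructed placeholders; the endpoint paths are those of the CAS REST API and CAS protocol v3 as I know them.

```python
import re
import xml.etree.ElementTree as ET

CAS_BASE = "https://cas.example.edu/cas"          # placeholder CAS URL (assumption)
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}    # namespace of the CAS XML responses

# Step 1: POST credentials (plus, as the post above notes, a service name) to
# /v1/tickets; CAS answers 201 Created with the TGT id in the Location header.
def tgt_request(username, password, service):
    return "POST", f"{CAS_BASE}/v1/tickets", {"username": username, "password": password, "service": service}

def tgt_from_location(location):
    m = re.search(r"/v1/tickets/(TGT-[^/?#\s]+)$", location)
    return m.group(1) if m else None

# Step 2: POST the service to /v1/tickets/{TGT}; CAS answers 200 with the ST in the body.
def st_request(tgt, service):
    return "POST", f"{CAS_BASE}/v1/tickets/{tgt}", {"service": service}

def st_from_body(body):
    body = body.strip()
    return body if re.fullmatch(r"ST-[A-Za-z0-9._-]+", body) else None

# Step 3: the application hands the ST back to CAS (server side, every time) via
# /p3/serviceValidate and gets the user plus released attributes, or a failure code.
def validate_request(st, service):
    return "GET", f"{CAS_BASE}/p3/serviceValidate", {"service": service, "ticket": st}

def parse_validation(xml_body):
    """Return (ok, user, attributes); on failure attributes holds the CAS failure code."""
    root = ET.fromstring(xml_body)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        fail = root.find("cas:authenticationFailure", CAS_NS)
        return False, None, {"failure_code": [fail.get("code", "")] if fail is not None else []}
    attrs = {}
    attr_el = ok.find("cas:attributes", CAS_NS)
    for child in (attr_el if attr_el is not None else []):   # multi-valued attributes repeat the tag
        attrs.setdefault(child.tag.split("}", 1)[-1], []).append(child.text or "")
    return True, ok.findtext("cas:user", namespaces=CAS_NS), attrs

# Constructed sample responses (not captured from a real CAS server) so the block runs offline.
SAMPLE_LOCATION = f"{CAS_BASE}/v1/tickets/TGT-1-abc123-cas01"
SAMPLE_ST_BODY = "ST-1-xyz789-cas01\n"
SAMPLE_VALIDATE_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
 <cas:authenticationSuccess><cas:user>fgomez</cas:user><cas:attributes>
  <cas:role>staff</cas:role><cas:role>admin</cas:role></cas:attributes>
 </cas:authenticationSuccess></cas:serviceResponse>"""
SAMPLE_VALIDATE_FAIL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
 <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```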

Fernando Gómez

Dec 17, 2019, 12:39:33 PM
to CAS Community
I am very grateful to everyone for their responses. I will review everything carefully and let you know, and when I solve it I will also write it up to help others in the future.
I will write soon.

Fernando Gómez

Dec 17, 2019, 12:44:13 PM
to CAS Community
It is looking very good; it is similar to what I need to do. My service is written in .NET, but that is the least of it; I can adapt it, what matters is the logic.
I think what you have told me will be very helpful.
I will let you know.