Help Connecting Initial Pieces (Shiro, Grails and CAS)


John Rellis

May 20, 2016, 9:49:05 AM
to CAS Community
Hey folks,

Apologies for the broad scope of this post.  I've been reading the docs and although I can see each individual piece I am having trouble deciphering how these pieces fit together for my use case.

Right now, I have 4 grails applications that have 4 different databases containing user information.  The applications currently use Shiro to authenticate users.  The goal is to implement single sign on in these applications.

I have cloned the cas-overlay-template project, created the war and launched it in tomcat and can login using the default user and I'm really at a "now what?" scenario.  I have also included the shiro-cas dependency in the current projects and read this doc.

This is what I see as our potential process flow, can someone please correct me if I am going wrong with my understanding of how all this works and help with some of the questions too, that would be amazing! 

  1. User hits one of our four applications and is not logged in 
    1. Do each of these applications need to be configured as services on the CAS server?
  2. User is redirected to CAS
    1. this is done through the configuration of shiro as far as I can tell
  3. User enters their login details into CAS
    1. where are these details matched against?  Can they be matched against the already existing applications or do I need to create a new database/service to authenticate against?
  4. User is logged into one application
  5. User hits application 2 where they are not logged in, they are redirected to CAS, a ticket exists for their login and they are allowed into application two

My current understanding is that each application needs to be a service and a ticket is generated at the first login that is stored as a cookie and this ticket is used to allow access to other applications, is this correct?

Thank you in advance!!!!!

John

Waldbieser, Carl

May 20, 2016, 10:21:03 AM
to John Rellis, CAS Community
John,

The way it works is that you configure some backend for CAS to authenticate credentials against.
There is a lot of flexibility, but in *typical* scenarios, credentials are username/password, and the backend would be LDAP/Active Directory or some kind of RDBMS.

The way authentication works with your apps is that you configure CAS to whitelist your services by means of a service registry (which is basically just a list of URL patterns it will accept). You then configure each of your applications to trust CAS authentication by installing a CAS client and pointing it to your CAS service.

When a user tries to log into one of your apps, if they have no existing application session, they are redirected to the CAS service with a querystring parameter "service" that points back to a URL on your app. CAS checks that this URL is whitelisted, and if it is, it checks to see if you have an existing Single Sign On (SSO) session. If not, it forces you to authenticate, and if successful, it establishes an SSO session for you. Once you have an SSO session, CAS redirects you to the "service" URL, with a querystring parameter "ticket" that includes a long random string called a service ticket (ST). The STs only last for a short time (think ~30 seconds). Your app can take the ST and make a server-to-server connection to CAS and ask "is this ST valid?". If it is, CAS says "yes, here is the user ID of the user it belongs to". If you configure CAS to release attributes to a service, those are also provided in the response.

That's the whole thing in a nutshell. Your SSO session will eventually expire after some time you set (think hours or days). You can also explicitly log out of CAS to end the SSO session.

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

----- Original Message -----
From: "John Rellis" <john.d...@gmail.com>
To: "CAS Community" <cas-...@apereo.org>
Sent: Friday, May 20, 2016 9:49:05 AM
Subject: [cas-user] Help Connecting Initial Pieces (Shiro, Grails and CAS)

Hey folks,

Apologies for the broad scope of this post. I've been reading the docs
<https://apereo.github.io/cas/4.2.x/index.html> and although I can see each
individual piece I am having trouble deciphering how these pieces fit
together for my use case.

Right now, I have 4 grails applications that have 4 different databases
containing user information. The applications currently use Shiro to
authenticate users. The goal is to implement single sign on in these
applications.

I have cloned the cas-overlay-template project, created the war and
launched it in tomcat and can login using the default user and I'm really
at a "now what?" scenario. I have also included the shiro-cas dependency
in the current projects and read this doc <http://shiro.apache.org/cas.html>.

This is what I see as our potential process flow, can someone please
correct me if I am going wrong with my understanding of how all this works
and help with some of the questions too, that would be amazing!


  1. User hits one of our four applications and is not logged in
    1. Do each of these applications need to be configured as services on
       the CAS server?
  2. User is redirected to CAS
    1. this is done through the configuration of shiro as far as I can
       tell
  3. User enters their login details into CAS
    1. where are these details matched against? Can they be matched
       against the already existing applications or do I need to create a new
       database/service to authenticate against?
  4. User is logged into one application
  5. User hits application 2 where they are not logged in, they are
     redirected to CAS, a ticket exists for their login and they are allowed
     into application two


My current understanding is that each application needs to be a service and a
ticket is generated at the first login that is stored as a cookie and this
ticket is used to allow access to other applications, is this correct?

Thank you in advance!!!!!

John

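The exchange Carl describes and the five-step flow John sketched, modelled end to end as an added example (this is not code from the thread, from CAS or from shiro-cas). Both sides are simulated in one file: a hypothetical `CasServer` with a regex-based `ServiceRegistry` standing in for the service whitelist, and the client-side pieces a CAS client such as shiro-cas performs in each application (build the login redirect, pull the ST out of the return URL, validate it server-to-server, read the user id and attributes out of the response). The hostnames, the 30-second ticket lifetime, the `jdoe` user and the `mail` attribute are constructed; the XML shape follows the CAS 2.0 `serviceValidate` response. It goes a little beyond the thread in showing what a correct validation must reject: a replayed ticket, a ticket issued for a different service, an expired ticket, and a service URL that is not registered at all.

```python
import re
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

CAS_NS = "http://www.yale.edu/tp/cas"
ET.register_namespace("cas", CAS_NS)
ST_TTL_SECONDS = 30  # service tickets live only briefly (the reply says ~30 s)


class ServiceRegistry:
    """Allowlist of service URL patterns (hypothetical stand-in for the CAS service registry)."""
    def __init__(self, patterns):
        self._patterns = [re.compile(p) for p in patterns]

    def is_allowed(self, service):
        return any(p.match(service) for p in self._patterns)


class CasServer:
    """Hypothetical CAS server: issues service tickets (STs) and answers validation calls."""
    def __init__(self, registry, clock=time.time):
        self.registry, self.clock = registry, clock
        self._tickets = {}  # ST -> (service it was issued for, user, issue time)

    def login(self, service, sso_user):
        """/login?service=... for a user who already holds an SSO session:
        CAS redirects straight back to the service with a fresh, single-use ST."""
        if not self.registry.is_allowed(service):
            raise PermissionError("service not registered: " + service)
        st = "ST-" + secrets.token_urlsafe(24)
        self._tickets[st] = (service, sso_user, self.clock())
        return f"{service}{'&' if '?' in service else '?'}{urlencode({'ticket': st})}"

    def service_validate(self, service, ticket, attributes=None):
        """/serviceValidate: the app's server-to-server 'is this ST valid?' question."""
        entry = self._tickets.pop(ticket, None)  # consumed on first use, valid or not
        if entry is None:
            return self._response("INVALID_TICKET", f"Ticket {ticket} not recognized")
        bound_service, user, issued_at = entry
        if bound_service != service:
            return self._response("INVALID_SERVICE", "Ticket was issued for another service")
        if self.clock() - issued_at > ST_TTL_SECONDS:
            return self._response("INVALID_TICKET", f"Ticket {ticket} has expired")
        return self._response(None, user, attributes or {})

    @staticmethod
    def _response(code, text, attrs=None):
        # CAS 2.0 XML: authenticationFailure with a code, or authenticationSuccess with the user id
        root = ET.Element(f"{{{CAS_NS}}}serviceResponse")
        if code:
            ET.SubElement(root, f"{{{CAS_NS}}}authenticationFailure", code=code).text = text
        else:
            ok = ET.SubElement(root, f"{{{CAS_NS}}}authenticationSuccess")
            ET.SubElement(ok, f"{{{CAS_NS}}}user").text = text
            if attrs:  # only present when the service is configured to receive attributes
                holder = ET.SubElement(ok, f"{{{CAS_NS}}}attributes")
                for name, value in attrs.items():
                    ET.SubElement(holder, f"{{{CAS_NS}}}{name}").text = value
        return ET.tostring(root, encoding="unicode")


# Client side: what a CAS client such as shiro-cas does inside each application.
def build_login_url(cas_base, service):
    """Where to send a browser that has no application session."""
    return f"{cas_base}/login?{urlencode({'service': service})}"


def extract_ticket(redirect_url):
    """Pull the ST out of the URL CAS sent the browser back to."""
    return parse_qs(urlparse(redirect_url).query).get("ticket", [None])[0]


def parse_validate_response(xml_text):
    """Reduce the serviceValidate XML to a dict; the user id comes from CAS, never from the browser."""
    ns = {"cas": CAS_NS}
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", ns)
    if ok is None:
        fail = root.find("cas:authenticationFailure", ns)
        return {"ok": False, "code": fail.get("code"), "message": (fail.text or "").strip()}
    attrs_el = ok.find("cas:attributes", ns)
    attrs = {} if attrs_el is None else {c.tag.split("}", 1)[1]: c.text for c in attrs_el}
    return {"ok": True, "user": ok.findtext("cas:user", namespaces=ns), "attributes": attrs}


def demo():
    """Walk the five steps from the thread with a fake clock so ticket expiry is visible."""
    now = [1_000_000.0]
    cas = CasServer(ServiceRegistry([r"^https://app[1-4]\.example\.com/"]), clock=lambda: now[0])
    app1, app2 = "https://app1.example.com/shiro-cas", "https://app2.example.com/shiro-cas"
    out = {"login_url": build_login_url("https://cas.example.com/cas", app1)}  # steps 1-2
    st = extract_ticket(cas.login(app1, "jdoe"))  # step 3: user logs in, CAS redirects back with an ST
    # step 4: app1 validates server-to-server and learns the user id (and released attributes)
    out["first"] = parse_validate_response(cas.service_validate(app1, st, {"mail": "jdoe@example.com"}))
    out["replay"] = parse_validate_response(cas.service_validate(app1, st))  # same ST presented twice
    # step 5: app2 gets its own ST from the existing SSO session; that ST is bound to app2's URL
    st2 = extract_ticket(cas.login(app2, "jdoe"))
    out["wrong_service"] = parse_validate_response(cas.service_validate(app1, st2))
    st3 = extract_ticket(cas.login(app2, "jdoe"))
    now[0] += ST_TTL_SECONDS + 1  # let this one age past its lifetime before validating
    out["expired"] = parse_validate_response(cas.service_validate(app2, st3))
    try:  # a URL outside the registry never gets a ticket at all
        cas.login("https://unregistered.example.net/callback", "jdoe")
        out["unregistered"] = "allowed"
    except PermissionError:
        out["unregistered"] = "rejected"
    return out
```

Running `demo()` returns the outcome of each step. The points to take from it for the four Grails apps: every app's callback URL has to match a registry pattern or step 2 never produces a ticket; the ticket is only a pointer, so the app must never derive a user id from it and must always ask CAS over the server-to-server channel; and because the ST is single-use, service-bound and short-lived, a ticket captured from one app's URL is worthless to another app or a few seconds later.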

John Rellis

May 20, 2016, 12:51:40 PM
to CAS Community
Carl,

This helps me a lot, thank you.

John