CAS Proxy


Bryan Wooten

Oct 2, 2018, 7:18:59 PM
to cas-...@apereo.org
All,

I am trying to implement our first CAS proxy.


This is our exact use case. But I am having trouble truly understanding.

Currently our JSON service registry has this entry for the desired server:


{
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^https://gatetest.acs.utah.edu/.*",
    "name": "testCis",
    "id": 4,
    "description": "Test Portal",
    "evaluationOrder": 4,
    "proxyPolicy": {
        "@class": "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
        "pattern": "^https?://.*"
    },
    "accessStrategy": {
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
        "enabled": true,
        "ssoEnabled": true
    }
}

Our CAS server is behind a Citrix Load Balancer that does SSL termination. So I am not sure if I need SSL on the CAS server itself for this.

Also my JSON service registry file does not seem to match this (from above link):

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://.+",
  "name" : "test",
  "id" : 1,
  "evaluationOrder" : 0,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository"
    },
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : true
  },
  "publicKey" : {
    "@class" : "org.apereo.cas.services.RegisteredServicePublicKeyImpl",
    "location" : "classpath:RSA1024Public.key",
    "algorithm" : "RSA"
  }
}

All endpoints are Java.

I would love examples of client side Java filter configuration and CAS server side JSON service registry configuration.

Do I really need SSL and associated keys if the Load Balancer is doing SSL offloading?

Thanks for any and all help,

Bryan

University of Utah

Tepe, Dirk

Oct 3, 2018, 9:06:29 AM
to cas-...@apereo.org
The use of a public key in the service configuration is not related to a client web browser connecting to your CAS server over https. CAS requires the use of public/private keys when releasing sensitive information as part of the returned attributes. The proxy service is one such case due to the option to return the PGT-IOU as an attribute rather than requiring the target application to provide a pgtURL. This is documented here:


You should only implement this if your use case fits the description in the first paragraph. Knowing if you are using a pgtURL callback or attribute release will help to answer other questions.

-dirk

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAG9x2GUzXxsnRdGebkP5bvGr4ckLeGQ45YmrGsKB_-5zQ9_YEA%40mail.gmail.com.
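The pgtURL-callback mode that Dirk asks about, and that Bryan's "testCis" entry with its `proxyPolicy` pattern would use, walked through as an added example. This is not code from the thread, from Apereo CAS or from the Java CAS client; it models three parties (the CAS server's callback check, the portal that proxies, and the back-end it calls) in Python so the exchanges can be read in one place. All hostnames, ticket values and XML bodies are constructed, following the CAS protocol schema (namespace `http://www.yale.edu/tp/cas`); the `https` requirement on the callback URL is the model's policy and mirrors what the protocol expects of a pgtUrl, since the CAS server delivers the PGT to that address.

```python
"""Walk-through of the CAS proxy flow that uses a pgtUrl callback.

Added example; not code from the thread, from Apereo CAS or from the Java CAS
client. Parties modelled: the CAS server (callback check), the portal (the
proxying application) and the back-end it calls on the user's behalf. All
hostnames, ticket values and XML bodies below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed bodies standing in for what the CAS server would return.
SERVICE_VALIDATE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>u0123456</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-example-1</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

PROXY_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxySuccess>
    <cas:proxyTicket>PT-example-1</cas:proxyTicket>
  </cas:proxySuccess>
</cas:serviceResponse>"""

PROXY_VALIDATE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>u0123456</cas:user>
    <cas:proxies>
      <cas:proxy>https://portal.example.edu/proxyCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""


def callback_url_accepted(pgt_url: str, policy_pattern: str) -> bool:
    """CAS-server side: check the pgtUrl sent with /serviceValidate.

    The registered service's proxyPolicy pattern is applied, and the scheme
    must be https because the PGT is delivered to this URL. A pattern such as
    ^https?://.* (as in the thread) leaves the https check to do all the work.
    """
    return (re.fullmatch(policy_pattern, pgt_url) is not None
            and urlparse(pgt_url).scheme == "https")


class ProxyReceptor:
    """Portal side: the endpoint behind pgtUrl that the CAS server calls."""

    def __init__(self):
        self._pgt_by_iou = {}

    def handle_callback(self, query: dict) -> int:
        """CAS first GETs pgtUrl with no parameters, then with pgtIou and pgtId.
        Returns the HTTP status the receptor answers with."""
        iou, pgt = query.get("pgtIou"), query.get("pgtId")
        if iou is None and pgt is None:
            return 200          # initial probe of the callback URL
        if iou is None or pgt is None:
            return 400
        self._pgt_by_iou[iou] = pgt
        return 200

    def pgt_for(self, pgt_iou: str):
        """Correlate the IOU from the validation response with the stored PGT."""
        return self._pgt_by_iou.pop(pgt_iou, None)


def parse_service_validate(xml_text: str):
    """Portal side: pull user and PGTIOU out of the /serviceValidate response."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    return (success.findtext("cas:user", namespaces=CAS_NS),
            success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS))


def parse_proxy(xml_text: str) -> str:
    """Portal side: extract the proxy ticket from the /proxy response."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:proxySuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:proxyFailure", CAS_NS)
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    return success.findtext("cas:proxyTicket", namespaces=CAS_NS)


def validate_proxy_chain(xml_text: str, allowed_proxy_pattern: str):
    """Back-end side: accept a /proxyValidate success only if every proxy in
    the chain (most recent first) matches the back-end's own allow-list."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("proxy ticket rejected by CAS")
    chain = [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS)]
    for proxy in chain:
        if re.fullmatch(allowed_proxy_pattern, proxy) is None:
            raise PermissionError(f"untrusted proxy in chain: {proxy}")
    return success.findtext("cas:user", namespaces=CAS_NS), chain


def run_flow() -> dict:
    """End-to-end walk through the three exchanges with the constructed bodies."""
    pgt_url = "https://portal.example.edu/proxyCallback"
    assert callback_url_accepted(pgt_url, r"^https?://.*")

    receptor = ProxyReceptor()
    # 1. Portal validates its ST with pgtUrl=...; CAS calls the receptor before
    #    it writes the PGTIOU into the validation response.
    receptor.handle_callback({})
    receptor.handle_callback({"pgtIou": "PGTIOU-example-1", "pgtId": "PGT-example-1"})
    user, pgt_iou = parse_service_validate(SERVICE_VALIDATE_RESPONSE)
    pgt = receptor.pgt_for(pgt_iou)

    # 2. Portal exchanges the PGT for a PT scoped to the back-end's service URL
    #    (real call: GET /cas/proxy?pgt=<PGT>&targetService=<back-end URL>).
    pt = parse_proxy(PROXY_RESPONSE)

    # 3. Back-end validates the PT via /proxyValidate and checks the chain.
    backend_user, chain = validate_proxy_chain(
        PROXY_VALIDATE_RESPONSE, r"https://portal\.example\.edu/proxyCallback")
    return {"user": user, "pgt": pgt, "pt": pt,
            "backend_user": backend_user, "chain": chain}


if __name__ == "__main__":
    print(run_flow())
```

The part that needs no public key is the point: in this mode the PGT never appears in the validation response, only its IOU does, so the `publicKey` and `authorizedToReleaseProxyGrantingTicket` settings from the second JSON entry are not required. In the Java CAS client the receptor role is played by `Cas20ProxyReceivingTicketValidationFilter` with its `proxyCallbackUrl` and `proxyReceptorUrl` parameters, and the back-end's allow-list corresponds to its `allowedProxyChains` setting rather than `acceptAnyProxy`. The callback URL is what the CAS server itself connects to, so it must be reachable over https from the CAS server regardless of where the browser-facing TLS terminates.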