[cas-user] Configuring CAS to trust/replace Luminis CAS.


Ben Branch

Jan 18, 2012, 1:08:15 PM
to cas-...@lists.jasig.org

Hello everyone,

 

Recently after getting our CAS test infrastructure built, I was asked to see if it was possible for us to either replace our Luminis CAS implementation with an external CAS or build a trust between the two.  We opted to try and build a trust between the two.

 

To assist us with this, we found the following documentation:

 

1.       CAS and Luminis 4: Using External/Central CAS - http://www.lumdev.net/node/3153

2.       Trusting another CAS Server - http://www.usask.ca/docs/cas/trusting.html

3.       Trusted Authentication Handler - https://wiki.jasig.org/display/CASUM/Trusted

 

Document #1 advises us how to configure the Luminis CAS portion, which we have done and don’t appear to be having any issues.

Document #2 advises us to make  a small change to the AJP 1.3 connector in Tomcat, and then compile the mod_auth_cas Apache module.  This document also advises us how to configure apache to accept the CAS connections.

Document #3 tells us how we should configure our Central CAS to trust other incoming CAS connections. 

 

Now for the problems…

 

 

PROBLEM #1:

 

Document #2 says that we need to compile the apache mod_auth_cas module.  Not a problem.  We download it, it appears to compile fine, but when we try to start apache with the module, I get the following error:

 

Starting httpd: httpd: Syntax error on line 208 of /etc/httpd/conf/httpd.conf: Cannot load /etc/httpd/modules/mod_auth_cas.so into server: /etc/httpd/modules/mod_auth_cas.so: undefined symbol: CRYPTO_THREADID_get_id_callback

 

I went back and recompiled the module, this time I noticed something that I didn’t catch before.

./configure output - http://pastebin.com/3xCG6x67

Make ; make install output - http://pastebin.com/DrMjgQK3

 

This is what caught my eye:

mod_auth_cas.c: In function ‘cas_post_config’:
mod_auth_cas.c:2027: warning: implicit declaration of function ‘CRYPTO_THREADID_get_id_callback’
mod_auth_cas.c:2027: warning: comparison between pointer and integer
mod_auth_cas.c:2029: warning: implicit declaration of function ‘CRYPTO_THREADID_set_id_callback’

 

Reviewing the Official CAS Clients on the JASIG site ( https://wiki.jasig.org/display/CASC/RPM+Modules ) reveals that this issue should have been resolved by an updated version of the mod_auth_cas module.  I verified that I have downloaded this version, yet I am still getting the error.  From the CHANGELOG: 

%changelog
* Tue Nov 09 2011 <jehan.p...@it-sudparis.eu> - 1.0.9.1-1
- updated to mod_auth_cas-1.0.9.1.tar.gz
- updated build centos from openssl-1.0.0-4.el6_0.2.i686 to openssl-1.0.0-10.el6_1.5.i688

+ modified src/mod_auth_cas.h because of "mod_auth_cas.so: undefined symbol: CRYPTO_THREADID_get_id_callback" :

 /*  https://issues.jasig.org/browse/MAS-47 */
#define CRYPTO_THREADID_get_id_callback() CRYPTO_THREADID_get_callback()
#define CRYPTO_THREADID_set_id_callback(callback) CRYPTO_THREADID_set_callback(callback)

Here is my version of OpenSSL:

 

[root@pomona lib64]# rpm -q --file /usr/lib64/libssl.so.10

openssl-1.0.0-20.el6.x86_64

 

My version of Apache:

[root@pomona sbin]# ./httpd -v

Server version: Apache/2.2.15 (Unix)

Server built:   Oct  6 2011 11:06:33

[root@pomona sbin]#

 

PROBLEM #2:

 

Following the official JASIG documentation (Document #3 above) we were able to compile our war file with the cas-server-support-trusted artifact.  We tried to configure the login webflow via the /WEB-INF/login-webflow.xml.  We added the appropriate action-state as advised in the document.  We found in the document that we needed to update 2 decision-states and 1 other action-state (gatewayRequestCheck, renewRequestCheck, and generateServiceTicket) from viewLoginForm to remoteAuthenticate.  These 2 decision-states and the single action-state are not in the login-webflow.xml. 

 

Further in the documentation we need to modify the cas-servlet.xml.   It advises us to add a bean into the authenticationManager and another one into the authenticationHandlers.  We made all of the necessary changes and when we would try to access our login page, we would get an error stating that the service was unavailable.  Reviewing the tomcat logs showed that we were getting Error 500 on /cas/login landing page.  Additional review of the localhost logs showed the following:

 

 

SEVERE: Servlet.service() for servlet [cas] in context with path [/cas] threw exception [Request processing failed; nested exception is org.springframework.webflow.definition.registry.FlowDefinitionConstructionException: An exception occurred constructing the flow 'login'] with root cause

org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'transistion'. One of '{"http://www.springframework.org/schema/webflow":evaluate, "http://www.springframework.org/schema/webflow":render, "http://www.springframework.org/schema/webflow":set, "http://www.springframework.org/schema/webflow":transition, "http://www.springframework.org/schema/webflow":on-exit, "http://www.springframework.org/schema/webflow":exception-handler}' is expected.


 

I’m very uncertain where to go from here with this.  The only way I was able to get my CAS back in working order was to revert all of my changes that I had made.  Any help in this matter would be greatly appreciated.

 

 

Ben Branch
Sun Administrator

University of Central Oklahoma

ITIL Foundation v3, Network+

100 N. University Drive, Box 122

Edmond, OK 73034

D: 405.974.2649 | M: 405.550.6804 | bbranch@uco.edu | www.uco.edu

 

“If you wish to know your past, look at your present conditions.  If you wish to know your future, look at your present actions.”  - Siddhartha Gautama

 


**Bronze+Blue=Green** The University of Central Oklahoma is Bronze, Blue, and Green! Please print this e-mail only if absolutely necessary!

**CONFIDENTIALITY** -This e-mail (including any attachments) may contain confidential, proprietary and privileged information. Any unauthorized disclosure or use of this information is prohibited.
-- 
You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

Phil Ames

Jan 18, 2012, 1:18:04 PM
to cas-...@lists.jasig.org, Matt Smith
Sorry, this fix hasn't been included in a tagged release yet.  Your best bet right now will be to git clone https://github.com/Jasig/mod_auth_cas.git and build from there.


 

Ben Branch

Jan 18, 2012, 2:44:45 PM
to cas-...@lists.jasig.org, Matt Smith

Phil,

 

I tried to use the github link that you sent and I am receiving a 404 error.  Are you certain this is the right link?

 

Ben Branch

Phil Ames

Jan 18, 2012, 2:54:30 PM
to cas-...@lists.jasig.org, Matt Smith
On Wed, Jan 18, 2012 at 2:44 PM, Ben Branch <BBr...@uco.edu> wrote:

> Phil,
>
> I tried to use the github link that you sent and I am receiving a 404 error.  Are you certain this is the right link?

You need to use the git version control command, not a web browser:

$ git clone https://github.com/Jasig/mod_auth_cas.git
Cloning into 'mod_auth_cas'...
remote: Counting objects: 1076, done.
remote: Compressing objects: 100% (535/535), done.
remote: Total 1076 (delta 577), reused 1032 (delta 536)
Receiving objects: 100% (1076/1076), 655.04 KiB, done.
Resolving deltas: 100% (577/577), done.

vs.

$ curl -I https://github.com/Jasig/mod_auth_cas.git
HTTP/1.1 404 Not Found
Date: Wed, 18 Jan 2012 19:53:48 GMT
[...]
 

Ben Branch

Jan 18, 2012, 2:55:06 PM
to cas-...@lists.jasig.org, Matt Smith

Phil,

 

Never mind about the git path.  Must have been a small network hiccup on my end.  It downloaded fine.

 

Ben Branch

Ben Branch

Jan 19, 2012, 11:58:19 AM
to cas-...@lists.jasig.org, Matt Smith
Phil,

Many thanks for the info on git. I've never used it before. I was able to get the mod_auth_cas to compile and come up in apache. I found that my other issue was that I had misspelled 'transition' in my login-webflow.xml.

We are still having issues with getting the 2 CAS systems to trust each other, but before I make another post I need to make sure we have done everything properly on our end. I will keep everyone informed of our progress.

Benjamin
________________________________________
From: phil...@gmail.com [phil...@gmail.com] On Behalf Of Phil Ames [modau...@gmail.com]
Sent: Wednesday, January 18, 2012 1:54 PM


To: cas-...@lists.jasig.org
Cc: Matt Smith
Subject: Re: [cas-user] Configuring CAS to trust/replace Luminis CAS.

On Wed, Jan 18, 2012 at 2:44 PM, Ben Branch <BBr...@uco.edu> wrote:
Phil,

I tried to use the github link that you sent and I am receiving a 404 error. Are you certain this is the right link?

You need to use the git version control command, not a web browser:

$ git clone https://github.com/Jasig/mod_auth_cas.git
Cloning into 'mod_auth_cas'...
remote: Counting objects: 1076, done.
remote: Compressing objects: 100% (535/535), done.
remote: Total 1076 (delta 577), reused 1032 (delta 536)
Receiving objects: 100% (1076/1076), 655.04 KiB, done.
Resolving deltas: 100% (577/577), done.

vs.

$ curl -I https://github.com/Jasig/mod_auth_cas.git
HTTP/1.1 404 Not Found
Date: Wed, 18 Jan 2012 19:53:48 GMT
[...]


--
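A pre-deployment lint for the failure behind Problem #2 (a misspelled element in login-webflow.xml that took /cas/login down with a 500), as an added example that is not part of the thread or of CAS. The element vocabulary, the sample flow, the expression name and the function name are assumptions; the check goes slightly beyond the thread by also flagging transitions that point at state ids the file never defines, and it is not a substitute for full XSD validation.

```python
import difflib
import xml.parsers.expat

WEBFLOW_NS = "http://www.springframework.org/schema/webflow"

# Assumed vocabulary: the six names listed in the SAXParseException from the
# thread, plus other Spring Web Flow 2 elements commonly seen in a flow file.
KNOWN_ELEMENTS = {
    "evaluate", "render", "set", "transition", "on-exit", "exception-handler",
    "flow", "var", "input", "output", "attribute", "secured", "on-start",
    "on-entry", "on-render", "on-end", "if", "global-transitions",
    "action-state", "view-state", "decision-state", "subflow-state",
    "end-state", "bean-import", "binder", "binding", "persistence-context",
}
STATE_ELEMENTS = {"action-state", "view-state", "decision-state",
                  "subflow-state", "end-state"}
TARGET_ATTRS = ("to", "then", "else")  # attributes that name a target state


def lint_webflow(xml_text):
    """Return sorted findings as (line, kind, value, suggestion) tuples."""
    findings = []
    state_ids = set()
    references = []  # (line, target state id)

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def start_element(name, attrs):
        namespace, _, local = name.rpartition(" ")
        if namespace != WEBFLOW_NS:
            return
        line = parser.CurrentLineNumber
        if local not in KNOWN_ELEMENTS:
            # Only near misses are reported, so an element that is merely
            # absent from the assumed vocabulary does not raise a false alarm.
            guess = difflib.get_close_matches(
                local, sorted(KNOWN_ELEMENTS), n=1, cutoff=0.8)
            if guess:
                findings.append((line, "misspelled-element", local, guess[0]))
            return
        if local in STATE_ELEMENTS and "id" in attrs:
            state_ids.add(attrs["id"])
        for attr in TARGET_ATTRS:
            target = attrs.get(attr)
            # Skip expression targets; they are resolved at runtime.
            if target and "${" not in target and "#{" not in target:
                references.append((line, target))

    parser.StartElementHandler = start_element
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        return [(exc.lineno, "not-well-formed", str(exc), None)]

    # State ids may be declared after they are referenced, so resolve last.
    for line, target in references:
        if target not in state_ids:
            findings.append((line, "undefined-target", target, None))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample flow (not the poster's file): one misspelled element and
# one transition to a state id that this fragment does not define.
SAMPLE = """\
<flow xmlns="http://www.springframework.org/schema/webflow">
  <decision-state id="gatewayRequestCheck">
    <if test="requestParameters.gateway != null" then="redirect" else="remoteAuthenticate" />
  </decision-state>
  <action-state id="remoteAuthenticate">
    <evaluate expression="constructedRemoteAuthAction" />
    <transistion on="success" to="redirect" />
    <transition on="error" to="viewLoginForm" />
  </action-state>
  <end-state id="redirect" />
</flow>
"""

if __name__ == "__main__":
    for line, kind, value, suggestion in lint_webflow(SAMPLE):
        hint = f" (did you mean '{suggestion}'?)" if suggestion else ""
        print(f"line {line}: {kind}: {value}{hint}")
```

Running a check like this against the edited file before redeploying the war catches the typo without taking the login page offline.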

Ben Branch

Jan 30, 2012, 3:06:36 PM
to cas-...@lists.jasig.org

All,

 

We have worked now for a few weeks to try and build a trust between a Luminis 4/CAS2 implementation with a CAS 3.4.10 Stand Alone Server.   We are having a great deal of trouble with this and we aren’t sure if we are heading in the right direction.  Has anyone on here been able to get this to work?  If so, would you be so kind as to share some of your thoughts and documentation on how you were able to accomplish this.

Marvin Addison

Jan 31, 2012, 8:47:25 AM
to cas-...@lists.jasig.org
> We have worked now for a few weeks to try and build a trust between a
> Luminis 4/CAS2 implementation with a CAS 3.4.10 Stand Alone Server.

I'm pretty sure folks in the community have done this. We've done the
Banner/CAS integration via BEIS, which may be relevant for Luminis/CAS
integration. Pretty sure it ought to be doable in any case. Let's
start with your general integration plan and then address some
specific obstacles you've encountered.

M

Ben Branch

Jan 31, 2012, 12:15:41 PM
to cas-...@lists.jasig.org
Marvin,

We have been following these documents to configure the trust:

1. CAS and Luminis 4: Using External/Central CAS - http://www.lumdev.net/node/3153
2. Trusting another CAS Server - http://www.usask.ca/docs/cas/trusting.html
3. Trusted Authentication Handler - https://wiki.jasig.org/display/CASUM/Trusted

After reading these and following these, we're not able to determine if this is even the proper documentation to follow. I'm not sure how to determine if the trust even works. We aren't able to follow the test conditions mentioned in the lumdev document. It states that we should be able to login to the Portal/CAS2 environment, and then login to a service that uses the CAS 3.4.10 instance (without having to login a second time) and it should allow the service to be accessed. This fails for us. I'm open to any suggestions at this point and your help is greatly appreciated.


Ben Branch

Marvin Addison

Jan 31, 2012, 1:46:42 PM
to cas-...@lists.jasig.org
> We have been following these documents to configure the trust:
>
> 1.       CAS and Luminis 4: Using External/Central CAS - http://www.lumdev.net/node/3153
> 2.       Trusting another CAS Server - http://www.usask.ca/docs/cas/trusting.html
> 3.       Trusted Authentication Handler - https://wiki.jasig.org/display/CASUM/Trusted

I think I understand the integration strategy described above. I
would avoid that strategy if possible. I would find it preferable to
simply _replace_ the bundled CAS in Luminis with an external
(presumably existing) enterprise CAS server. Have you considered that
approach?

M

--

Ben Branch

Jan 31, 2012, 5:16:18 PM
to cas-...@lists.jasig.org
Marvin,

We have considered replacing the Luminis CAS with a Stand Alone CAS. With that said, I am not our Luminis/Portal Admin, I am unsure how we would go about "ripping" out the CAS2 piece from Luminis and instituting our CAS 3.4.10 server. This may be something that I need to discuss with my portal admin, but I'm not sure that he would have the answer either. We have asked SunGard HE if this was possible, and they have advised us that it wasn't and that professional services could assist us in coming up with a solution. I find it hard to believe that we can't make this work, without professional services, given the documentation that shows it clearly can.

Many thanks for your help in this matter,


Ben Branch

Marvin Addison

Feb 1, 2012, 10:03:47 AM
to cas-...@lists.jasig.org
Ben,

I can sympathize with your situation, so I took the time to ask around
here about the state of things. It is as I thought: we decided upon
an integration strategy between Luminis and an external CAS server
that leverages the BEIS components. While we never actually
implemented that particular integration option (due to ditching
Luminis), we have integrated other Sungard components with our
enterprise CAS service, and that gives me confidence to say that
Luminis can be made to work similarly.

Based on a brief conversation I had with the project manager on
Sungard/CAS integration here, Ken McCrery, it sounds like a fairly
difficult undertaking in large part due to undocumented functionality:

"[The BEIS handbook] contains a sections on Luminis configuration.
One word of caution is that these documents do not always contain the
entire story. We found over the years that we needed SGHE consultants
to provide some of the finer details to actually make some of these
components work. In other words, I wouldn't get too bogged down
trying to make something work if it doesn't make sense."

While I cannot redistribute the BEIS Handbook Ken mentioned, I'm quite
certain you can get a hold of it. The full title:

BANNER ENTERPRISE IDENTITY SERVICES HANDBOOK
Release 8.1.4

Good luck on your adventure.

M

--
