Casshib and Liferay


Martin Haase

Sep 23, 2010, 4:09:03 AM9/23/10
to casshib, lim...@gmail.com
Hi!

banging my head why this won't work: I try to protect the Liferay
portal with a Casshib server. I think I did all the configuration
steps described on the casshib site for casshib, Apache, Tomcat,
Shibboleth SP and IdP, and the application. However, I only get as
far as authenticating at the IdP, and then the CAS server complains:

"Application Not Authorized to Use CAS" with the URL
https://host.tld/casshib/shib/liferay/login?service=https%3A%2F%2Fhost.tld%2Fc%2Fportal%2Flogin

And now I'm stuck. Before posting the relevant configurations
snippets, some remarks:

* I do not use mod_jk but mod_proxy_ajp; however, it should work
similarly. I also checked that mounting / unmounting specific URL
paths works.

* I put casshib into the tomcat container Liferay provides. A mistake?

* Liferay seems to want to be sitting at the root of the tomcat
container, so I proxied Apache's root to Tomcat's root with the
unmount exceptions as specified at the cassib site

* I am unsure as to what to enter as the id element in
casshib-service-registrations.xml:
- in the documentation on the casshib site it says: "The id value
must match the service entityID in the Shibboleth metadata file", i.e.
something like https://host.tld/casshib/liferay
- in the file it says it is the URL CAS will redirect to after login
- or, the application's 'home' page
- or, it must match the serviceId parameter that CAS clients pass
in ...
These seem to be four contradicting instructions to me.

* Liferay seems to have many paths, all candidates for the id element:
- the root, https://host.tld/, as done below
- /c/portal/login, the URL Liferay redirects to for a login /web/guest (this I tried, too)
- /web/guest
- /web/guest/home
- /de/web/guest
- /de/web/guest/home
- /de/user/*/home
And I also tried configuring all of them...

* Liferay uses the JA-SIG cas.client.jar version 3.1.9

Any help is highly appreciated.
Best regards,
Martin

The config snippets follow:
----------------------------------------------------------------------
Liferay CAS Config:

Login URL https://host.tld/casshib/shib/liferay/login
Logout URL https://host.tld/casshib/shib/liferay/logout
Server Name https://host.tld
Server URL https://host.tld/casshib/shib/12345
Service URL https://host.tld/c/portal/login

----------------------------------------------------------------------
Casshib config (casshib-service-registrations.xml):

<service id="https://host.tld" appname="liferay" passcode="12345" />

----------------------------------------------------------------------
Apache config (using mod_proxy_ajp):

# these paths should not be proxied, see apache documentation for mod_proxy
ProxyPass /casshib/shib/liferay/Shibboleth.sso/*/*/* !
ProxyPass /casshib/shib/liferay/Shibboleth.sso/*/* !
ProxyPass /casshib/shib/liferay/Shibboleth.sso/* !
ProxyPass /casshib/shib/liferay/Shibboleth.sso !
# ...and the rest goes to Tomcat
ProxyPass / ajp://localhost:8009/ retry=5

[...]

UseCanonicalName On
<Location /casshib/shib/*/login>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid-user
</Location>
<Location /casshib/shib/*/Shibboleth.sso>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid-user
</Location>
<Location /casshib/shib/*/Shibboleth.sso/*>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid-user
</Location>

----------------------------------------------------------------------
Shibboleth config:
<Host name="host.tld" port="443" scheme="https">
<PathRegex regex="casshib/shib/liferay"
applicationId="liferay" authType="shibboleth" requireSession="true"/>
</Host>
[...]
<ApplicationOverride id="liferay" entityID="https://host.tld"
REMOTE_USER="shibattr-targeted-id" ...>
<Sessions handlerURL="/casshib/shib/liferay/Shibboleth.sso"
cookieProps="; path=/casshib/shib/liferay" [...]>
[...]
----------------------------------------------------------------------
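The "Application Not Authorized to Use CAS" error above comes down to whether the decoded service= parameter Liferay appends to the login URL matches an id in casshib-service-registrations.xml. The following check is an added example, not code from the thread or from casshib; it assumes casshib authorizes on an exact string match of id against the decoded service value, and it classifies the near-misses (registered id is only a prefix, trailing slash, case) that this thread runs into. The XML and login URL are constructed from the values quoted in the post.

```python
"""Added example (not from the thread or from casshib): check that the
service URL a CAS client sends matches a casshib service registration.

Assumption: casshib authorizes a service when the decoded `service=`
parameter of the login request is exactly equal to the `id` attribute
of a <service> element in casshib-service-registrations.xml."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed from the registration line quoted in the post.
REGISTRATIONS_XML = """<services>
  <service id="https://host.tld" appname="liferay" passcode="12345" />
</services>"""

# Constructed from the URL shown in the CAS error page.
LOGIN_URL = ("https://host.tld/casshib/shib/liferay/login"
             "?service=https%3A%2F%2Fhost.tld%2Fc%2Fportal%2Flogin")


def registered_services(xml_text):
    """Return {id: appname} for every <service> element in the file."""
    root = ET.fromstring(xml_text)
    return {s.get("id"): s.get("appname") for s in root.iter("service")}


def requested_service(login_url):
    """Decode the service= parameter the CAS client appended."""
    query = parse_qs(urlsplit(login_url).query)
    return query["service"][0]


def check_registration(login_url, xml_text):
    """Return ('authorized', appname) on an exact id match, otherwise a
    hint about the closest registered id and why it does not match."""
    svc = requested_service(login_url)
    ids = registered_services(xml_text)
    if svc in ids:
        return "authorized", ids[svc]
    for rid in ids:
        if svc.rstrip("/") == rid.rstrip("/"):
            return "trailing-slash mismatch", rid
        if svc.lower() == rid.lower():
            return "case mismatch", rid
        if svc.startswith(rid):
            return "only a prefix of the service is registered", rid
    return "not registered", None


if __name__ == "__main__":
    print(check_registration(LOGIN_URL, REGISTRATIONS_XML))
```

With the registration as posted, the check reports that only a prefix of the service is registered; registering the full service URL (or the trailing-slash variant used in the follow-up, on both sides) yields "authorized".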

Martin Haase

Oct 1, 2010, 11:59:32 AM10/1/10
to casshib, lim...@gmail.com
Hi List,

just a follow-up to the things I described previously, with more insights.

First, I separated Liferay and casshib into two independent containers,
which turned out to be a good idea.

Using mod_jk instead of mod_proxy_ajp didn't make a difference.

I now use https://host.tld/c/portal/login/ (note the trailing slash) both
as id in casshib-service-registrations.xml and as Service URL in
Liferay's CAS config.

However, after authenticating at the IdP, the browser returns to
https://host.tld/web/guest/home, which shows an anonymous welcome page,
not a personalized one. Why is this? I suspect this is because the
attribute transport from the SP via casshib to Liferay is broken.

I tried to prove this using casshib's provided demo application instead
of Liferay, and it turns out that no user attributes except REMOTE_USER
are picked up from the SP. Could someone please verify that this is the
case?

Cheers,
Martin

--
-----------------------------------------------------------------------
Dr. Martin Haase
DAASI International GmbH phone: +49 7071 407109-6
Europaplatz 3 Fax : +49 7071 407109-9
D-72072 Tübingen email: Martin...@DAASI.de
Germany Web : http://www.daasi.de

Directory Applications for Advanced Security and Information Management
-----------------------------------------------------------------------


Martin Haase

Oct 4, 2010, 11:53:11 AM10/4/10
to casshib, Chivleng Tony Lim
Hi Tony,

thanks for your mail. Actually, I'd missed the user attributes, expecting them higher up on that page. Now I found them, down at the bottom.

However, for the record, Liferay does not seem to be able (yet) to extract those attributes from CAS (and hence Casshib) and use them to create new users. It still (in v6.0.5) needs a specific LDAP to import them from, which of course does not make much sense in the context of a federation.

Another thing, for the mailing list record, if you happen to build casshib.war using Maven, there's a missing dependency in pom.xml in the 3.4.2a bundle. You need to insert the following there before building:

<!-- added support for PrincipalBearingCredentialsAuthenticationHandler -->
<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-support-trusted</artifactId>
    <version>${cas.version}</version>
</dependency>
Cheers,
Martin


Am 01.10.2010 19:18, schrieb Chivleng Tony Lim:
All my attributes come up fine.  Remember to put the prefix in front of your variables.
--
"The truth is incontrovertible, malice may attack it, ignorance may deride it, but in the end; there it is."

Jonathan Dray

Oct 5, 2010, 8:18:30 PM10/5/10
to casshib
Hi Martin,

I'm working in a French company called "Social Computing" with Denis
Ah-Kang.
We are trying to make Liferay communicate with a SAML2 IdP and
casshib.
We followed the online documentation and we came to the same conclusions.

After authenticating at the IdP, the browser returns to
https://host.tld/web/guest/home which shows the anonymous welcome
page.
All the attributes are mapped between the IdP and the Shibboleth SP
and then between the Shibboleth SP and casshib. We dumped the HTTP
header content in casshib to be sure that all the values were properly
populated.

So now we have an issue with Liferay and we don't really understand
the behaviour here.
We have a few questions:

* Is the LDAP server mandatory in order to make casshib work with
Liferay?
(It shouldn't be with federation SSO as the idp already handles
the authentication part and returns all the necessary attributes.
Liferay should be able to create users if they don't exist yet without
casshib help)

* What happens if a user that does not exist in Liferay successfully
logs in at the IdP?
- Does Liferay try to create the user in its internal database?

* How could we get more information on what happens in Liferay?
We tried to switch the Liferay log level to DEBUG for several
components but still didn't find anything useful. Did you manage to
trace the communication between casshib and Liferay?


Many thanks.
Regards,

Jonathan Dray
Social Computing
jona...@social-computing.com


Martin Haase

Oct 6, 2010, 3:55:08 AM10/6/10
to cas...@googlegroups.com, Peter Gietz
Hi Jonathan,

comments inline.

Am 06.10.2010 02:18, schrieb Jonathan Dray:
> Hi Martin,
>
> I'm working in a french company called "Social Computing" with Denis
> Ah-Kang.
> We are trying to make Liferay communicate with a saml2 idp and
> casshib.
> We followed online documentation and we came to the same conclusions.
>
> After authenticating at the IdP, the browser returns to
> https://host.tld/web/guest/home which shows the anonymous welcome
> page.
> All the attributes are mapped between the idp and the shibboleth sp
> and then between the Shibboleth SP and casshib. We dumped the HTTP
> header content in casshib to be sure that all the values were properly
> populated.
>
> So now we have an issue with Liferay and we don't really understand
> the behaviour here.
> We have a few questions :
>
> * Is the LDAP server mandatory in order to make casshib work with
> Liferay?
> (It shouldn't be with federation SSO as the idp already handles
> the authentication part and returns all the necessary attributes.
> Liferay should be able to create users if they don't exist yet without
> casshib help)
>

You are right here. It's the CAS module in Liferay that's unable to pick
up the attributes. They seem to be working on it, see this thread:
http://www.liferay.com/community/forums/-/message_boards/message/1758457#_19_message_1944966
...however, they haven't integrated the proposed solution in the 6.0.x
branch yet.

> * What happens if a user that does not exist in Liferay successfully
> logs in at the IdP?
> - Does Liferay try to create the user in its internal database?
>

This is the point. Tony Lim wrote to me: "Liferay has a
pre-authentication and post-authentication module. You can use that to
create users from CAS." I haven't tried that yet, as my task was just to
evaluate Liferay-Shib integration, not building/programming a solution.

> * How could we get more information on what happens in Liferay?
> We tried to switch the Liferay log level to DEBUG for several
> components but still didn't find anything useful. Did you manage to
> trace the communication between casshib and Liferay?
>

Logging is poor in Liferay, I also didn't find anything sensible. What I
did was to ensure casshib's demo application gets the attributes, to be
sure the whole configuration was working and it was just Liferay being
unable to pick up the attributes.

Regards,
Martin

PS. Are you aware of the various ShibbolethAutoLogin.java modules
floating around on the Web? If you are willing to program a solution,
these might serve as a starting point.

