Active Directory integration: step-by-step


Thiago Lima

Dec 10, 2014, 7:26:50 AM12/10/14
to pac4j...@googlegroups.com
I'm familiar with some AD concepts, but not all of them. Is there any walkthrough about setting up an AD server and integrating PAC4J authentication with it?


Thanks in advance.

Michaël REMOND

Dec 10, 2014, 9:50:19 AM12/10/14
to Thiago Lima, pac4j...@googlegroups.com
Hello,

Can you explain a little bit what you want to do? 

Do you want to authenticate your users by doing an LDAP bind from pac4j? Then you have to use some credentials collector like a login form hosted on your web application and implement the org.pac4j.http.credentials.UsernamePasswordAuthenticator by delegating to an LDAP API.

Do you want to set up an ADFS configuration and use SAML? Then look at the https://github.com/pac4j/pac4j/blob/master/README-ADFS.txt file and the SAML example in one of our demos.

Regards,

Michaël 

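The LDAP-bind route described in the reply above, as an added example that is not code from this thread or from the pac4j project: a plain JNDI class that binds to Active Directory with the credentials the login form collected and, on success, returns the user's group DNs for later authorization. The LDAP URL, UPN suffix and base DN are assumed values; the pac4j-side wiring (a `UsernamePasswordAuthenticator` whose `validate` method delegates to the `validate(username, password)` method here) is also an assumption and is not shown.

```java
// Added example, not part of the pac4j project: LDAP bind against Active Directory via JNDI.
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AdBindAuthenticator {

    private final String ldapUrl;  // assumed, e.g. "ldaps://dc01.example.test:636"; ldaps keeps the password off the wire
    private final String domain;   // assumed UPN suffix, e.g. "example.test"
    private final String baseDn;   // assumed search base, e.g. "DC=example,DC=test"

    public AdBindAuthenticator(String ldapUrl, String domain, String baseDn) {
        this.ldapUrl = ldapUrl;
        this.domain = domain;
        this.baseDn = baseDn;
    }

    /** Binds as the user; returns the user's group DNs, or throws if the credentials are rejected. */
    public List<String> validate(String username, String password) throws NamingException {
        // An empty password must never reach the directory: RFC 4513 allows a simple bind
        // with a name and an empty password to be treated as an anonymous ("unauthenticated")
        // bind that succeeds, which would log anybody in as that user.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            throw new AuthenticationException("username and password are required");
        }
        // Restrict the login name to a conservative sAMAccountName character set (a design
        // choice of this example) so no DN or filter metacharacters enter the bind principal.
        if (!username.matches("[A-Za-z0-9._-]{1,64}")) {
            throw new AuthenticationException("malformed username");
        }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, username + "@" + domain); // AD accepts a UPN as the bind name
        env.put(Context.SECURITY_CREDENTIALS, password);

        // The bind happens here; bad credentials surface as javax.naming.AuthenticationException.
        DirContext ctx = new InitialDirContext(env);
        try {
            return lookupGroups(ctx, username);
        } finally {
            ctx.close();
        }
    }

    private List<String> lookupGroups(DirContext ctx, String username) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"memberOf"});
        // {0} is substituted by JNDI with RFC 4515 filter escaping applied, so the value
        // cannot change the structure of the filter.
        String filter = "(&(objectClass=user)(sAMAccountName={0}))";
        NamingEnumeration<SearchResult> results =
                ctx.search(baseDn, filter, new Object[] {username}, sc);

        List<String> groups = new ArrayList<>();
        if (results.hasMore()) {
            Attribute memberOf = results.next().getAttributes().get("memberOf");
            if (memberOf != null) {
                NamingEnumeration<?> values = memberOf.getAll();
                while (values.hasMore()) {
                    groups.add(String.valueOf(values.next()));
                }
            }
        }
        return groups;
    }
}
```

The two checks before the bind are the part worth keeping whatever LDAP library ends up being used: rejecting an empty password closes the unauthenticated-bind path, and binding as the user (rather than as a service account that then compares passwords) means the directory itself decides whether the credentials are valid.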

Thiago Lima

Dec 10, 2014, 10:33:15 AM12/10/14
to Michaël REMOND, pac4j...@googlegroups.com
Hello, Michael.

I understand a bit about LDAP repositories, but know nothing about SAML.

My client's requirement is to log in to the webapp without using any username/password, considering that the user will already be authenticated in some Active Directory domain (the regular Windows login process). We have some time constraints, so maybe I can convince him to just authenticate against the AD (as in LDAP), but the original requirement is the one described a little above.

Thanks for any help,

Thiago Lima
Founder @ Beagle Tech
+55 81 98333821

Michaël REMOND

Dec 10, 2014, 11:25:33 AM12/10/14
to Thiago Lima, pac4j...@googlegroups.com
Ok, I think your customer means Kerberos/SPNEGO authentication. This requires a little set-up but unfortunately pac4j currently does not support this authentication mechanism.

This is a frequently asked question in the Java world. If you use Tomcat for example, you can directly integrate SPNEGO in it http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html.

But I think you are using Play; I found this project https://github.com/SlyngDK/play-module-ad-sso but maybe you have better solutions.

If you already use pac4j you can even submit a PR if you do some coding :-)

Good luck

Michaël

Thiago Lima

Dec 31, 2014, 2:40:47 PM12/31/14
to pac4j...@googlegroups.com, thiag...@beagletech.com.br
Michael,

I managed to configure Apache as an SPNEGO authentication handler + Proxy to my Play app, but I still need to figure out how to tell PAC4J that the user is authenticated. While fighting this battle, I read a lot of references from PAC4J to CAS, which so far seems to support SPNEGO.

My requirements are not only to do authentication using the Active Directory user base, but also authorization, by restricting access to the app by a couple of user groups. Later, I'll need to know to which group the user belongs, so that I can apply more refined permission rules to my Play controllers and views.

So, before diving deeper into CAS, building/configuring a server, etc, I'd like to know if I'll be able to fulfill all my requirements or, if not all of them, to which extent.

Thanks in advance.

And happy new year to everybody! :)

Michaël REMOND

Jan 2, 2015, 5:06:13 AM1/2/15
to Thiago Lima, Jérôme LELEU, pac4j...@googlegroups.com
Hello Thiago,

Nice to hear from you again.
Using Apache as an authenticating reverse proxy can indeed be a solution, but it seems the project is rather old. What did your research tell you?

Using CAS as an authentication entrypoint is probably a better option. The authorization management can be handled by the fact that CAS can send user attributes in its validation response. Then what you can do is parse the groups the user belongs to and manage authorization in your application. You are in luck: pac4j already has the concept of authorization. What we are missing today is the part that translates the CAS response into pac4j authorization, but this is not difficult and we could develop this functionality with your help (Jérôme, what do you think?).

Best regards and happy new year to you

Michaël

Jérôme LELEU

Jan 5, 2015, 4:19:01 AM1/5/15
to Michaël REMOND, Thiago Lima, pac4j...@googlegroups.com
Hi,

Indeed, pac4j manages authorizations and the pac4j-cas client will be able to get user attributes.

As recommended by Michaël, the only thing you would need is to create the right AuthorizationGenerator to compute the appropriate roles from the user attributes.

Best regards,


Jérôme LELEU
Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org
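The attribute-to-role step that both replies above describe (parse the groups CAS returns in its validation response, then derive application roles from them), as an added example that is not code from this thread or from pac4j. It takes the values of a `memberOf`-style attribute (AD group DNs), extracts each group's CN, and maps it through an allowlist, so membership in a group that is not listed confers nothing. The group names, role names and sample DNs are constructed for the example; in the pac4j 1.x API of the time an `AuthorizationGenerator` implementation would call this mapper from its `generate(profile)` method and add each returned role to the profile, which is assumed here and not shown.

```java
// Added example, not part of pac4j: map AD group DNs from a CAS attribute to application roles.
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class AdGroupRoleMapper {

    // Allowlist of group CN -> role. Only groups named here grant a role (least privilege);
    // lookups are case-insensitive because AD group names are.
    private final Map<String, String> groupToRole = new HashMap<>();

    public AdGroupRoleMapper(Map<String, String> mapping) {
        for (Map.Entry<String, String> e : mapping.entrySet()) {
            groupToRole.put(e.getKey().toLowerCase(Locale.ROOT), e.getValue());
        }
    }

    /**
     * Returns the CN of a group DN such as "CN=App Admins,OU=Groups,DC=example,DC=test",
     * honouring backslash-escaped commas inside the value, or null if the DN does not start with CN=.
     */
    static String commonName(String dn) {
        if (dn == null || !dn.regionMatches(true, 0, "CN=", 0, 3)) {
            return null;
        }
        StringBuilder cn = new StringBuilder();
        for (int i = 3; i < dn.length(); i++) {
            char c = dn.charAt(i);
            if (c == '\\' && i + 1 < dn.length()) {   // escaped character: keep the next char literally
                cn.append(dn.charAt(++i));
                continue;
            }
            if (c == ',') {                            // end of the first RDN
                break;
            }
            cn.append(c);
        }
        return cn.toString();
    }

    /** Derives the set of roles for a user from the group DNs in the memberOf attribute. */
    public Set<String> rolesFor(Collection<String> memberOf) {
        Set<String> roles = new TreeSet<>();
        if (memberOf == null) {
            return roles;                              // no attribute => no roles
        }
        for (String dn : memberOf) {
            String cn = commonName(dn);
            if (cn == null) {
                continue;                              // not a group DN; ignore
            }
            String role = groupToRole.get(cn.toLowerCase(Locale.ROOT));
            if (role != null) {
                roles.add(role);
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        Map<String, String> mapping = new HashMap<>();
        mapping.put("App Admins", "ROLE_ADMIN");
        mapping.put("App Users", "ROLE_USER");
        AdGroupRoleMapper mapper = new AdGroupRoleMapper(mapping);

        // Constructed sample of what a memberOf attribute in a CAS validation response might hold.
        List<String> memberOf = Arrays.asList(
                "CN=App Users,OU=Groups,DC=example,DC=test",
                "CN=Domain Users,CN=Users,DC=example,DC=test",
                "CN=Smith\\, John Team,OU=Groups,DC=example,DC=test");
        System.out.println(mapper.rolesFor(memberOf));
    }
}
```

One thing to watch when wiring this into a profile: CAS attribute values may arrive as a single string when the user is in exactly one group and as a list otherwise, so the caller should normalise the attribute to a collection before passing it in. Driving roles from an explicit allowlist rather than from every group name also means that a new or renamed AD group cannot silently grant access in the application.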