I’m not very clear on how Single Log out works with CAS server 4.1 and hope for a clear and simple explanation to help resolve an issue i’m having with my client applications.
Currently SSO works fine with my two applications.
Users can login to application A,B and C, A and B are Ruby on Rails applications using ruby-cas client. C is a Java application using acegi security(Now Spring security)
When users logout of application A, they are redirected to CAS server logout view, but are still logged in to application B,C. Same goes for logging out of B,C.
Is SLO for Cas server 4.1 enabled by default?
Does SLO require any special configuration to work on CAS server?
Is there a way to get and store the cas TGT cookie (value of cas cookie)?
Probably not the ideal Solution but it seems to do the job. Using CAS server 4.1
Edit the ticketGrantingTicketCookieGenerator.xml file in the spring-configuration.
Deploy CAS server as ROOT application, to avoid editing InitialFlowSetupAction.java class.
Changing the path of the cas ticket granting ticket with wildcard domain is not recommended for security reasons. In this particular cas to achieve single logout required it.
First create a filter in your application to save cas ticket granting cookie value to your session and on each request checks that the cookie valued saved in your session matches the cookie value from the request, if not invalidate the session and user will be redirected to CAS login, else it's business as usual.
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
c:casCookieValueManager-ref="cookieValueManager"
p:cookieSecure="true"
p:cookieMaxAge="-1"
p:cookieName="TGC"
p:cookieDomain=".example.org"
p:cookiePath="/"/>
Related
I want to automatically authenticate, 'active directory users', which are logged in to their windows, in my applications.
in short, i want SSO for my applications using windows credentials.
**Client is React and back-end is Java 8 and Spring 4.1.2 and Spring Security is 3.2.5.
I already authenticate and search 'active directory users' in my applications, using spring LDAP 3.2.5.
but users should submit their username and password when they use browser.
I have read about 'Integrated Windows Authentication' (IWA), 'Kerberos', 'NTLM'.
should I use NTLM instead of LDAP ???
or, should I use Kerberos ???
or, should I use ADFS ???
should I config anything in active directory for that ???
**I cant config anything in active directory
should I get windows credentials programmatically in react and send it to server and from server I should send that credentials to active directory to verify it ???
I don't know but, should I say any thing in my 'HTTP response' to 'HTTP OPTION Request' to force browser to set windows credentials in next request ??
and, thanks for your time.
There are a couple ways to do this:
Windows Authentication
This is best for the user as it is a seamless login. If the website is trusted, then the browser will automatically send the credentials of the currently-logged-on user to the site.
In this case, the web server (Tomcat in this case) handles the authentication and passes the credentials to the application. If you were using IIS and Windows, the setup would be super easy. But with Tomcat on Linux, it's a little harder. You need to setup kerberos, which requires setting up SPN (Service Principal Name) values on the domain so that your server is trusted on your domain to authenticate. The full instructions for setting this up in Tomcat 8 are here: Windows Authentication How-To
Once that is setup, your website needs to be trusted by the browsers. If your site is recognized as an intranet site, then this should already be true. If not, then your site's domain needs to be added to the Trusted Sites in the Internet Options on the client computers. This can also be done via Group Policy. That will work for IE and Chrome. Firefox uses its own network.negotiate-auth.delegation-uris setting.
Forms Authentication
Another way is to use a login page to ask the user for their username and password, then authenticate them via LDAP in your Java application code. I will assume you know how to setup a login page, so you just need to know how to verify the credentials. You can use the answer here for that code. That answer has the code in a console app, but you can pull out the code that takes the username and password and verifies it.
This is arguably easier to setup, but at the cost to the user.
We have about a dozen internal admin web apps (mostly Java) that employees use for various workflows, and each of them have their own, disparate sign-in/authentication systems. I've been asked to federate them all together under a single sing-on system. I was handed the following diagram to use as a starting point:
As you can see, each app uses a CAS client to connect to a CAS server. This server also has Apache httpd with a Shibboleth plugin (?) configured. This CAS server then communicates with our Active Directory ("AD") server.
I need to make sure I completely understand how these technologies all work together:
What is happening between the CAS server and Apache/Shibboleth?
What is happening between Apache/Shibboleth and the "Trust Store"?
What is being communicated between the CAS server and AD?
What is stored in this SAML2 token being sent back from the CAS server to each CAS client?
How can I, as a Java developer, do with the SAML2 token (or lack thereof if auth fails) to actually sign users in with?
Are there any better technology choices here: if so what are they, and why? Bear in mind that all of these are Java apps, except one of them, which is a C#.NET app.
Here are a few of your answers:
First, let me give you a quick overview of how the interaction between a CAS client and a CAS server normally works: (I am not familiar with the Shibboleth portion, so I am omitting that.)
User hits the application webpage.
application redirects user to CAS.
CAS, using standard cookies and sessions, determines if user is already logged in.
if User is not logged in, CAS displays a login form for the user to provide login credentials. IF the user is already logged in, CAS skips to step #7.
CAS then interacts with the AD to verify that the provided credentials are valid.
if they are, then CAS logs in the user.
then CAS will redirect back to the application, providing a ticket.
The application makes a direct call to CAS to validate the provided ticket.
If the ticket is valid, then CAS returns user information as a response to the request.
The application then creates an authenticated session for the user, potentially looking up user information based on the info provided by CAS, and redirects them wherever is appropriate.
Now for your questions:
CAS and AD : CAS will actually login to AD and use the user provided credentials to find and authenticate the user. If you are using a forest, make sure you use the correct port to log into the Global Catalog, as that is easy to miss.
The contents of the token are not significant, as the standard CAS protocol will send the token back to CAS and retrieve user details in the response.
As a developer, this is actually very little you can do with the token, as it is tied to the application and can only be used once, and, for security reasons, has to be used within a very short amount of time (ie, sent back to CAS to be validated) or it will expire.
If you are doing primarily CAS and you have the ability to do your own CAS clients in your applications, CAS can be a very nice solution. Unfortunately, CAS does not have full SAML2 support, using it's own protocol instead, though CAS's protocol is very similar to the ARTIFACT profile for SAML2. If you want to integrate with other SAML2 clients, some work needs to be done.
Also, if your java applications happen to use Spring, Spring security includes a CAS client out of the box.
It is also pretty easy to write a custom client as you can see that the protocol is not terribly complex.
Also, while it is a bit more work and can be a pain to set up, if your employees already login to your domain via windows, then you can actually piggy back on that and configure CAS to use the windows login information users have already provided rather than prompting users with a login form making them re-enter their windows credentials.
I am building a small Java (servlet) authentication web application that will be running on Tomcat. The application will authenticate a user and then redirect the user to another web application (on a different server). The problem is that after the user authenticates I need to somehow tell Apache that this session is authenticated and that Apache should redirect (using RewriteRules) the http request to the target web application (and not the one for authentication).
According to my research I have 3 options:
1. After authentication success I redirect to a URL that tells Apache that this session is authenticated (using RewriteRules). I can store this information in Cookie (issue: security) or Apache Environment Variables (issue: clearing inactive Environment variables ...).
2. Use a apache mod for storing sessions in to a database. On auth success I update the database with Java app, apache redirects all requests to target URL (issue: DB access load (up to 500 active concurent users)).
3. HTTP tunneling. But this means that every request for target application is going through my authentication application (issue: redundant, slow, ...)
Is there another way to do this?
What would be the best way to do this?
Thanks a bunch.
A few ways of doing this,
If you can afford an enterprise solution, go with Oracle Identity
Management / Oracle Access Management. It will redirect to a login
page, once login is successful and the right cookie has been added,
all future requests will get a header injected in their requests on
the internal side. Your internal app can key in on the header and
confirm that the user has logged in. To do development, you can run
the secure app without OIM/OAM by using Firefox ModifyHeaders
plugin.
If you cannot afford an enterprise solution, go with OpenIAM, it
does the same thing but at a small scale without reporting and high-availability features.
There might be a third of doing this, but I've never tried it, that
would be by using Apache's authentication modules (or a combination
of them), like http://authmemcookie.sourceforge.net/, or
http://httpd.apache.org/docs/trunk/mod/mod_session.html
Good luck!
We have Windows Active Directory, where all users are registered and use to login in Windows.
We have an Apache server configured to use LDAP to authenticate users in that Active Directory. It's setup so that, in PHP, all we have to do is call $_SERVER['REMOTE_USER']. Browser verifies user login in Windows and sends this data to Apache, which talks to LDAP to verify authentication. When LDAP authenticates, that code returns user's login, otherwise it returns null.
This way we can safely and easily authenticate users inside PHP and use their AD login to control access to our softwares. Another advantage is that we don't need a login page and not even have to handle passwords in variables: authentication is handled transparently to users and they are automatically logged to our softwares all the time, and their password never comes into our code.
I'd like to do the same thing with Servlet. I see no reason for it not happen if it works with PHP. But I can't find how to do it. I googled but couldn't find anything. Has anybody done something like that and could point me a way?
Standard authentication with login and password is working in Java. If I have domain, login and password, (that in Servlet would come from a login page) I can authenticate any user.
What you're looking to do is plug a SSO provider into your web app. There are several options, you will have to do your own research into what will work best in your environment. You might want to investigate the following security frameworks, which all enable SSO:
Apache Shiro
Spring Security
JCIFS
There are also commercial products like CA SiteMinder that do the same thing.
the HttpServletRequest object you have in the doGet and doPost methods on the servlet has the equivalent of PHP $_SERVER['REMOTE_USER'], it is called getRemoteUser().
Your post is tagged as Tomcat. You could add a "realm" in tomcat to do the Authentication.
I have no idea how you can not prompt for a password unless you are using some sort of SASL plugin to verify the user against LDAP.
$_SERVER['REMOTE_USER'] implies you are using "HTTP Authentication" header which would (AFIK) require a popup for the credentials. Perhaps this is transparent if only using IE against a Windows server.
There is an example of how to configure tomcat
I've spent the last day or so looking in CAS and have managed to get the server working with a simple test application. When I enter a protected area, I'm redirect to a login page - when I log in, I'm taken back to my previous page.
From there, the next step would be deploy two client applications, log into client A, visit the client B protected area and have the system handle the authentication for me (since I'm already logged into client A).
This isn't actually working however. I have to log into the client B site whether I'm logged into the client A site or not.
CAS is running on Tomcat, client A and B are the same project deployed as separate wars on a single instance of JBoss AS 6.
Any ideas how I can achieve the suggested behavior?
EDIT: Yes, both are using CAS. The issue is that it doesn't seem to be recognizing that the user is already logged in. It's as if the CAS isn't able to determine that there is a 'link' between the two services and that when one service has been authenticated, the other service should be automatically authenticated.
I should note that at this stage, I am not using SSL within the application. I'm focused on getting a simple example up and going using HTTP before I look at introducing SSL.
Both of your applications need to be configured to use the CAS server for authentication. The normal procedure would be that application A redirects you to your CAS login page, lets you log in and redirects you back to A. If you then try to log into B, it checks with the CAs server whether you're already logged in and, if so, sends back information about the logged in user.
Again, both your applications need to support CAS as a login mechanism, which I am not sure about from your description.
Detailed description of the CAS protocol can be found here.
CAS was working without SSL in that it would take you to the login site and authenticate you correctly. The issue was if you tried to access via another site, it would ask you to sign in again.
Once I enabled SSL and tried it, it was working correctly. Once logged into client A, it would automatically authenticate you in client B. I had spent some time on the wiki and while it spoke of the importance of using SSL, I do not recall it explicitly stating that SSO will not work without SSL enabled. Maybe a warning should be added to the wiki?
If you want to focus on your applications and make your life easier, use a cloud provider for the CAS server: http://www.casinthecloud.com (free servers are available for tests).