Alfresco 5.2 SSO-CAS question

cancel
Showing results for 
Search instead for 
Did you mean: 
os_cerna
Active Member

Alfresco 5.2 SSO-CAS question

Hi everyone,

I am writing this because i want to set up external authentication on my Alfresco app, looking on the official 5.2 documentation there's a section that explains a little on how SSO-CAS can be used, however there are no instructions on how to set it up, i say this because on this link Using Alfresco with CAS authentication through Apache mod_auth_cas | Alfresco Documentation  it is explained but is the 5.0 documentation, can i used it? will it work on 5.2?

thanks a lot

9 Replies
douglascrp
Advanced II

Re: Alfresco 5.2 SSO-CAS question

I have not tried CAS with 5.2, but I know about the following project that I used in the past with an older version of Alfresco.

Not working with 5.2 · Issue #3 · wrighting/alfresco-cas · GitHub 

As you can see, the issue says it does not work with 5.2 because of a know bug

arebegea
Member II

Re: Alfresco 5.2 SSO-CAS question

It should work : [ACE-5661] External authentication Problem with CAS - Alfresco JIRA  should have fixed it.

Using CAS is not encouraged, as that authentication scheme is rather unstable, and there are efforts towards implementing other new standards.

idwright
Senior Member

Re: Alfresco 5.2 SSO-CAS question

A few points here:

The issue Douglas C. R. Paes‌ refers to relates to the wrighting/alfresco-cas project on github which uses the CAS java filters not mod_auth_cas

CAS itself is widely used, well maintained and stable - trying to use it with Alfresco is, shall we say, interesting...

mod_auth_cas is less well maintained, although better than it was (hence the reason for using the java client) (OS repos are out of date so it works better if you build from source)

wrighting/alfresco-cas can be made to work with 5.2, if you use the ACE-5661 branch, but it requires replacing the share web.xml which is not ideal and is why it hasn't been released as a version (this is done in the amp if you clone the branch and build it) - the master branch/current version will work with 5.1 without changing web.xml

(I haven't done too much testing with 5.2 in general, or this in particular, but I believe it works)

I am aware this is likely to change in the not too distant future but that's the current state of play as I understand it.

os_cerna
Active Member

Re: Alfresco 5.2 SSO-CAS question

Thanks a lot, i will try to make it work then

cesarista
Customer

Re: Alfresco 5.2 SSO-CAS question

Hi Ian Wright, here my test with Alfresco 201707GA and CAS Server 3.5.1:

 

- I cloned  ACE-5661 branch and I maven package generating the share AMP. When applying I checked web.xml is being replaced.

- I edited the /etc/java-cas-client.properties according the instructions in Alfresco server as pointed here --> alfresco-cas/alfresco-cas-share-amp at ACE-5661 · wrighting/alfresco-cas · GitHub 

- I edited alfresco-global.properties for setting external authentication --> Configuring external authentication | Alfresco Documentation 

- I'm not sure if need to change share-config-custom.xml according --> Configuring Alfresco Share to use an external SSO | Alfresco Documentation 

But I got this error in catalina.out when redirecting from cas server.

GRAVE: El Servlet.service() para el servlet [Spring Surf Dispatcher Servlet] en el contexto con ruta [/share] lanzó la excepción [org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server.] con causa raíz
org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server at

org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:98)

.

.

2017-08-30 19:07:12,658 ERROR [alfresco.web.site] [http-apr-8080-exec-10] javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server.
org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server. at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:98)

Am I missing something ? Shoud be used Cas30ServiceTicketValidator instead Cas20ServiceTicketValidator as configured in /etc/java-cas-client.properties ?

Regards.

--C.

idwright
Senior Member

Re: Alfresco 5.2 SSO-CAS question

Firstly that's a really old CAS version, and is out of support, you should be looking to move to 5.1.x (shouldn't cause any problems though)

You do need to edit share-config-custom.xml (although you can build the amp from source using the local profile and appropriate properties) but it's not getting that far. Ref: alfresco-cas/share-config-custom.xml at master · wrighting/alfresco-cas · GitHub 

That being said I suspect the problem might be in your CAS configuration - my guess is that the CAS client is failing to parse the CAS server response correctly.(could be an error response of some kind)

It doesn't need any special config other than to have the URL matching a registered service (mine is a bit more complicated using the usernameAttributeProvider but again that shouldn't make any difference)

I'd start by looking in the CAS server logs, then if that doesn't help, see if I can look at the incoming CAS response by changing logging config.

Cas30ServiceTicketValidator extends Cas20ServiceTicketValidator so that is why the exception appears to come from an unexpected class.

cesarista
Customer

Re: Alfresco 5.2 SSO-CAS question

Thanks for your message and detailed answer @Ian Wright

Yes, it is a quite old CAS for dev and testing purposes. I configured CAS with Alfresco 4.0 and Alfresco 4.2 in the past.  The CAS server logs show that authentication succeeded, the ticket is sent and there are no obvious errors or communication problems. 

Maybe the CAS client jar included in the AMP is too new for this CAS server version. Will be possible to change CAS client version ? 

From your message, I did not understand this part. May you clarify it a little bit more ? 

It doesn't need any special config other than to have the URL matching a registered service (mine is a bit more complicated using the usernameAttributeProvider but again that shouldn't make any difference)

Regards and thanks in advance.

--C.

idwright
Senior Member

Re: Alfresco 5.2 SSO-CAS question

It should be possible to just change the cas client jar if you want to try that.

We use email address to login but use uid as the alfresco username so CAS is configured to return the uid instead of mail as the principal.

The CAS client github page might help GitHub - apereo/java-cas-client: Apereo Java CAS Client 

pcharsle
Active Member II

Re: Alfresco 5.2 SSO-CAS question

We use mod_auth_cas. We've just upgraded from 5.1.3 to 5.2.3. We followed the instructions at Using Alfresco with CAS authentication through Apache mod_auth_cas | Alfresco Documentation .

We use the Apereo CAS 5.2.4 server and have found it to be reliable.