topic Re: Alfresco 5.2 SSO-CAS question in Alfresco Forum

Alfresco 5.2 SSO-CAS question

os_cerna — Tue, 22 Aug 2017 18:43:01 GMT

Hi everyone,I am writing this because i want to set up external authentication on my Alfresco app, looking on the official 5.2 documentation there's a section that explains a little on how SSO-CAS can be used, however there are no instructions on how to set it up, i say this because on this link Usi

Re: Alfresco 5.2 SSO-CAS question

douglascrp — Wed, 23 Aug 2017 01:03:41 GMT

I have not tried CAS with 5.2, but I know about the following project that I used in the past with an older version of Alfresco.

Not working with 5.2 · Issue #3 · wrighting/alfresco-cas · GitHub

As you can see, the issue says it does not work with 5.2 because of a know bug

Re: Alfresco 5.2 SSO-CAS question

arebegea — Wed, 23 Aug 2017 10:01:31 GMT

It should work : [ACE-5661] External authentication Problem with CAS - Alfresco JIRA should have fixed it.

Using CAS is not encouraged, as that authentication scheme is rather unstable, and there are efforts towards implementing other new standards.

Re: Alfresco 5.2 SSO-CAS question

idwright — Thu, 24 Aug 2017 12:33:33 GMT

A few points here:

The issue Douglas C. R. Paes‌ refers to relates to the wrighting/alfresco-cas project on github which uses the CAS java filters not mod_auth_cas

CAS itself is widely used, well maintained and stable - trying to use it with Alfresco is, shall we say, interesting...

mod_auth_cas is less well maintained, although better than it was (hence the reason for using the java client) (OS repos are out of date so it works better if you build from source)

wrighting/alfresco-cas can be made to work with 5.2, if you use the ACE-5661 branch, but it requires replacing the share web.xml which is not ideal and is why it hasn't been released as a version (this is done in the amp if you clone the branch and build it) - the master branch/current version will work with 5.1 without changing web.xml

(I haven't done too much testing with 5.2 in general, or this in particular, but I believe it works)

I am aware this is likely to change in the not too distant future but that's the current state of play as I understand it.

Re: Alfresco 5.2 SSO-CAS question

os_cerna — Thu, 24 Aug 2017 15:32:36 GMT

Thanks a lot, i will try to make it work then

Re: Alfresco 5.2 SSO-CAS question

cesarista — Wed, 30 Aug 2017 17:20:05 GMT

Hi Ian Wright, here my test with Alfresco 201707GA and CAS Server 3.5.1:

- I cloned ACE-5661 branch and I maven package generating the share AMP. When applying I checked web.xml is being replaced.

- I edited the /etc/java-cas-client.properties according the instructions in Alfresco server as pointed here --> alfresco-cas/alfresco-cas-share-amp at ACE-5661 · wrighting/alfresco-cas · GitHub

- I edited alfresco-global.properties for setting external authentication --> Configuring external authentication | Alfresco Documentation

- I'm not sure if need to change share-config-custom.xml according --> Configuring Alfresco Share to use an external SSO | Alfresco Documentation

But I got this error in catalina.out when redirecting from cas server.

GRAVE: El Servlet.service() para el servlet [Spring Surf Dispatcher Servlet] en el contexto con ruta [/share] lanzó la excepción [org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server.] con causa raíz
org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server at
org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:98)
.
.
2017-08-30 19:07:12,658 ERROR [alfresco.web.site] [http-apr-8080-exec-10] javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server.
org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server. at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:98)

Am I missing something ? Shoud be used Cas30ServiceTicketValidator instead Cas20ServiceTicketValidator as configured in /etc/java-cas-client.properties ?

Regards.

--C.

Re: Alfresco 5.2 SSO-CAS question

idwright — Thu, 31 Aug 2017 07:42:00 GMT

Firstly that's a really old CAS version, and is out of support, you should be looking to move to 5.1.x (shouldn't cause any problems though)

You do need to edit share-config-custom.xml (although you can build the amp from source using the local profile and appropriate properties) but it's not getting that far. Ref: alfresco-cas/share-config-custom.xml at master · wrighting/alfresco-cas · GitHub

That being said I suspect the problem might be in your CAS configuration - my guess is that the CAS client is failing to parse the CAS server response correctly.(could be an error response of some kind)

It doesn't need any special config other than to have the URL matching a registered service (mine is a bit more complicated using the usernameAttributeProvider but again that shouldn't make any difference)

I'd start by looking in the CAS server logs, then if that doesn't help, see if I can look at the incoming CAS response by changing logging config.

Cas30ServiceTicketValidator extends Cas20ServiceTicketValidator so that is why the exception appears to come from an unexpected class.

Re: Alfresco 5.2 SSO-CAS question

cesarista — Thu, 31 Aug 2017 08:26:07 GMT

Thanks for your message and detailed answer @Ian Wright

Yes, it is a quite old CAS for dev and testing purposes. I configured CAS with Alfresco 4.0 and Alfresco 4.2 in the past. The CAS server logs show that authentication succeeded, the ticket is sent and there are no obvious errors or communication problems.

Maybe the CAS client jar included in the AMP is too new for this CAS server version. Will be possible to change CAS client version ?

From your message, I did not understand this part. May you clarify it a little bit more ?

It doesn't need any special config other than to have the URL matching a registered service (mine is a bit more complicated using the usernameAttributeProvider but again that shouldn't make any difference)

Regards and thanks in advance.

--C.

Re: Alfresco 5.2 SSO-CAS question

idwright — Thu, 31 Aug 2017 08:32:33 GMT

It should be possible to just change the cas client jar if you want to try that.

We use email address to login but use uid as the alfresco username so CAS is configured to return the uid instead of mail as the principal.

The CAS client github page might help GitHub - apereo/java-cas-client: Apereo Java CAS Client

Re: Alfresco 5.2 SSO-CAS question

pcharsle — Mon, 28 May 2018 03:59:41 GMT

We use mod_auth_cas. We've just upgraded from 5.1.3 to 5.2.3. We followed the instructions at Using Alfresco with CAS authentication through Apache mod_auth_cas | Alfresco Documentation .

We use the Apereo CAS 5.2.4 server and have found it to be reliable.