Hyland Connect

A few points here:

The issue Douglas C. R. Paes‌ refers to relates to the wrighting/alfresco-cas project on github which uses the CAS java filters not mod_auth_cas

CAS itself is widely used, well maintained and stable - trying to use it with Alfresco is, shall we say, interesting...

mod_auth_cas is less well maintained, although better than it was (hence the reason for using the java client) (OS repos are out of date so it works better if you build from source)

wrighting/alfresco-cas can be made to work with 5.2, if you use the ACE-5661 branch, but it requires replacing the share web.xml which is not ideal and is why it hasn't been released as a version (this is done in the amp if you clone the branch and build it) - the master branch/current version will work with 5.1 without changing web.xml

(I haven't done too much testing with 5.2 in general, or this in particular, but I believe it works)

I am aware this is likely to change in the not too distant future but that's the current state of play as I understand it.

Thanks a lot, i will try to make it work then

Hi Ian Wright, here my test with Alfresco 201707GA and CAS Server 3.5.1:

- I cloned  ACE-5661 branch and I maven package generating the share AMP. When applying I checked web.xml is being replaced.

- I edited the /etc/java-cas-client.properties according the instructions in Alfresco server as pointed here --> alfresco-cas/alfresco-cas-share-amp at ACE-5661 · wrighting/alfresco-cas · GitHub 

- I edited alfresco-global.properties for setting external authentication --> Configuring external authentication | Alfresco Documentation 

- I'm not sure if need to change share-config-custom.xml according --> Configuring Alfresco Share to use an external SSO | Alfresco Documentation 

But I got this error in catalina.out when redirecting from cas server.

GRAVE: El Servlet.service() para el servlet [Spring Surf Dispatcher Servlet] en el contexto con ruta [/share] lanzó la excepción [org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server.] con causa raíz
org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server at

org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:98)

.

.

2017-08-30 19:07:12,658 ERROR [alfresco.web.site] [http-apr-8080-exec-10] javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server.
org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server. at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:98)

Am I missing something ? Shoud be used Cas30ServiceTicketValidator instead Cas20ServiceTicketValidator as configured in /etc/java-cas-client.properties ?

Regards.

--C.

Firstly that's a really old CAS version, and is out of support, you should be looking to move to 5.1.x (shouldn't cause any problems though)

You do need to edit share-config-custom.xml (although you can build the amp from source using the local profile and appropriate properties) but it's not getting that far. Ref: alfresco-cas/share-config-custom.xml at master · wrighting/alfresco-cas · GitHub 

That being said I suspect the problem might be in your CAS configuration - my guess is that the CAS client is failing to parse the CAS server response correctly.(could be an error response of some kind)

It doesn't need any special config other than to have the URL matching a registered service (mine is a bit more complicated using the usernameAttributeProvider but again that shouldn't make any difference)

I'd start by looking in the CAS server logs, then if that doesn't help, see if I can look at the incoming CAS response by changing logging config.

Cas30ServiceTicketValidator extends Cas20ServiceTicketValidator so that is why the exception appears to come from an unexpected class.

Thanks for your message and detailed answer @Ian Wright

Yes, it is a quite old CAS for dev and testing purposes. I configured CAS with Alfresco 4.0 and Alfresco 4.2 in the past.  The CAS server logs show that authentication succeeded, the ticket is sent and there are no obvious errors or communication problems. 

Maybe the CAS client jar included in the AMP is too new for this CAS server version. Will be possible to change CAS client version ? 

From your message, I did not understand this part. May you clarify it a little bit more ? 

It doesn't need any special config other than to have the URL matching a registered service (mine is a bit more complicated using the usernameAttributeProvider but again that shouldn't make any difference)

Regards and thanks in advance.

--C.

It should be possible to just change the cas client jar if you want to try that.

We use email address to login but use uid as the alfresco username so CAS is configured to return the uid instead of mail as the principal.

The CAS client github page might help GitHub - apereo/java-cas-client: Apereo Java CAS Client