Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] SSO integration - grouper 2.3.0

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] SSO integration - grouper 2.3.0


Chronological Thread 
  • From: Travis Schmidt <>
  • To: "Hyzer, Chris" <>, Jeff McCullough <>
  • Cc: Gouper Users List <>
  • Subject: Re: [grouper-users] SSO integration - grouper 2.3.0
  • Date: Wed, 24 Aug 2016 18:28:11 +0000
  • Ironport-phdr: 9a23:JgwNXhKNM++hkOrngdmcpTZWNBhigK39O0sv0rFitYgULvvxwZ3uMQTl6Ol3ixeRBMOAtKIC1rGd6v2ocFdDyKjCmUhKSIZLWR4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TWapAQfERTnNAdzOv+9WsuL15z2hKiO/MiZQxRaiSD5KZhyNhSt502Fs8IWkJlvMI4w0RCPv2NFfeIQyG91cxbbvRvy6I+V97V+9yBXpv0hv5pCXKv0eq8QR7FCDzkiPnFz6cH240rtVwyKs0cGW3sXiVJzCAjA7R3mFsPtqCLkt/E7wyKaOMz6UZg7XD2j6+FgTxq+23RPDCIw7GyC0p84t6lcuh/04kUnm4M=

I was able to get this to work by using the Tomcat integration on the Java CAS Client:


The context definition for Tomcat looks like this:

        <Context docBase="/ucd/opt/grouper-ui/dist/grouper" path="/grouper"
                  reloadable="false"
                  mapperContextRootRedirectEnabled="true"
                  mapperDirectoryRedirectEnabled="true">
          <Realm
             className="org.jasig.cas.client.tomcat.v7.PropertiesCasRealm"
             propertiesFilePath="/etc/tomcat/grouper-users.properties"
          />
          <Valve
            className="org.jasig.cas.client.tomcat.v7.Cas20CasAuthenticator"
            encoding="UTF-8"
            casServerLoginUrl="https://CAS_SERVER/cas/login"
            casServerUrlPrefix="https://CAS_SERVER/cas/"
            serverName="GROUPER_SERVER"
          />

          <!-- Single sign-out support -->
          <Valve
            className="org.jasig.cas.client.tomcat.v7.SingleSignOutValve"
            artifactParameterName="SAMLart"
          />

       </Context>

I didn't need to alter anything in the Grouper UI itself, just need to make sure that the logged in user was searchable by a source.



On Wed, Aug 24, 2016 at 11:12 AM Hyzer, Chris <> wrote:

Is anyone using CAS with Grouper 2.3?  How was it configured?

 

Do we need a servlet filter?

 

https://wiki.jasig.org/display/casc/configuring+the+jasig+cas+client+for+java+in+the+web.xml

 

Thanks

chris

 

 

 

From: Jeff McCullough [mailto:]
Sent: Tuesday, August 23, 2016 3:23 PM


To: Hyzer, Chris <>
Cc: Gouper Users List <>
Subject: Re: [grouper-users] SSO integration - grouper 2.3.0

 

Yes, it doesn’t look like it doesn’t have an effect. 

 

Remote_user in index.jsp. This is the part that displays the username from REMOTE_USER. 

 

<body.

<dl>

        <dt>Your user name:</dt>

        <dd><%= request.getRemoteUser()== null ? "null" : request.getRemoteUser() %></dd>

</dl>

</body>







It is the same call in the index.jsp in the grouper UI root directory.



if(request.getRemoteUser()==null || "y".equals(request.getParameter("badRole"))) {

        location="populateIndex.do";

}else{

        location="home.do";

}%>



Jeff



On Aug 22, 2016, at 8:29 PM, Hyzer, Chris <> wrote:

 

Ok, I need that setting when I do authn with apache, maybe you don’t need it.

 

How do you display REMOTE_USER in jsp exactly?

 

Thanks,

Chris

 

From: Jeff McCullough [] 
Sent: Monday, August 22, 2016 8:47 PM
To: Hyzer, Chris <>
Cc: Gouper Users List <>
Subject: Re: [grouper-users] SSO integration - grouper 2.3.0

 

Hi Chris,

 

For the grouper.ui.authentication.http.header parameter, I tried no value, $REMOTE_USER and REMOTE_USER. None of these changed the error behavior.

 

Tomcat server.xml doesn’t have that or any similar setting. 

 

For diagnostics of tomcat/CAS, I installed a small cas-client app that reads/displays REMOTE_USER via a request.getRemoteUser() call. It works as expected. 

 

Do you have any other ideas?

 

Thanks,

Jeff

 

On Aug 20, 2016, at 7:33 AM, Hyzer, Chris <> wrote:

 

Is it $REMOTE_USER or just REMOTE_USER?   I don’t think you need to change that setting as you said…  but try editing it. 

 

Do you have tomcat server.xml setting:

 

<Connector port="8552" protocol="AJP/1.3" connectionTimeout="600000" request.tomcatAuthentication="false"

      URIEncoding="UTF-8" />

 

Or whatever the tomcat authn setting for your version is…

 

Thanks

Chris

 

From:  [] On Behalf Of Jeff McCullough
Sent: Friday, August 19, 2016 10:35 PM
To: Gouper Users List <>
Subject: [grouper-users] SSO integration - grouper 2.3.0

 

Hi all,

 

I’ve run into a snag with SSO integration this time around. I’ve actually done the procedure multiple times on other versions, and it was very easy to setup, no problems. This time with grouper 2.3.0, no workie.  Here’s what I’ve done:

 

I have the CAS 3.4.2 java client integrated with tomcat version 7 running on java 1.8. 

 

I removed the security-constraints, login-config, and security-role from the web.xml file. 

 

I modified the struts-config.xml with callLogin set to home.do, though the previous step is where I start seeing the below error.

 

This seemed redundant (because REMOTE_USER is the default), but found it in a email thread where someone else was having the same issue.

I modified grouper.ui.authentication.http.header = $REMOTE_USER

 

Lastly I added the debug statement (log4j.logger.edu.internet2.middleware.grouper.ui.GrouperUiFilter = DEBUG) in log4j with the result of:

 

2016-08-19 19:24:55,632: [http-bio-8443-exec-2] DEBUG GrouperUiFilter.remoteUser(636) -  - httpServletRequest.getRemoteUser(): null, $REMOTE_USER header: null, REMOTE_USER attribute: null, session.getAttribute(authUser): null, remoteUser overall: null

 

I’ve confirmed that the CAS client is in fact returning REMOTE_USER with correct user id. I modified the index.jsp within the grouper UI to display it, so I know grouper is seeing it. Yet, I get the error message:

 

You have an anonymous session since you are not logged in, but this section requires you to be logged in. Maybe No username found. Your identity provider might not be sending your username to this application. Either you need to use a different identity provider, or ask your IT department to send your username to this application.

 

Thanks in advance for any insights you may have.

 

Cheers,

Jeff

 




Archive powered by MHonArc 2.6.19.

Top of Page