grouper-users - Re: [grouper-users] RE: Grouper CAS -Shib authentication

Subject: Grouper Users - Open Discussion List

  • From: Travis Schmidt <>
  • To: "Singley, Norman" <>, "Hyzer, Chris" <>, " Mailing List" <>
  • Subject: Re: [grouper-users] RE: Grouper CAS -Shib authentication
  • Date: Wed, 02 Nov 2016 20:33:43 +0000

I only needed to add the CAS jars and change the context in server.xml to this:

        <Context docBase="/ucd/opt/grouper-ui/build/grouper" path="/grouper"
                  reloadable="false"
                  mapperContextRootRedirectEnabled="true"
                  mapperDirectoryRedirectEnabled="true">
          <Realm
             className="org.jasig.cas.client.tomcat.v7.PropertiesCasRealm"
             propertiesFilePath="/etc/tomcat/grouper-users.properties"
          />
          <Valve
            className="org.jasig.cas.client.tomcat.v7.Cas20CasAuthenticator"
            encoding="UTF-8"
            casServerLoginUrl="https://ssodev.ucdavis.edu/cas/login"
            casServerUrlPrefix="https://ssodev.ucdavis.edu/cas/"
            serverName="grouperdev.ucdavis.edu"
          />

          <!-- Single sign-out support -->
          <Valve
            className="org.jasig.cas.client.tomcat.v7.SingleSignOutValve"
            artifactParameterName="SAMLart"
          />

       </Context>

We restrict who can access by the grouper-users.properties that has the format

LOGIN_ID=grouper_user

I didn't change anything else in the grouper properties or configuration, but did need to make sure that the user logging in was able to be searched by a source that was configured in sources.xml.

Travis


On Wed, Nov 2, 2016 at 1:12 PM Singley, Norman <> wrote:

Hi Chris 

 

Thanks, yes we did add the cas jars to the tomcat library. 

 

I think we need some kind of security restraint in web.xml for cas, but I’m not sure what.  When some entries are there, it will go out to CAS to authenticate, but if I strip them all, then I never see CAS and I get the not-authenticated error. 

 

 

Norman Singley

Directory Services

406 243 6799

From: Hyzer, Chris [mailto:]
Sent: Wednesday, November 02, 2016 1:02 PM
To: Singley, Norman; Mailing List
Subject: RE: Grouper CAS -Shib authentication

 

I assume you added the cas jars to the tomcat library dir?

 

Does someone know if you need security constraints in web.xml for cas?

 

Maybe you could ask this on a CAS mailing list if someone here cannot help?

 

Thanks

Chris

 

From: [] On Behalf Of Singley, Norman
Sent: Wednesday, November 02, 2016 2:37 PM
To:
Subject: [grouper-users] Grouper CAS -Shib authentication

 

Hi folks.

 

I’m working on this CAS authentication piece for grouper 2.3 again, and I am still stuck.  Here’s the current status. 

 

I removed the security constraints from web.xml files:

 

/grouper/grouper.ws-2.3.0/grouper-ws/webapp/WEB-INF/web.xml

/grouper/grouper.ui-2.3.0/dist/grouper/WEB-INF/web.xml

 

 

 

Now when I hit the url, I don’t seem to get redirected to CAS/Shib.  I don’t get the tomcat 403 error, but the application errors:

Anything else I can provide to help troubleshoot?  Again, thanks for all the help.

 

 

Norman Singley

Directory Services

406 243 6799
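
Added example, not part of the thread or of the Grouper or CAS client code: Tomcat only invokes a container authenticator such as the CAS valve for requests covered by a security-constraint that carries an auth-constraint, which fits the behaviour reported above when the constraints were stripped. This sketch checks a web.xml against a LOGIN_ID=role properties file; the sample inputs and function names are constructed for illustration, and the handling of the `*` and `**` role names is a simplification.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, not taken from a real Grouper deployment.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>grouper_user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/status</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""
SAMPLE_PROPS = "# LOGIN_ID=role[,role]\njdoe=grouper_user\nasmith = helpdesk\n"

def _named(parent, name):
    """Descendants of parent with this local name, ignoring XML namespaces."""
    return [e for e in parent.iter() if e.tag.rsplit("}", 1)[-1] == name]

def protected_patterns(web_xml):
    """Map url-pattern -> roles, for constraints that carry an auth-constraint."""
    found = {}
    for sc in _named(ET.fromstring(web_xml), "security-constraint"):
        if not _named(sc, "auth-constraint"):
            continue  # no auth-constraint: served without authentication
        roles = {e.text.strip() for e in _named(sc, "role-name") if e.text}
        for pat in _named(sc, "url-pattern"):
            found.setdefault((pat.text or "").strip(), set()).update(roles)
    return found

def realm_users(props):
    """Parse LOGIN_ID=role[,role] lines into {login: set(roles)}."""
    users = {}
    for line in props.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            login, roles = line.split("=", 1)
            users[login.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
    return users

def audit(web_xml, props):
    """Report whether login is ever triggered and which logins pass each pattern."""
    users, report = realm_users(props), {}
    for pat, roles in protected_patterns(web_xml).items():
        wildcard = bool(roles & {"*", "**"})  # simplification: any listed login
        report[pat] = sorted(u for u, r in users.items() if wildcard or r & roles)
    return {"login_triggered": bool(report), "allowed": report}

if __name__ == "__main__":
    print(audit(SAMPLE_WEB_XML, SAMPLE_PROPS))
```

An empty `allowed` list for a pattern means the login succeeds at CAS but no listed LOGIN_ID holds a role that the constraint accepts.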

 

 




