SafeNet Trusted Access for Apereo CAS

Overview

The application template provides the ability to enable single sign-on for users accessing the Apereo CAS application through SafeNet Trusted Access.

The following use cases can be configured for Apereo CAS:

SP-initiated SSO

Just-in-Time provisioning

Configuring SafeNet Trusted Access for Apereo CAS is a three-step process:

1. Apereo CAS setup

2. SafeNet Trusted Access setup

3. Verify authentication

Apereo CAS Setup

Prerequisites:

CAS server (v6.1.0) and CAS client should be fully installed and configured.

JDK (v11) and Apache Tomcat (v9) should be fully installed and configured.

Download the Identity Provider metadata from the SafeNet Trusted Access console by clicking the Download metadata file button. You will need this metadata in one of the steps below.

Perform the following steps to configure SafeNet Trusted Access as your Identity Provider in Apereo CAS:

1. In a text editor, open the build.gradle file that is located at the <CAS HOME>/build.gradle path, where <CAS HOME> is the location where the configuration files of Apereo CAS are present.

For example, c:\cas-overlay-template-master\build.gradle

2. Locate the dependencies block and add the following line inside it:

compile "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"

3. Save and close the build.gradle file.

4. Open the <CAS SHARED>/etc/cas/config folder, where <CAS SHARED> is the root location that contains the folders shared between CAS clients (for example, CAS Client for Java) and the CAS server. For example, C:/etc/cas/config. Perform the following steps:

a. Copy the identity provider metadata file that you downloaded earlier from the SafeNet Trusted Access console and paste it at the location <CAS SHARED>/etc/cas/config.

b. Rename the metadata file as per your preferred configuration (for example, safenet_metadata.xml).

c. In a text editor, open the cas.properties file that is located at the path mentioned in step 4a.

d. In the cas.properties file, add the following lines; each entry below shows the line, the meaning of its placeholder, and an example value:

Line: cas.authn.pac4j.saml[0].clientName=<IDP Name>
Where <IDP Name> is the name of the IdP that will be displayed on the login page.
Example: cas.authn.pac4j.saml[0].clientName=SafeNet IDP

Line: cas.authn.pac4j.saml[0].serviceProviderEntityId=<CAS Server Name>
Where <CAS Server Name> is the top-level URL (protocol, domain name, and port) of the web/application server running the CAS server.
Example: cas.authn.pac4j.saml[0].serviceProviderEntityId=https://cas.safenet.org:8443

Line: cas.authn.pac4j.saml[0].keystorePath=<SAML Keystore File>
Where <SAML Keystore File> is the path and the name of the CAS auto-generated key (in .jks format) for SAML. The key will be auto-generated at this path.
Example: cas.authn.pac4j.saml[0].keystorePath=C:/etc/cas/config/samlKeystore.jks

Line: cas.authn.pac4j.saml[0].keystorePassword=<Keystore Password>
Where <Keystore Password> is the password to be created for the keystore file.
Example: cas.authn.pac4j.saml[0].keystorePassword=Password1!

Line: cas.authn.pac4j.saml[0].privateKeyPassword=<Private Key Password>
Where <Private Key Password> is the password to be created for the private key.
Example: cas.authn.pac4j.saml[0].privateKeyPassword=Temp123#

Line: cas.authn.pac4j.saml[0].serviceProviderMetadataPath=<CAS Metadata Path>
Where <CAS Metadata Path> is the path and the name of the CAS metadata file. The metadata will be auto-generated at this path.
Example: cas.authn.pac4j.saml[0].serviceProviderMetadataPath=C:/etc/cas/config/cas_metadata.xml

Line: cas.authn.pac4j.saml[0].identityProviderMetadataPath=<IDP Metadata Path>
Where <IDP Metadata Path> is the path and name of the IdP metadata file that you pasted earlier into the <CAS SHARED>/etc/cas/config folder, where <CAS SHARED> is the root location that contains the folders shared between CAS clients (for example, CAS Client for Java) and the CAS server.
Example: cas.authn.pac4j.saml[0].identityProviderMetadataPath=C:/etc/cas/config/safenet_metadata.xml

Line: cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Example: N.A.

e. Save and close the cas.properties file.

5. Open the <CAS SHARED>/etc/cas/services folder, where <CAS SHARED> is the root location that contains the folders shared between CAS clients (for example, CAS Client for Java) and the CAS server.

For example, C:/etc/cas/services.

Perform the following steps:

a. In a text editor, open the HTTPSandIMAPS-<Service ID>.json file, where <Service ID> is the ID of the service registered on the CAS server.

b. Before the last closing curly bracket "}", add the following lines:

"accessStrategy" : {
  "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
  "delegatedAuthenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
    "allowedProviders" : [ "java.util.ArrayList", [ "<IDP Name>" ] ]
  }
}

Where <IDP Name> is the name of the IdP that will be displayed on the login page (for example, SafeNet IDP).

c. Save and close the HTTPSandIMAPS-<Service ID>.json file.

6. Perform the following steps to restart the Tomcat server:

a. Open the <TOMCAT HOME>\bin folder, where <TOMCAT HOME> is the location where the Tomcat server is installed.

For example, C:\tomcat\bin

b. Locate and click the shutdown.bat file.

c. Locate and click the startup.bat file.

7. To generate the SAML keystore, CAS metadata, and SAML signing certificate files, perform the following steps:

a. In a web browser, open the CAS Server login page using the <CAS Server Name>/cas/login URL, where <CAS Server Name> is the top-level URL (protocol, domain name, and port) of the web/application server running the CAS server.

For example, https://cas.safenet.org:8443/cas/login

b. Under External Identity Providers, click <IDP Name>, where <IDP Name> is the name of the IdP that will be displayed on the login page (for example, SafeNet IDP).

c. Close the web browser.

8. Open File Explorer and go to the <CAS SHARED>/etc/cas/config folder, where <CAS SHARED> is the root location that contains the folders shared between CAS clients (for example, CAS Client for Java) and the CAS server.

For example, C:/etc/cas/config.

9. Ensure that the SAML keystore file (for example, samlKeystore.jks), the CAS metadata file (for example, cas_metadata.xml), and the SAML signing certificate (for example, saml-signing-cert-SafeNetIDP) have been created. You will need the CAS metadata file while configuring SafeNet Trusted Access.
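The following Python script is an added example, not part of the SafeNet or Apereo documentation. It cross-checks the cas.properties entries from step 4, the service JSON from step 5, and the downloaded IdP metadata: it confirms that clientName appears in the service's allowedProviders (the list that restricts which external IdPs may authenticate to that service), and that the IdP metadata offers a SingleSignOnService for the configured destinationBinding and a signing certificate. The sample properties, service definition, and metadata are constructed, with placeholder IdP URLs and certificate.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample inputs that mirror the values used in steps 4 and 5 above.
CAS_PROPERTIES = """
cas.authn.pac4j.saml[0].clientName=SafeNet IDP
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://cas.safenet.org:8443
cas.authn.pac4j.saml[0].identityProviderMetadataPath=C:/etc/cas/config/safenet_metadata.xml
cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
"""
# Note the comma after "id": the accessStrategy block is appended after an existing property.
SERVICE_JSON = """{ "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(https|imaps)://.*", "name": "HTTPS and IMAPS", "id": 10000001,
  "accessStrategy": { "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "delegatedAuthenticationPolicy": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders": [ "java.util.ArrayList", [ "SafeNet IDP" ] ] } } }"""
# Minimal IdP metadata (placeholder entityID and certificate) with one HTTP-POST SSO endpoint.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid/saml">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://idp.example.invalid/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>"""
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def parse_saml_props(text, idx=0):
    """Collect the cas.authn.pac4j.saml[idx].* keys; values are trimmed as java.util.Properties does."""
    prefix = f"cas.authn.pac4j.saml[{idx}]."
    lines = (line.strip() for line in text.splitlines())
    pairs = (line.split("=", 1) for line in lines if line.startswith(prefix) and "=" in line)
    return {key[len(prefix):].strip(): value.strip() for key, value in pairs}


def check_delegation_config(props_text, service_json, idp_metadata_xml):
    """Cross-check the three artefacts; an empty list of findings means they agree."""
    props, findings = parse_saml_props(props_text), []
    # The service's delegated-authentication policy must list the configured clientName.
    policy = json.loads(service_json).get("accessStrategy", {}).get("delegatedAuthenticationPolicy", {})
    allowed = policy.get("allowedProviders", [None, []])[1]
    if props.get("clientName") not in allowed:
        findings.append(f"clientName {props.get('clientName')!r} is not in allowedProviders {allowed}")
    # The IdP metadata must publish an SSO endpoint for destinationBinding and a signing key.
    root = ET.fromstring(idp_metadata_xml)
    bindings = {e.get("Binding") for e in root.findall(".//md:SingleSignOnService", MD_NS)}
    if props.get("destinationBinding") not in bindings:
        findings.append("IdP metadata has no SingleSignOnService for the configured destinationBinding")
    if root.find(".//md:KeyDescriptor[@use='signing']", MD_NS) is None:
        findings.append("IdP metadata has no signing KeyDescriptor")
    return findings
```

To run it against a real deployment, read the three files from <CAS SHARED>/etc/cas/config and <CAS SHARED>/etc/cas/services and pass their contents to check_delegation_config.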

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in Apereo CAS, the second step is to activate the Apereo CAS application in SafeNet Trusted Access by performing the following steps:

1. In the Applications pane, the Apereo CAS application you added earlier is in the inactive state by default. To configure and activate this application, click the application (for example, Apereo CAS) and proceed to the next step.

2. Under STA Setup, click Upload Apereo CAS Metadata.

3. In the Metadata upload window, click Browse to locate and select the Apereo CAS metadata file that you generated earlier in step 7 of Apereo CAS Setup.

Under Account Details, the service provider metadata information is displayed.

4. Under User Portal Settings, in the SERVICE LOGIN URL field, enter <CAS Server Name>/cas, where <CAS Server Name> is the top-level URL (protocol, domain name, and port) of the web/application server running the CAS server.

For example, https://cas.safenet.org:8443/cas

5. Click Save Configuration to save the details and activate the Apereo CAS application in SafeNet Trusted Access.

Verify Authentication

Using STA Console

Navigate to the CAS client login URL (for example, https://cas.safenet.org:8443/mywebapp/). Click <IDP Name>, where <IDP Name> is the name of the IDP that will be displayed on the login page (for example, SafeNet IDP).

You will be redirected to your SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the CAS client dashboard after authentication.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the Apereo CAS application icon. You will be redirected to the CAS Server login page. Click <IDP Name>, where <IDP Name> is the name of the IDP that will be displayed on the login page (for example, SafeNet IDP). You should be successfully logged in to the CAS server dashboard after authentication.

© 2019 SafeNet Trusted Access. Various trademarks are held by their respective owners.