...
Code Block |
---|
<Connector ... scheme="https" secure="true" /> |
...
Grouper built-in authentication (v2.5+)
For a UI/WS that was installed using the Grouper Installer, Tomcat authentication using web.xml authentication security-constraint directives is not used anymore. Grouper has by default since v2.5. It has been replaced by a Grouper authentication module that stores usernames and encrypted passwords in the database. Initially the GrouperSystem subject is used since that is the only subject available when Grouper is installed. This should be replaced in the UI and could be replaced in the WS. It is not See this page for further explanation. It is not enabled by default, except for a quickstart container. It is enabled by setting container parameters GROUPER_UI_GROUPER_AUTH and GROUPER_WS_GROUPER_AUTH, or by grouper.hibernate.properties parameters grouper.is.ui.basicAuthn and grouper.is.ws.basicAuthn. It is not recommended to use tomcat-users.xml anymore, but you could use another type of tomcat or apache authentication. See also this page.it can be added back manually if desired. Besides built-in authentication, external authentication services like Shibboleth and CAS are excellent options.
Authentication using Shibboleth Single Sign-on (SSO)
...
Configure Shibboleth so that it will protect any content that lives under the main Grouper install directory. To do this, enable mod_shib (your location and version may vary), and require Shibboleth for the /grouper/* URI;
Code Block LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_22.so <Location /grouper> Authtype shibboleth ShibRequireSession On require shibboleth ShibUseHeaders On</Location>
Then add an AJP proxy to the Apache configuration to forward requests for /grouper to the Tomcat install
Code Block LoadModule proxy_ajp_module modules/mod_proxy_ajp.so ProxyPass /grouper ajp://localhost:8009/grouper ProxyPassReverse /grouper ajp://localhost:8009/grouper
Add an AJP connector to Tomcat. The Tomcat conf/server.xml configuration may already have an AJP connector set up. If so, make sure the property
tomcatAuthentication=
"false"
is included.Code Block <Connector port= "8009" protocol= "AJP/1.3" tomcatAuthentication= "false" redirectPort= "8443" />
(< 2.5) Remove authentication from the servlet application. From the grouper WEB-INF/web.xml file, remove all security-constraint, login-config, and security-role sections:
Code Block <security-constraint> <web-resource-collection> <web-resource-name>UI</web-resource-name> <url-pattern>/grouperUi/app/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>grouper_user</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>UI</web-resource-name> <url-pattern>/grouperUi/appHtml/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>grouper_user</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>UI</web-resource-name> <url-pattern>/grouperExternal/app/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>grouper_user</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>Grouper Application</realm-name> </login-config> <security-role> <description> The role that is required to log in to the Grouper UI </description> <role-name>grouper_user</role-name> </security-role>
...
Info |
---|
Thanks to California Polytechnic State University for providing information on Authentication to Grouper using CAS. |
- Method 1: Tomcat Container Authenticationmod_auth_cas
- Method 2: Tomcat <Realm> authentication
- Method 23: Client Configuration Using configuration using web.xml (<v2.5.0)
- Previous way to integrate CAS with Grouper (< Grouper v2<v2.4.0)
- The yale-cas-auth java jar file is included with the installation of the Grouper UI. There are a few steps we needed to implement it:
- Configuration Steps to enable CAS Authentication
- Deployment Steps
- Troubleshoot
- The yale-cas-auth java jar file is included with the installation of the Grouper UI. There are a few steps we needed to implement it:
There are two different ways of enabling CAS authentication to protect Grouper resources. These have been tested with Grouper 2.4.0 primarily as a proof of concept, although there is some reports of success from similar configurations based on these.
CAS Authentication Method 1: Tomcat Container Authentication
See also: https://github.com/apereo/java-cas-client
The context definition in server.xml for Tomcat looks like this:
...
<Context docBase=
"/ucd/opt/grouper-ui/dist/grouper"
path=
"/grouper"
reloadable=
"false"
mapperContextRootRedirectEnabled=
"true"
mapperDirectoryRedirectEnabled=
"true"
>
<Realm className=
"org.jasig.cas.client.tomcat.v85.PropertiesCasRealm"
propertiesFilePath=
"/etc/tomcat/grouper-users.properties"
/>
<!--
If you
do
not need to map users to roles via a grouper-users.properties file use
this
.
<Realm className=
"org.jasig.cas.client.tomcat.v85.AssertionCasRealm"
/>
-->
<Valve className=
"org.jasig.cas.client.tomcat.v85.Cas20CasAuthenticator"
encoding=
"UTF-8"
casServerLoginUrl=
"https://CAS_SERVER/cas/login"
casServerUrlPrefix=
"https://CAS_SERVER/cas/"
serverName=
"GROUPER_SERVER"
/>
<!-- Single sign-out support -->
<Valve className=
"org.jasig.cas.client.tomcat.v85.SingleSignOutValve"
artifactParameterName=
"SAMLart"
/>
</Context>
The following jar files will need to go into the Tomcat lib directory (with current versions as of May 2019):
- org.jasig.cas.client : cas-client-core (v3.5.1) [Download]
- org.jasig.cas.client : cas-client-integration-tomcat-common (v3.5.1) [Download]
- org.jasig.cas.client : cas-client-integration-tomcat-v85 (v3.5.1) [Download]
- org.slf4j : slf4j-api (v1.7.26) [Download]
In Grouper's WEB-INF/web.xml, comment out the login-config and security-role sections. The security-constraint sections should remain so that authentication is triggered. The role-name can be changed to "*" (or "**" if that doesn't work) to allow all validated users to log in.
For other versions of Tomcat, change v85 to v8, v7, or v6 as appropriate.
CAS Authentication Method 2: Client Configuration Using web.xml
This method makes changes solely within the Grouper web application, without affecting the Tomcat configuration.
1. Download the cas-client-core jar file (current version is cas-client-core-3.5.1.jar as of May 2019)
2. Copy the web applications top-level index.jsp to a new subdirectory cas/
3. Edit cas/index.jsp to reference parent directory instead of the current one
<%@ include file="../WEB-INF/grouperUi2/assetsJsp/commonTaglib.jsp"%>
String location="../grouperUi/app/UiV2Main.index?operation=UiV2Main.indexMain";
4. Add to WEB-INF/classes/Owasp.CsrfGuard.overlay.properties
org.owasp.csrfguard.unprotected.CASLogin=%servletContext%/cas/*
5. Add to WEB-INF/web.xml, changing parameters as needed. Based on https://apereo.atlassian.net/wiki/spaces/CASC/pages/103252594/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml
...
<
filter
>
<
filter-name
>CAS Authentication Filter</
filter-name
>
<
filter-class
>org.jasig.cas.client.authentication.AuthenticationFilter</
filter-class
>
<
init-param
>
<
param-name
>casServerUrlPrefix</
param-name
>
<
param-value
>http://localhost:8080/cas</
param-value
>
</
init-param
>
<
init-param
>
<
param-name
>serverName</
param-name
>
<
param-value
>http://localhost:8080</
param-value
>
</
init-param
>
</
filter
>
<
filter-mapping
>
<
filter-name
>CAS Authentication Filter</
filter-name
>
<
url-pattern
>/cas/*</
url-pattern
>
</
filter-mapping
>
<
filter
>
<
filter-name
>CAS Validation Filter</
filter-name
>
<
filter-class
>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</
filter-class
>
<
init-param
>
<
param-name
>casServerUrlPrefix</
param-name
>
<
param-value
>http://localhost:8080/cas</
param-value
>
</
init-param
>
<
init-param
>
<
param-name
>serverName</
param-name
>
<
param-value
>http://localhost:8080</
param-value
>
</
init-param
>
</
filter
>
<
filter-mapping
>
<
filter-name
>CAS Validation Filter</
filter-name
>
<
url-pattern
>/cas/*</
url-pattern
>
</
filter-mapping
>
<
filter
>
<
filter-name
>CAS HttpServletRequest Wrapper Filter</
filter-name
>
<
filter-class
>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</
filter-class
>
</
filter
>
<
filter-mapping
>
<
filter-name
>CAS HttpServletRequest Wrapper Filter</
filter-name
>
<
url-pattern
>/cas/*</
url-pattern
>
</
filter-mapping
>
6. Start Tomcat, check catalina and localhost logs if any startup errors
7. Go to URI /grouper/cas/index.jsp to trigger the start of a CAS session.
Previous way to integrate CAS with Grouper (prior to Grouper 2.4.0)
The yale-cas-auth java jar file is included with the installation of the Grouper UI. There are a few steps we needed to implement it:
Configuration Steps to enable CAS Authentication
Add the cas authentication piece to the build.xml file in the Grouper UI home/build folder: /deploy/AppServers/grouper-ui folder:
/deploy/AppServers/grouper-ui/build.xml
...
<ant antfile=
"build.xml"
target=
"webapp"
dir=
"${contrib.dir}/yale-cas-auth"
inheritrefs=
"true"
/>
It should go just below the following section in the build.xml file:
...
<!-- Call any site specific build script. This may be used to introduce site specific Struts action,
local Subject implementations etc -->
<antcall target=
"-additional-build"
>
<param name=
"target"
value=
"webapp"
/>
<reference refid=
"ui.class.path.for.run"
/>
</antcall>
CAS Authentication to Grouper (v2.5+) TAP Container Using mod_auth_cas
Due to changes in packaging and instrumenting of the web application (i.e., web.xml is not the primary configuration method any more), previously working configuration methods require more work, or are no longer functional. Integration with CAS can still be accomplished by the use of mod_auth_cas within the Apache httpd process and some selective configuration file updates.
This will assume that you have disabled other environment variable enabled methods of authentication and that you are building your own local docker image for deployment as per Install the Grouper v2.5 container with maturity level 1 manually.
- Create a directory for your docker overlay and create the directory
slashRoot
inside it. Create a
Dockerfile
with at least the following contents.ARG GROUPER_VERSION=2.5.XX
FROM i2incommon/grouper:${GROUPER_VERSION}
# Need to install CAS so it can be used at the Apache server level
RUN yum -y install mod_auth_cas
# this will overlay all the files from /opt/grouperContainer/slashRoot on to /
COPY slashRoot /
RUN chown -R tomcat:tomcat /opt/grouper \
&& chown -R tomcat:tomcat /opt/tomee
- Add the files below under
slashRoot
:/etc/httpd/conf.d/auth_cas.conf.cas
Code Block language xml title auth_cas.conf.cas collapse true CASCookiePath /var/cache/httpd/mod_auth_cas/ CASLoginURL https://__CAS_HOST_NAME__/cas/login CASValidateURL https://__CAS_HOST_NAME__/cas/serviceValidate CASRootProxiedAs https://__GROUPER_UI_HOST_NAME__ #CASDebug On CASVersion 2 <Location /grouper> Authtype CAS require valid-user </Location>
- /usr/local/bin/grouperScriptHooks.sh
This hook script only installs the CAS filter in the apache layer when running the UI. It copies the file above over the default installed by yum, and then replaces the placeholder text with environment variables.
Code Block language bash title grouperScriptHooks.sh collapse true #!/bin/sh # called at the beginning of the container startup # after logging is setup # grouperScriptHooks_prepConfPost() { # return # } # called after the component command has been prepped # grouperScriptHooks_prepComponentPost() { # return # } # called after the finishPrep is called before the setupFiles # grouperScriptHooks_finishPrepPost() { # return # } # called after the setupFiles functions is called, almost before the process starts grouperScriptHooks_setupFilesPost() { echo "RUNNING CUSTOM grouperScriptHooks_setupFilesPost: GROUPER_UI=$GROUPER_UI" if [ "$GROUPER_UI" = "true" ]; then # Install needed CAS configuration cp -v /etc/httpd/conf.d/auth_cas.conf.cas /etc/httpd/conf.d/auth_cas.conf # Populate with this instance's hostnames sed -i "s|__CAS_HOST_NAME__|$CUSTOM_CAS_HOST_NAME|g" /etc/httpd/conf.d/auth_cas.conf sed -i "s|__GROUPER_UI_HOST_NAME__|$GROUPER_APACHE_SERVER_NAME|g" /etc/httpd/conf.d/auth_cas.conf echo "Enabled CAS Authentication Using CAS_HOST_NAME=$CUSTOM_CAS_HOST_NAME" fi return } # called after the chown at end of setupFiles, right before the process starts # grouperScriptHooks_setupFilesPostChown() { # return # } # export everything export -f grouperScriptHooks_setupFilesPost
Either in your dockerfile with ENV commands or upon startup of your container, set the following environment variables:
GROUPER_APACHE_SERVER_NAME
: host name (no scheme or path) of the server. Will be used in the Apache ServerName directive and to build the service URL used for redirects back from CAS.CUSTOM_CAS_HOST_NAME
: host name (no scheme or path) of the CAS server.
- You will also likely want to set
GROUPERUI_LOGOUT_REDIRECTTOURL
tohttp://${CUSTOM_CAS_HOST_NAME}/cas/logout
Build and tag your docker image and then run as per the install instruction page linked above. As with the other authentication methods, you should be able to see that the user ID from CAS has been proxied through by turning on logging by adding the below to your log4j.properties file.
log4j.logger.edu.internet2.middleware.grouper.ui.GrouperUiFilter = DEBUG
CAS Authentication Method 2: Tomcat <Realm> Authentication
See also: https://github.com/apereo/java-cas-client
Tomcat authentication using realms works both before and after v2.5.0, although some of the file locations differ in containers.
The context definition in server.xml for Tomcat (in the container, this is /opt/tomee/conf/Catalina/localhost/grouper.xml) looks like this:
|
The following jar files will need to go into the Tomcat lib directory (with current versions as of September 2020). The container equivalent folder is /opt/tomee/lib. For other versions of Tomcat (TomEE in the container is compatible with Tomcat 8.5), change v85 to v8, v7, or v6 as appropriate.
- org.jasig.cas.client : cas-client-core (v3.6.1) [Download]
- org.jasig.cas.client : cas-client-integration-tomcat-common (v3.6.1) [Download]
- org.jasig.cas.client : cas-client-integration-tomcat-v85 (v3.6.1) [Download]
- org.slf4j : slf4j-api (v1.7.26) [Download] (in versions <2.5.0 only)
(< v2.5.0) In Grouper's WEB-INF/web.xml, comment out the login-config and security-role sections. The security-constraint sections should remain so that authentication is triggered. The role-name can be changed to "*" (or "**" if that doesn't work) to allow all validated users to log in.
(v2.5.0+ container) In Grouper's WEB-INF/web.xml, add:
No Format |
---|
<security-constraint>
<display-name>Web Login Service</display-name>
<web-resource-collection>
<web-resource-name>user authentication</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>**</role-name>
</auth-constraint>
<!-- uncomment in production? Or with SSL?
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
-->
</security-constraint> |
To sum up, the files that would go into a slashRoot directory of a Maturity 0 container are:
- ./opt/grouper/grouperWebapp/WEB-INF/web.xml
- ./opt/tomee/lib/cas-client-core-3.6.1.jar
- ./opt/tomee/lib/cas-client-integration-tomcat-v85-3.6.1.jar
- ./opt/tomee/lib/cas-client-integration-tomcat-common-3.6.1.jar
- ./opt/tomee/conf/Catalina/localhost/grouper.xml
In addition to these files, if there are issues with Tomcat communicating with CAS (i.e., for back-channel ticket validation), the server certificate will need to be added to ./usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts.
CAS Authentication Method 3: Client Configuration Using web.xml and custom jsp bootstrap (< v2.5.0)
This method makes changes solely within the Grouper web application, without affecting the Tomcat configuration. It is no longer functional since v2.5.0, because Grouper's internal authorization filters always take precedence and interfere.
1. Download the cas-client-core jar file (current version is cas-client-core-3.6.1.jar as of September 2020)
2. Copy the web applications top-level index.jsp to a new subdirectory cas/
3. Edit cas/index.jsp to reference parent directory instead of the current one
<%@ include file="../WEB-INF/grouperUi2/assetsJsp/commonTaglib.jsp"%>
String location="../grouperUi/app/UiV2Main.index?operation=UiV2Main.indexMain";
4. Add to WEB-INF/classes/Owasp.CsrfGuard.overlay.properties
org.owasp.csrfguard.unprotected.CASLogin=%servletContext%/cas/*
5. Add to WEB-INF/web.xml, changing parameters as needed. Based on https://apereo.atlassian.net/wiki/spaces/CASC/pages/103252594/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml
|
6. Start Tomcat, check catalina and localhost logs if any startup errors
7. Go to URI /grouper/cas/index.jsp to trigger the start of a CAS session.
Previous way to integrate CAS with Grouper (prior to Grouper 2.4.0)
The yale-cas-auth java jar file is included with the installation of the Grouper UI. There are a few steps we needed to implement it:
Configuration Steps to enable CAS Authentication
Add the cas authentication piece to the build.xml file in the Grouper UI home/build folder: /deploy/AppServers/grouper-ui folder:
/deploy/AppServers/grouper-ui/build.xml<ant antfile=
"build.xml"
target=
"webapp"
dir=
"${contrib.dir}/yale-cas-auth"
inheritrefs=
"true"
/>
It should go just below the following section in the build.xml file:
<!-- Call any site specific build script. This may be used to introduce site specific Struts action,
local Subject implementations etc -->
<antcall target=
"-additional-build"
>
<param name=
"target"
value=
"webapp"
/>
<reference refid=
"ui.class.path.for.run"
/>
</antcall>
Implementer note: There are several -additional-build sections. Ensure you find the one that has a target with a value of "webapp".
Modify the following 3 lines in the build.properties file that is in the yale-cas-auth folder -- enter proper URLs for your organization:
/deploy/AppServers/grouper-ui/contrib/yale-cas-auth/build.properties#Grouper CAS Integration
for
CalPoly
sso.login.url=https:
//mydev.YourCampus.edu/cas/login
sso.validate.url=https:
//mydev.YourCampus.edu:443/cas/serviceValidate
grouper.server.name=s-grouper.its.YourCampus.edu
Modify the struts-config.xml file to skip the login prompt by changing the callLogin path to home.do instead of login.do:
/deploy/AppServers/grouper-ui/webapp/WEB-INF/struts-config.xml<forward name=
"callLogin"
path=
"/home.do"
redirect=
"true"
/>
Ensure the REMOTE_USER value that is returned from CAS is configured as one of the subject identifiers in the sources.xml:
/deploy/AppServers/grouper/conf/sources.xml<init-param>
<!-- col which identifies the row, perhaps not subjectId -->
<param-name>subjectIdentifierCol0</param-name>
<param-value>SUBJECT_NAME</param-value>
</init-param>
This is based on using the GrouperJdbcSourceAdapter2 source adapter type
- Ensure the grouper URL has been added to the CAS Services Registry.
Deployment Steps
From the /deploy/AppServers/grouper-ui directory, create a new war file:
ant war
Remove the grouper directory in the $TOMCAT_HOME/webapps folder:
cd /deploy/AppServers/tomcat/webapps
rm -rf grouper
Copy the new war file to the webapps directory (overwrite existing grouper.war file):
cp /deploy/AppServers/grouper-ui/dist/grouper.war .
- Stop and restart Tomcat.
Troubleshoot
See debug information in logs in log4j.properties
Implementer note: There are several -additional-build sections. Ensure you find the one that has a target with a value of "webapp".
Modify the following 3 lines in the build.properties file that is in the yale-cas-auth folder -- enter proper URLs for your organization:
/deploy/AppServers/grouper-ui/contrib/yale-cas-auth/build.properties
...
#Grouper CAS Integration
for
CalPoly
sso.login.url=https:
//mydev.YourCampus.edu/cas/login
sso.validate.url=https:
//mydev.YourCampus.edu:443/cas/serviceValidate
grouper.server.name=s-grouper.its.YourCampus.edu
Modify the struts-config.xml file to skip the login prompt by changing the callLogin path to home.do instead of login.do:
/deploy/AppServers/grouper-ui/webapp/WEB-INF/struts-config.xml
...
<forward name=
"callLogin"
path=
"/home.do"
redirect=
"true"
/>
Ensure the REMOTE_USER value that is returned from CAS is configured as one of the subject identifiers in the sources.xml:
/deploy/AppServers/grouper/conf/sources.xml
...
<init-param>
<!-- col which identifies the row, perhaps not subjectId -->
<param-name>subjectIdentifierCol0</param-name>
<param-value>SUBJECT_NAME</param-value>
</init-param>
This is based on using the GrouperJdbcSourceAdapter2 source adapter type
...
Deployment Steps
From the /deploy/AppServers/grouper-ui directory, create a new war file:
...
ant war
Remove the grouper directory in the $TOMCAT_HOME/webapps folder:
...
cd /deploy/AppServers/tomcat/webapps
rm -rf grouper
Copy the new war file to the webapps directory (overwrite existing grouper.war file):
...
cp /deploy/AppServers/grouper-ui/dist/grouper.war .
...
Troubleshoot
See debug information in logs in log4j.properties
...
log4j.logger.edu.internet2.middleware.grouper.ui.GrouperUiFilter = DEBUG
CAS Authentication to Grouper (v2.5+) TAP Container
Due to changes in packaging and instrumenting of the web application (i.e., web.xml is not the primary configuration method any more), the above methods do not work as documented. Integration with CAS can still be accomplished by the use of mod_auth_cas within the Apache httpd process and some selective configuration file updates.
This will assume that you have disabled other environment variable enabled methods of authentication and that you are building your own local docker image for deployment as per Install the Grouper v2.5 container with maturity level 1 manually.
...
Create a Dockerfile
with at least the following contents.
...
ARG GROUPER_VERSION=2.5.XX
FROM i2incommon/grouper:${GROUPER_VERSION}
# Need to install CAS so it can be used at the Apache server level
RUN yum -y install mod_auth_cas
# this will overlay all the files from /opt/grouperContainer/slashRoot on to /
COPY slashRoot /
RUN chown -R tomcat:tomcat /opt/grouper \
&& chown -R tomcat:tomcat /opt/tomee
...
/etc/httpd/conf.d/auth_cas.conf.cas
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
CASCookiePath /var/cache/httpd/mod_auth_cas/
CASLoginURL https://__CAS_HOST_NAME__/cas/login
CASValidateURL https://__CAS_HOST_NAME__/cas/serviceValidate
CASRootProxiedAs https://__GROUPER_UI_HOST_NAME__
#CASDebug On
CASVersion 2
<Location /grouper>
Authtype CAS
require valid-user
</Location> |
...
This hook script only installs the CAS filter in the apache layer when running the UI. It copies the file above over the default installed by yum, and then replaces the placeholder text with environment variables.
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
#!/bin/sh
# called at the beginning of the container startup
# after logging is setup
# grouperScriptHooks_prepConfPost() {
# return
# }
# called after the component command has been prepped
# grouperScriptHooks_prepComponentPost() {
# return
# }
# called after the finishPrep is called before the setupFiles
# grouperScriptHooks_finishPrepPost() {
# return
# }
# called after the setupFiles functions is called, almost before the process starts
grouperScriptHooks_setupFilesPost() {
echo "RUNNING CUSTOM grouperScriptHooks_setupFilesPost: GROUPER_UI=$GROUPER_UI"
if [ "$GROUPER_UI" = "true" ]; then
# Install needed CAS configuration
cp -v /etc/httpd/conf.d/auth_cas.conf.cas /etc/httpd/conf.d/auth_cas.conf
# Populate with this instance's hostnames
sed -i "s|__CAS_HOST_NAME__|$CUSTOM_CAS_HOST_NAME|g" /etc/httpd/conf.d/auth_cas.conf
sed -i "s|__GROUPER_UI_HOST_NAME__|$GROUPER_APACHE_SERVER_NAME|g" /etc/httpd/conf.d/auth_cas.conf
echo "Enabled CAS Authentication Using CAS_HOST_NAME=$CUSTOM_CAS_HOST_NAME"
fi
return
}
# called after the chown at end of setupFiles, right before the process starts
# grouperScriptHooks_setupFilesPostChown() {
# return
# }
# export everything
export -f grouperScriptHooks_setupFilesPost |
...
Either in your dockerfile with ENV commands or upon startup of your container, set the following environment variables:
GROUPER_APACHE_SERVER_NAME
: host name (no scheme or path) of the server. Will be used in the Apache ServerName directive and to build the service URL used for redirects back from CAS.CUSTOM_CAS_HOST_NAME
: host name (no scheme or path) of the CAS server.
...
|
See Also
Authentication to UI and Web Services in Grouper v2.5+
...