Versions Compared

Old Version 37

changes.mady.by.user Chad Redman (unc.edu)

Saved on

compared with

New Version 38

changes.mady.by.user Chad Redman (unc.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Method 1: mod_auth_cas
  • Method 2: Tomcat <Realm> authentication
  • Method 3: Client configuration using web.xml (<v2.5.0)
  • Previous way to integrate CAS with Grouper (<v2.4.0)
    • The yale-cas-auth java jar file is included with the installation of the Grouper UI.  There are a few steps we needed to implement it:
        • Configuration Steps to enable CAS Authentication
        • Deployment Steps
      • Troubleshoot


CAS Authentication to Grouper (v2.5+) TAP Container Using mod_auth_cas

Due to changes in packaging and instrumenting of the web application (i.e., web.xml is not the primary configuration method any more), previously working configuration methods require more work, or are no longer functional. Integration with CAS can still be accomplished by the use of mod_auth_cas within the Apache httpd process and some selective configuration file updates.

...

  1. Create a directory for your docker overlay and create the directory slashRoot inside it.

  2. Create a Dockerfile with at least the following contents.

    ARG GROUPER_VERSION=2.5.XX

    FROM i2incommon/grouper:${GROUPER_VERSION}

    # Need to install CAS so it can be used at the Apache server level
    RUN yum -y install mod_auth_cas

    # this will overlay all the files from /opt/grouperContainer/slashRoot on to /
    COPY slashRoot /

    RUN chown -R tomcat:tomcat /opt/grouper \
    && chown -R tomcat:tomcat /opt/tomee


  3. Add the files below under slashRoot:

    1. /etc/httpd/conf.d/auth_cas.conf.cas

      Code Block
      languagexml
      titleauth_cas.conf.cas
      collapsetrue
      CASCookiePath /var/cache/httpd/mod_auth_cas/
CASLoginURL https://__CAS_HOST_NAME__/cas/login
CASValidateURL https://__CAS_HOST_NAME__/cas/serviceValidate
CASRootProxiedAs https://__GROUPER_UI_HOST_NAME__

#CASDebug On
CASVersion 2

<Location /grouper>
  Authtype CAS
  require valid-user
</Location>


    2. /usr/local/bin/grouperScriptHooks.sh

      1. This hook script only installs the CAS filter in the apache layer when running the UI.  It copies the file above over the default installed by yum, and then replaces the placeholder text with environment variables.


    3. Code Block
      languagebash
      titlegrouperScriptHooks.sh
      collapsetrue
      #!/bin/sh

# called at the beginning of the container startup
# after logging is setup
# grouperScriptHooks_prepConfPost() {
#	return
# }

# called after the component command has been prepped
# grouperScriptHooks_prepComponentPost() {
# 	return
# }

# called after the finishPrep is called before the setupFiles
# grouperScriptHooks_finishPrepPost() {
# 	return
# }

# called after the setupFiles functions is called, almost before the process starts
grouperScriptHooks_setupFilesPost() {
  echo "RUNNING CUSTOM grouperScriptHooks_setupFilesPost: GROUPER_UI=$GROUPER_UI"
  if [ "$GROUPER_UI" = "true" ]; then
    # Install needed CAS configuration
    cp -v /etc/httpd/conf.d/auth_cas.conf.cas /etc/httpd/conf.d/auth_cas.conf
    # Populate with this instance's hostnames
    sed -i "s|__CAS_HOST_NAME__|$CUSTOM_CAS_HOST_NAME|g"               /etc/httpd/conf.d/auth_cas.conf
    sed -i "s|__GROUPER_UI_HOST_NAME__|$GROUPER_APACHE_SERVER_NAME|g"  /etc/httpd/conf.d/auth_cas.conf
    echo "Enabled CAS Authentication Using CAS_HOST_NAME=$CUSTOM_CAS_HOST_NAME"
  fi

	return
}

# called after the chown at end of setupFiles, right before the process starts
# grouperScriptHooks_setupFilesPostChown() {
# 	return
# }

# export everything
export -f grouperScriptHooks_setupFilesPost


  4. Either in your dockerfile with ENV commands or upon startup of your container, set the following environment variables:

    1. GROUPER_APACHE_SERVER_NAME : host name (no scheme or path) of the server.  Will be used in the Apache ServerName directive and to build the service URL used for redirects back from CAS.
    2. CUSTOM_CAS_HOST_NAME : host name (no scheme or path) of the CAS server.
  5. You will also likely want to set GROUPERUI_LOGOUT_REDIRECTTOURL to http://${CUSTOM_CAS_HOST_NAME}/cas/logout

  6. Build and tag your docker image and then run as per the install instruction page linked above.  As with the other authentication methods, you should be able to see that the user ID from CAS has been proxied through by turning on logging by adding the below to your log4j.properties file.

    log4j.logger.edu.internet2.middleware.grouper.ui.GrouperUiFilter = DEBUG



CAS Authentication Method 2: Tomcat <Realm> Authentication

...