Magnolia 4.5 reached end of life on June 30, 2016. This branch is no longer supported, see End-of-life policy.

CAS module 1.0 requires LDAP Connector module 1.4, which can authenticate against multiple LDAP or Active Directory servers. The newer CAS Connector module 1.1 requires LDAP Connector module 1.6 and authenticates against only one LDAP or Active Directory server at a time.

Central Authentication Service (CAS) is a single sign-on protocol for the web. CAS enables applications to authenticate users without needing access to the users' security credentials (login and password details). Note that all references to CAS in Magnolia refer to the CAS module, which enables use of the CAS service. The CAS module requires, and only works in conjunction with, the LDAP Connector module 1.4.

Download

Download the CAS module from Magnolia Store or Nexus repository.

Installing

CAS Connector is an enterprise module available in the add-ons folder of the Enterprise Edition bundle. To install the module, see the general module installation instructions.
You can configure the location of your cas.properties file as necessary. To do this, add a new property jndi.ldap.config to magnolia.properties and set its value to a path relative to the webapp.

Unlike most modules, installing the CAS module doesn't trigger upgrade or installation tasks. The CAS module quietly makes the necessary classes available for your configuration, but you won't see it listed in the modules section of your configuration, nor will it trigger the "Upgrade Needed" notification.

Uninstalling

See the general module uninstalling instructions and advice.

Available CAS Modules

CASAuthenticationModule: this module can be used to authenticate against any LDAP directory. Use it together with MagnoliaGroupResolver and MagnoliaRoleResolver (users replicated in the JCR repository) or with specific NameResolver implementations to resolve groups and roles for your LDAP users.

How CAS works

The Central Authentication Service is a single sign-on (SSO) web protocol. With single sign-on a user logs in once and then automatically gains access to all related systems for which they have been granted access rights, without being prompted to log in to each system individually. Note that you can download the JASIG CAS server from the Central Authentication Service project website.

CAS Process Summary

  1. The CAS server serves the CAS login web page and authenticates users.
  2. The CAS server issues a ticket-granting ticket (TGT) so that the user does not have to log in again on each redirect to the CAS server.
  3. The CAS server redirects back to the application server with a service ticket (ticket=ST-xxx) in the URL for the Magnolia CAS client to check.
  4. Finally, the CAS server validates the service ticket on behalf of the application server.
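The client side of steps 3 and 4, as an added example (not Magnolia code): it pulls the ST ticket out of the callback URL, builds the validation request and accepts the user only after the CAS server has confirmed the ticket. The /serviceValidate endpoint and the XML response format are CAS 2.0 protocol conventions, and the host names and ticket values are constructed, none of it taken from this page.

```python
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
import xml.etree.ElementTree as ET  # responses come from the trusted CAS server; use defusedxml for untrusted XML

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2.0 validation responses

def extract_service_ticket(callback_url: str) -> Optional[str]:
    """Return the ST-... service ticket the CAS server appended to the callback URL, if any."""
    ticket = parse_qs(urlsplit(callback_url).query).get("ticket", [None])[0]
    return ticket if ticket and ticket.startswith("ST-") else None

def service_url(callback_url: str) -> str:
    """Callback URL without the ticket: the 'service' the ticket was issued for. It must
    match what the CAS server saw at login, or the ticket is rejected."""
    parts = urlsplit(callback_url)
    query = {k: v for k, v in parse_qs(parts.query).items() if k != "ticket"}
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))

def build_validate_url(cas_base: str, callback_url: str, ticket: str) -> str:
    """Server-to-server validation request (assumes the CAS 2.0 /serviceValidate endpoint)."""
    query = urlencode({"service": service_url(callback_url), "ticket": ticket})
    return cas_base.rstrip("/") + "/serviceValidate?" + query

def parse_validate_response(xml_text: str) -> Tuple[bool, str]:
    """Map a serviceValidate response to (accepted, username or failure code)."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is not None and user.text:
        return True, user.text.strip()
    failure = root.find("cas:authenticationFailure", CAS_NS)
    code = failure.get("code", "UNKNOWN") if failure is not None else "MALFORMED"
    return False, code

def authenticate_callback(cas_base: str, callback_url: str, fetch: Callable[[str], str]) -> Tuple[bool, str]:
    """Steps 3 and 4 from the client side: a ticket in the URL is never trusted by itself;
    the user is accepted only once the CAS server has confirmed the ticket."""
    ticket = extract_service_ticket(callback_url)
    if ticket is None:
        return False, "NO_TICKET"
    return parse_validate_response(fetch(build_validate_url(cas_base, callback_url, ticket)))

# Constructed responses in the CAS 2.0 format, standing in for a real CAS server.
SUCCESS_XML = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
               "<cas:authenticationSuccess><cas:user>jsmith</cas:user>"
               "</cas:authenticationSuccess></cas:serviceResponse>")
FAILURE_XML = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
               "<cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized"
               "</cas:authenticationFailure></cas:serviceResponse>")
```

In a real deployment fetch is an HTTPS request to the CAS server, and the service URL must be the exact one the Magnolia instance was registered with.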

Configuration

Note that at present the CAS module requires, and only works in conjunction with, the Magnolia LDAP Connector module 1.4. The LDAP Connector is a standard JAAS login module that connects to any LDAPv3-compliant directory service. This module is useful when deploying Magnolia in large intranet environments where an enterprise-grade user management infrastructure already exists. The standard JAAS support enables you to meet single sign-on requirements.

ldap.properties

The following properties have to be configured in ldap.properties (or ad.properties) for the CAS module to function:

java.naming.provider.url
    A fully qualified URL to your LDAP server.

java.naming.security.authentication
    Password encryption type: none, simple or DIGEST-MD5.

java.naming.security.principal=
    IMPORTANT: this value must be left blank.

java.naming.security.principal.cas=uid=admin,ou=system
    The account used to query the user roles.

java.naming.security.credentials=secret*
    The password for the account used to query the user roles.

initialSearchAttributes
    The string used to build the initial search against the server, for example CN=Users,dc=example,dc=com.

groupResolverClass
    The class responsible for resolving the groups assigned to a user. The class must implement the info.magnolia.jaas.sp.ldap.resolver.NameResolver interface.
    Implementations:
      • info.magnolia.jaas.sp.ldap.resolver.MagnoliaGroupResolver
      • info.magnolia.jaas.sp.ldap.resolver.ADGroupResolver
      • info.magnolia.jaas.sp.ldap.resolver.OpenLDAPGroupResolver

roleResolverClass
    The class responsible for resolving the roles assigned to a user. The class must implement the info.magnolia.jaas.sp.ldap.resolver.NameResolver interface.
    Implementations:
      • info.magnolia.jaas.sp.ldap.resolver.MagnoliaRoleResolver

adminUserDN
    Distinguished name of an admin user who has permission to search the tree defined in initialSearchAttributes.

adminUserPassword
    Password of the admin user.

Name mapping (multiple properties)
    Mapping between the Magnolia-defined attributes and the names those attributes have in your specific LDAP installation.

Other properties are defined and documented in the ldap.properties and ad.properties files.
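An added example, not part of the Magnolia distribution: a small check that reads an ldap.properties file and flags the settings the table above requires for the CAS module, run over a constructed sample file. The property names and the documented resolver classes come from the table; the sample values, the minimal .properties parser and the plain-ldap:// warning are assumptions of this example.

```python
import re
from typing import Dict, List

RESOLVER_PKG = "info.magnolia.jaas.sp.ldap.resolver."
GROUP_RESOLVERS = {RESOLVER_PKG + n for n in ("MagnoliaGroupResolver", "ADGroupResolver", "OpenLDAPGroupResolver")}
ROLE_RESOLVERS = {RESOLVER_PKG + "MagnoliaRoleResolver"}
AUTH_TYPES = {"none", "simple", "DIGEST-MD5"}
REQUIRED = ("java.naming.provider.url", "java.naming.security.principal.cas", "java.naming.security.credentials",
            "initialSearchAttributes", "groupResolverClass", "roleResolverClass", "adminUserDN", "adminUserPassword")

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, key=value, key:value or key value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if m := re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line):
            props[m.group(1)] = m.group(2)  # 'key=' yields '' so a deliberately blank value is kept
    return props

def check_cas_properties(props: Dict[str, str]) -> List[str]:
    """Problems that stop the CAS module from working, plus one transport warning."""
    problems = [k + " is missing or empty" for k in REQUIRED if not props.get(k)]
    if props.get("java.naming.security.principal"):
        problems.append("java.naming.security.principal must be blank; the query account belongs in "
                        "java.naming.security.principal.cas")
    auth = props.get("java.naming.security.authentication")
    if auth not in AUTH_TYPES:
        problems.append("java.naming.security.authentication must be none, simple or DIGEST-MD5")
    for key, known in (("groupResolverClass", GROUP_RESOLVERS), ("roleResolverClass", ROLE_RESOLVERS)):
        if props.get(key) and props[key] not in known:
            problems.append(key + " is not a documented implementation; it must implement NameResolver")
    if auth == "simple" and props.get("java.naming.provider.url", "").startswith("ldap://"):
        problems.append("warning: simple bind over plain ldap:// sends the query account's password in clear")
    return problems

# Constructed ldap.properties fragment for illustration (host, DNs and passwords are placeholders).
SAMPLE = """java.naming.provider.url=ldaps://ldap.example.com:636
java.naming.security.authentication=simple
java.naming.security.principal=
java.naming.security.principal.cas=uid=admin,ou=system
java.naming.security.credentials=secret*
initialSearchAttributes=CN=Users,dc=example,dc=com
groupResolverClass=info.magnolia.jaas.sp.ldap.resolver.MagnoliaGroupResolver
roleResolverClass=info.magnolia.jaas.sp.ldap.resolver.MagnoliaRoleResolver
adminUserDN=cn=admin,dc=example,dc=com
adminUserPassword=secret
"""
```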

jaas.config

(warning) If you run the JBoss application server, edit login-config.xml instead.

JAAS is a standard authentication and authorization API provided by Java 1.4 and higher. An external file is used to configure JAAS. Using JAAS with CAS allows modification of the authentication process without having to rebuild and redeploy CAS.

In the jaas.config file, split info.magnolia.jaas.sp.jcr.JCRAuthenticationModule and info.magnolia.jaas.sp.ldap.ADAuthenticationModule into different JAAS chains:

jaas.config
magnolia {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule required;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

magnolia-cas {
  info.magnolia.jaas.sp.ldap.ADAuthenticationModule required realm=external;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

In Magnolia configuration, set the jaasChain property to magnolia-cas: