Magnolia 5.4 reached end of life on November 15, 2018. This branch is no longer supported, see End-of-life policy.
CAS module 1.1 requires LDAP Connector module 1.6 which authenticates against one LDAP or Active Directory server at a time. If you have multiple servers and want users to be authenticated against all of them, use the earlier CAS module 1.0 and LDAP Connector 1.4.
Central Authentication Service (CAS) provides a single sign-on protocol for the Web. CAS enables applications to authenticate a user without needing to access the user's security credentials (login and password). The name CAS also refers to a software package that implements this protocol.
To use the Magnolia CAS module, you will need to download the appropriate software. The CAS authentication system was originally created by Yale University to provide a secure means for an application to authenticate a user, and as such, still forms part of the JASIG project.
<dependency> <groupId>info.magnolia</groupId> <artifactId>magnolia-module-cas</artifactId> <version>1.3.2</version> </dependency>
The CAS module runs in conjunction with JASIG CAS software. You can download the JASIG CAS server software from the Central Authentication Service project website .
The Central Authentication Service is a single sign-on (SSO) Web protocol that permits a user to log in once to a system and then automatically gain access to all related systems to which they have been granted permission as per their credentials. This avoids the need to log into each system individually.
The Magnolia CAS module handles authentication only. When a user logs into CAS, the system authenticates their identity to participating services because the user has been authenticated to CAS. The individual services determine if the user has appropriate access rights.
In a real world situation, a company can use a customized Jasig CAS application as a login interface. The interface shows the company logo and provides a login and password area. When a user logs into the interface they are taken to a page containing links to a selection of applications, including the author instance of Magnolia. (Note, there is no cross-connection of applications.) The user does not need to sign in a second time in order to use Magnolia CM, but clicks on the application link and is granted access.
Note that at present the CAS module 1.1 requires and only works in conjunction with the LDAP Connector Module 1.6. The LDAP Connector is a standard JAAS login module and connects to any LDAP V3 supported directory service. In addition, before using the CAS functionality with Magnolia, it is first necessary to have a Jasig CAS environment set up.
ssoSlave
in your ldap.properties
or ad.properties
file is set to true
.JAAS is a standard authentication and authorization API provided by Java 1.4 and higher. An external file is used to configure JAAS. Using JAAS with CAS allows modification of the authentication process without having to rebuild and redeploy CAS.
In the jaas.config
file, split info.magnolia.jaas.sp.jcr.JCRAuthenticationModule
and info.magnolia.jaas.sp.ldap.ADAuthenticationModule
into different JAAS chains:
magnolia { info.magnolia.jaas.sp.jcr.JCRAuthenticationModule required; info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required; }; magnolia-cas { info.magnolia.jaas.sp.ldap.ADAuthenticationModule required realm=external; info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required; };
In Magnolia configuration, set the jaasChain
property to magnolia-cas
:
Node name | Value |
---|---|
server |
|
filters |
|
login |
|
loginHandlers |
|
CAS |
|
class | info.magnolia.cms.security.auth.login.CASLogin |
jaasChain | magnolia-cas |
It is not possible to use the LDAPAuthenticationModule in jaas.config because the module requires a user password which CAS does not provide.
Go to Configuration >/modules/cas/config
.
casLoginURL
to point to the login form of your CAS server.casLogoutURL
to point to the logout page of your CAS server.casServiceURL
to match your current Magnolia instance.casValidateURL
to point to your CAS server.Node name | Value |
---|---|
modules | |
cas | |
config | |
casLoginURL | https://localhost:8443/cas/login/ |
casLogoutURL | https://localhost:8443/cas/logout |
casServiceURL | http://localhost:8080/ |
casTicketRequestParameter | ticket |
casValidateURL | https://localhost:8443/cas/ |
version | 1.1.0 |
Provided you have not changed this parameter in the CAS server implementation, it should not be necessary to adjust
casTicketRequestParameter
.
1.3+ You may add the parameter casServiceURL to the the value of the casLogoutURL, this causes the CAS server to provide a link back to the application after logging out.
Node name | Value |
---|---|
| https://localhost:8443/cas/logout?url=${casServiceURL} |
Go to Configuration >/server/filters/securityCallback/clientCallbacks
.
cas
node as the first node in the tree. Typically, the first node in the list in a default configuration is the form
node.Node name | Value |
---|---|
server | |
filters | |
context | |
.... | |
securityCallback | |
clientCallbacks | |
cas | |
class | info.magnolia.cms.security.auth.callback.CASClientCallback |
public | |
form | |
class | info.magnolia.cms.security.SecurityCallbackFilter |
crossSite | |
.... |
http://localhost:8080/magnoliaAuthor/.magnolia/admincentral?mgnlUserId=superuser&mgnlUserPSWD=superuser
.If you have problems using CAS with a self-signed certificate, try adding the following line to the relevant magnolia.properties: magnolia.cas.sslDebug=true
. IMPORTANT - Do not use this setting in a production environment.