This repository has been archived by the owner on Nov 3, 2017. It is now read-only.

Configuring services initiating SSO sessions

wgthom edited this page Feb 18, 2013 · 5 revisions

Since version 1.2, cas-addons provides a facility for fine-grained control over which registered services are allowed to initiate WebSSO sessions. If a registered service is configured with this option, the standard CAS WebSSO machinery works as usual: after a successful authentication leg a TGT is created and the corresponding CASTGC cookie is sent to the client's user agent (browser). If a registered service is not configured to initiate a WebSSO session, then after a successful authentication no CASTGC cookie is sent to the client's browser, and after a successful ST validation phase the TGT created for that service's authentication request is removed from the server. If a WebSSO session has already been established, a non-initiating service can still participate in it.

Note: Single Logout (SLO) must be turned off when this feature is enabled.

Configuration

  • Configure the JSON services registry.

  • Set the initiateSSO extra attribute to true for services that will initiate WebSSO. All other services will NOT initiate WebSSO:

{
   "id":1,
   "serviceId":"https://www.google.com",
   "name":"GOOGLE",
   "extraAttributes": {
       "initiateSSO":true
   }
}
  • Define the registeredServicesPolicies bean:
<bean id="registeredServicesPolicies" class="net.unicon.cas.addons.serviceregistry.services.internal.DefaultRegisteredServicesPolicies"/>
  • Re-define the ticketGrantingTicketCookieGenerator bean in WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml:
<bean id="ticketGrantingTicketCookieGenerator" class="net.unicon.cas.addons.web.support.ServiceInitiatingWebSsoAwareCookieGenerator"
      p:cookieSecure="true"
      p:cookieMaxAge="-1"
      p:cookieName="CASTGC"
      p:cookiePath="/cas"
      p:servicesManager-ref="servicesManager"
      p:argumentExtractors-ref="argumentExtractors"
      p:registeredServicesPolicies-ref="registeredServicesPolicies"/>
  • Re-define the serviceValidateController bean in WEB-INF/cas-servlet.xml:
<bean id="serviceValidateController" class="net.unicon.cas.addons.web.support.SsoDestroyingServiceValidateController"
         p:validationSpecificationClass="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification"
         p:proxyHandler-ref="proxy20Handler"
         p:ticketRegistry-ref="ticketRegistry"
         p:cas-ref="centralAuthenticationService"
         p:servicesManager-ref="servicesManager"
         p:argExtractor-ref="casArgumentExtractor"
         p:registeredServicesPolicies-ref="registeredServicesPolicies"/>
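The following is an added Python model of the behaviour the steps above configure; it is not cas-addons code. It assumes a constructed JSON-style registry with two service ids and models the cookie generator and the SSO-destroying validate controller as two methods; removal of a non-initiating service's TGT is keyed on whether that TGT was ever sent to the browser, which is this model's reading of the page, not a statement about the project's internals.

```python
# Added model of the cas-addons "initiateSSO" behaviour (not the project's code).
# The registry, service ids and ticket ids below are constructed for illustration.
import secrets

# Constructed services registry: one WebSSO-initiating service, one that is not.
REGISTRY = {
    "https://www.google.com": {"initiateSSO": True},
    "https://reports.example.org": {},  # no initiateSSO attribute -> never initiates
}

def initiates_sso(service_id):
    """Only an explicit initiateSSO:true extra attribute lets a service initiate."""
    return REGISTRY.get(service_id, {}).get("initiateSSO") is True

class CasServer:
    def __init__(self):
        self.tgts = {}  # tgt id -> {"cookie_issued": bool}
        self.sts = {}   # st id  -> {"service": service id, "tgt": tgt id}

    def authenticate(self, service_id, castgc_cookie=None):
        """Login leg (cookie generator role). Returns (ST, new CASTGC value or None)."""
        new_cookie = None
        if castgc_cookie in self.tgts:
            tgt = castgc_cookie  # existing WebSSO session: any service may participate
        else:
            tgt = "TGT-" + secrets.token_hex(4)
            self.tgts[tgt] = {"cookie_issued": initiates_sso(service_id)}
            if initiates_sso(service_id):
                new_cookie = tgt  # only initiating services get the CASTGC cookie
        st = "ST-" + secrets.token_hex(4)
        self.sts[st] = {"service": service_id, "tgt": tgt}
        return st, new_cookie

    def validate(self, st, service_id):
        """ST validation leg (SsoDestroyingServiceValidateController role)."""
        rec = self.sts.pop(st, None)  # a service ticket is single-use
        if rec is None or rec["service"] != service_id:
            return False
        # Model assumption: a TGT that never reached the browser backs no session,
        # so it is dropped here; a TGT with an issued cookie stays alive.
        if not self.tgts[rec["tgt"]]["cookie_issued"]:
            del self.tgts[rec["tgt"]]
        return True

    def has_session(self, castgc_cookie):
        """True while a TGT for this cookie value still exists on the server."""
        return castgc_cookie in self.tgts
```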