1. CAS Implementation at Oakland University
Lee Foltz, Senior Identity Systems Engineer, Oakland University
Brandon Powell, Java Developer Analyst, Oakland University
Rachel Glomski, Student Java Developer, Oakland University
3. Topics
● Environment configuration
● The service manager
● Our build process
● How we use maven filters
● The awesomeness of maven overlays
● How to stay up to date with new versions of CAS
● Integration with Google Apps for Education
● Integration with Banner
● CAS web services
● Adding a custom theme to show institution's colors
4. Terms to Know
CAS - Central Authentication Service
Used for single sign on environments, protects user credentials
SSO - Single Sign On
Authenticate once for access to many applications
SAML - Security Assertion Markup Language
Used in exchanging authentication data between a user and a service
REST - Representational State Transfer
Architectural style applied to web applications
Maven - Apache Maven is a software project management and
comprehension tool. Based on the concept of a project object model (POM),
Maven can manage a project's build, reporting and documentation
5. Overview Of What CAS Can Do
● A single sign on authentication service
● Can be opened up to the outside world
● Hides the directory server (LDAP, AD) from outside attackers
● Protects the user's credentials; no passwords are sent to the service
6. Environment Configuration
● CAS 3.5.2.1
● RHEL5 64bit
● Java 7
● Maven 3
● Tomcat 7
Physical Servers:
2 Quad Core Xeons, 8 cores hyper threaded
12GB of RAM
Load Balanced via BIG-IP F5
Primary/slave configuration
15 second probe before failover
8. CAS Service Manager
● The service manager allows CAS to be closed off
● Only services we allow are granted access to our
CAS server
● The file can be edited on the fly
● No need to restart CAS
● Made up of a simple JSON (JavaScript Object Notation) file, so it is easy to read
12. Build Process - Maven Filters
● Allows injection of data into the web application
● Keeps sensitive data outside the source code
repository
● Only have to update information in one place
● Modify the filter data and restart Tomcat
● No need to recompile
13. Using Maven Filters
Couple of different ways to do it
● Set properties in the .m2 folder in settings.xml
● Use a filters file
● Many more
Oakland University uses the first way
15. Build Process - Maven Overlays
● Leave the base webapp alone; edit files in your overlay directory
● In the pom.xml of your overlay directory, add the base
webapp as a dependency:
<dependency>
    <groupId>edu.oakland.example</groupId>
    <artifactId>base-app</artifactId>
    <version>1.0-SNAPSHOT</version>
    <type>war</type>
</dependency>
16. Example - Maven Overlays
The base application is what our overlay is built off of; we don't change the files in the base. The base-app has already been compiled.
The overlay is where we make changes to the files. Only these files are compiled when this webapp is built. Files in the overlay will overwrite any base-app counterparts during compilation.
17. Build Process - Staying Up To Date
Edit the pom.xml and bump the version number up for
cas-server-core:
19. The CAS Side Of Google
● We use custom code developed by Unicon to connect
to Google.
● The user's NetID is passed to Google
● Need to have the Google private key added to the
exploded war file
For more information go here:
https://wiki.jasig.org/display/CASUM/SAML+2.0+(Google+Accounts+Integration)
*Note that CAS 4.0 works differently for Google
20. Integrating Banner
We use Banner Self Service version 8
There is great documentation on the Apereo Wiki
https://wiki.jasig.org/display/UPC/CASifying+Banner+Self+Serve
If you use Banner XE:
CAS is supported out of the box
21. CAS Web Services
From the Apereo wiki:
Applications need to programmatically access CAS. Generally, proxying
works for this. However, there are cases where an application needs to
access a resource as itself, in which case proxying doesn't make any
sense.
REST is where it’s at!
Bare minimum version to support the REST API in CAS
is 3.5.2
22. Uses For CAS Web Services
● Apps, apps, apps!
● Android and iOS applications can use CAS for
authentication
● More secure and better than web scraping
● Enables a SSO environment for mobile devices
23. Configuration
● Need to edit the web.xml
● Requires new dependencies
● Depending on the version of CAS used, some
dependencies need to be excluded.
https://wiki.jasig.org/display/casum/restful+api
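An added example, not from the original slides or Oakland University's code: a minimal client for the CAS REST ticket flow (POST `/v1/tickets` for a ticket-granting ticket, POST to the TGT for a service ticket, DELETE to log out), showing that the password goes only to CAS. The host `cas.example.edu` and all function names are assumptions made for illustration.

```python
import urllib.parse
import urllib.request

CAS_BASE = "https://cas.example.edu/cas"  # assumed placeholder URL


def tgt_url_from_location(cas_base, status, location):
    """Turn the 201 response to POST /v1/tickets into the TGT resource URL.

    Rejects a Location that is not a TGT under the configured CAS server, and
    rebuilds the URL on the configured https base instead of trusting the
    scheme and host in the header.
    """
    if status != 201 or not location:
        raise ValueError("CAS did not create a ticket-granting ticket")
    base = urllib.parse.urlsplit(cas_base)
    loc = urllib.parse.urlsplit(location)
    prefix = base.path.rstrip("/") + "/v1/tickets/"
    ticket = loc.path[len(prefix):] if loc.path.startswith(prefix) else ""
    if loc.hostname != base.hostname or not ticket.startswith("TGT-") or "/" in ticket:
        raise ValueError("unexpected TGT location: %r" % location)
    return cas_base.rstrip("/") + "/v1/tickets/" + ticket


def _post(url, fields):
    """Form-encoded POST; urllib raises HTTPError on a 4xx (bad credentials)."""
    body = urllib.parse.urlencode(fields).encode()
    return urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=10)


def get_service_ticket(cas_base, username, password, service):
    """Return (tgt_url, service_ticket). The password is sent only to CAS."""
    if not cas_base.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-https URL")
    resp = _post(cas_base.rstrip("/") + "/v1/tickets",
                 {"username": username, "password": password})
    tgt_url = tgt_url_from_location(cas_base, resp.status, resp.headers.get("Location"))
    # Step 2: exchange the TGT for a one-time service ticket for one service.
    st = _post(tgt_url, {"service": service}).read().decode().strip()
    if not st.startswith("ST-"):
        raise ValueError("CAS did not return a service ticket")
    return tgt_url, st


def logout(tgt_url):
    """Step 3: DELETE the TGT so it cannot be reused if the device is lost."""
    req = urllib.request.Request(tgt_url, method="DELETE")
    return urllib.request.urlopen(req, timeout=10).status
```

The service receives only the `ST-` value and validates it against CAS itself; the client should keep the TGT URL in memory and call `logout` when the session ends.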
25. Custom Themes
● Maven overlays to the rescue!
● In your CAS overlay go to this directory (or create it if it is not there):
● src/main/webapp/WEB-INF/view/jsp/default/ui
● Override any of these files:
● https://github.com/Jasig/cas/tree/master/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui
● Add custom CSS to fit the style of your institution
We only overrode three files:
casLoginView.jsp
includes/top.jsp
includes/bottom.jsp