Using midPoint with CAS

Do you use CAS and need just-in-time provisioning? Use midPoint! It may be simpler than you imagine.

A few days ago I was asked whether it is possible to provision identities from CAS after a user logs in. Of course, you can implement provisioning for each service provider using CAS by itself. But what if you need to provision to more than one system at the same time, and not only to the system the user is trying to log in to? I decided to do this using midPoint. I implemented a simple configurable plugin which can be used with CAS. This plugin separates responsibilities and lets each component do what it does best: CAS is used for authentication and midPoint for provisioning.

Prerequisites

  • Installed midPoint.
  • Configured some resource simulating CAS. I decided to use the simplest CSV resource for this purpose (don’t forget to create the whereYourAccountsWillBeStored.csv file with a header containing all attributes you expect from CAS).
  • midPoint configuration: roles, object templates and everything you need to properly provision your identities.

Step 1. Maven dependency

Add the cas-integration Maven dependency, together with the Evolveum repository it is published in, to your CAS project (pom.xml file).

<dependency>
   <groupId>com.evolveum.midpoint</groupId>
   <artifactId>cas-integration</artifactId>
   <version>0.0.9</version>
</dependency>

<repository>
   <id>evolveum-nexus</id>
   <name>Internal Releases</name>
   <url>http://nexus.evolveum.com/nexus/content/repositories/thirdparty/</url>
</repository>

Step 2. Modify CAS spring application-context.xml

Configure CAS to use the midPoint integration plugin. You need to configure the properties for midPoint authentication etc. In application-context.xml add these lines:

<bean id="configuration" class="com.evolveum.midpoint.integration.cas.MidPointConfiguration">
    <property name="username" value="administrator"/>
    <property name="password" value="password"/>
    <property name="identifier" value="identifierAttributeName"/>
    <property name="resourceOid" value="ef2bc95b-76e0-48e2-86d6-3d4f02d3fafe"/>
    <property name="endpoint" value="http://localhost:8080/midpoint/ws/model-3"/>
</bean>

where:

  • username and password are the credentials used to authenticate to midPoint,
  • identifier is the name of the attribute which is unique and should be used to identify the user’s account,
  • resourceOid is the OID of the resource that simulates CAS,
  • endpoint is the URL of the midPoint web service that will receive the requests.
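A hardened variant of the configuration bean above, added here as an example (it is not part of the original plugin or of the CAS distribution): the midPoint credentials are read from an external properties file through Spring’s property placeholder instead of being written into application-context.xml, and the endpoint is served over HTTPS. The file /etc/cas/midpoint.properties and the midpoint.* key names are assumptions.

```xml
<!-- Added example, not from the original post.
     Assumes /etc/cas/midpoint.properties (file name is an assumption) exists,
     is readable only by the account running CAS, and contains e.g.:
       midpoint.username=cas-provisioning
       midpoint.password=(real password; keep it out of version control)
       midpoint.endpoint=https://idm.example.org/midpoint/ws/model-3
     The Spring context namespace must be declared on the <beans> root element:
       xmlns:context="http://www.springframework.org/schema/context"
     with the matching schemaLocation entry, just like the util namespace. -->
<context:property-placeholder location="file:/etc/cas/midpoint.properties"/>

<bean id="configuration" class="com.evolveum.midpoint.integration.cas.MidPointConfiguration">
    <!-- Resolved at startup from the properties file; the XML no longer carries the secret.
         Prefer a dedicated midPoint user with only the authorizations the plugin needs
         rather than the built-in administrator account. -->
    <property name="username" value="${midpoint.username}"/>
    <property name="password" value="${midpoint.password}"/>
    <property name="identifier" value="identifierAttributeName"/>
    <property name="resourceOid" value="ef2bc95b-76e0-48e2-86d6-3d4f02d3fafe"/>
    <!-- HTTPS endpoint, so the credentials and the provisioned attributes
         are not sent to midPoint in clear text. -->
    <property name="endpoint" value="${midpoint.endpoint}"/>
</bean>
```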

In my scenario, I also had some attributes which I didn’t want to provision from CAS to midPoint (yes, you can use the CAS configuration to set which attributes are released, but that is a slightly different use case ;) ). You can list these attributes using the following lines (also in application-context.xml):

<util:list id="excludeAttributes">
   <value>nameId</value>
   <value>assertion</value>
   <value>attributes</value>
</util:list>

Step 3. Modify cas-servlet.xml in CAS

<bean id="provisioningAction" class="com.evolveum.midpoint.integration.cas.ProvisioningAction">
   <constructor-arg index="0" ref="ticketRegistry"/>
   <constructor-arg index="1" ref="configuration"/>
   <constructor-arg index="2" ref="excludeAttributes"/>
</bean>

Step 4. Customize your login-webflow.xml in CAS

It’s entirely up to you when you want to perform provisioning. But be aware that the current version of the midPoint integration plugin relies on the existence of the Ticket Granting Ticket. I use the following configuration:

<action-state id="clientAction">
   <evaluate expression="clientAction" />
   <transition on="success" to="provisioningAction" />
   <transition on="error" to="ticketGrantingTicketCheck" />
   <transition on="stop" to="stopWebflow" />
</action-state>

<action-state id="provisioningAction">
   <evaluate expression="provisioningAction" />
   <transition on="success" to="sendTicketGrantingTicket"/>
   <transition on="error" to="ticketGrantingTicketCheck"/>
   <transition on="notExist" to="handleAuthenticationFailure"/>
</action-state>

Step 5. Try it and let me know

Deploy your CAS server and midPoint and try it! If there are problems with the plugin, don’t hesitate to contact me. And if you have trouble with the midPoint installation or configuration, contact me or our team!

6 thoughts on “Using midPoint with CAS”

  • I have configured it, but it seems not to work. I want to know how I can judge whether the casServer has built the relation with midPoint successfully?

    • You should see the messages in the cas log file. You can also check midPoint’s log if the web service was correctly called.

  • Hi,

    I’m trying to integrate midPoint with CAS and the deployment always gets stuck on one sentence:
    “Retrieving document at ‘jar:file:/root/tomee/webapps/cas/WEB-INF/lib/model-client-3.3.jar!/xml/ns/private/report/’.”
    I can’t guess what is going on with it. As you can see, I had to change the model-client dependency because the version 3.2-SNAPSHOT is no longer in the repository (I couldn’t find it), and with version 3.2 the same is happening.
    Could you help me on this?

    Deployment environment: tomee-jaxr-1.7.2

    Many many thanks!

  • Now at least I don’t have errors, but I’m not sure if the integration is correctly done. The explanation is so ambiguous… I couldn’t make it work integrated. MidPoint is never called.

    • Hi Fulgencio,

      could you check your login-webflow configuration? If midPoint is never called, I suppose it can be related to a login-webflow misconfiguration. Below is the configuration I use:

      <action-state id="provisioningAction">
          <evaluate expression="provisioningAction" />
          <transition on="success" to="sendTicketGrantingTicket" />
          <transition on="error" to="ticketGrantingTicketCheck" />
          <transition on="notExist" to="handleAuthenticationFailure" />
      </action-state>

      <action-state id="realSubmit">
          <evaluate expression="authenticationViaFormAction.submit(flowRequestContext, flowScope.credential, messageContext)"/>
          <transition on="warn" to="warn"/>
          <transition on="success" to="provisioningAction"/>
          <transition on="successWithWarnings" to="showMessages"/>
          <transition on="authenticationFailure" to="handleAuthenticationFailure"/>
          <transition on="error" to="generateLoginTicket"/>
      </action-state>
