Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Warning
titleUnofficial functionality

This functionality requires modification of midPoint build, or even modification of midPoint source code. Therefore it is not officially supported - unless the support is explicitly negotiated in subscription.
The real solution to this problem would be Flexible Authentication. MidPoint platform subscription could be used to fund improvements in midPoint authentication mechanisms.


Table of Contents

Info

Thanks to Jason Everling for contributing this HOWTO

...

Tomcat installed and configured working already with midPoint

Apache Configuration

 


Code Block
sudo apt-get install libapache2-mod-jk libapache2-mod-auth-cas

 


Configure mod-jk

Create a workers.properties file in /etc/apache2

Code Block
sudo vi /etc/apache2/workers.properties
Add the following


 

No Format
worker.list=worker1
worker.worker1.port=8009
worker.worker1.host=localhost
worker.worker1.type=ajp13

Configure apache2 sites


 

Code Block
sudo vi /etc/apache2/sites-available/default-ssl.conf

 


Add the following below the first default DocumentRoot /var/www/html


 

No Format
<Location ~ "/midpoint*">  AuthType CAS
  AuthName "CAS"
  require valid-user
  CasAuthNHeader Cas-User
 </Location>

JkMount /midpoint* worker1 

 Configure auth-cas


 

Code Block
sudo vi /etc/apache2/mods-available/auth_cas.conf

 


Add the following


 

No Format
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://SERVERURL/cas/login
CASValidateURL https://SERVERURL/cas/serviceValidate
CASDebug Off
CASValidateServer On
CASVersion 2
CASSSOEnabled On
#Below
 is needed, auth-cas will use the server hostname in the service URL 
redirect so we will override that, do not add a trailing / or add 
/midpoint!
CASRootProxiedAs https://MIDPOINTSERVERURL

 


Restart Apache2

 


Code Block
sudo service apache2 restart

 


Tomcat Configuration

Confgure tomcat to use the AJP connector


 

Code Block
sudo vi /var/lib/tomcat7/conf/server.xml

 


Uncomment the following so that it reads


 

No Format
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /

Midpoint Configuration

Edit ctx-web-security.xml


 

Code Block
sudo vi /var/lib/tomcat7/webapps/midpoint/ctx-web-security.xml

 


Uncomment the following so that reads


 

No Format
<!-- For SSO integration use the following: -->        
<custom-filter position="PRE_AUTH_FILTER" ref="requestHeaderAuthenticationFilter" />

 


Edit the following value "principalRequestHeader" in the bean "requestHeaderAuthenticationFilter" so that it reads


 

No Format
    <!-- Following bean is used with pre-authentication based on HTTP headers (e.g. for SSO integration) -->
    <beans:bean
 id="requestHeaderAuthenticationFilter" 
class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
     <beans:property name="principalRequestHeader" value="Cas-User"/>
     <beans:property name="authenticationManager" ref="authenticationManager" />
 </beans:bean>
 
 <beans:bean id="logoutHandler" class="com.evolveum.midpoint.web.security.AuditedLogoutHandler">        <beans:property name="defaultTargetUrl" value="https://SERVERURL/cas/logout"/>
    </beans:bean>

 


Finally restart tomcat7


 

Code Block
sudo service tomcat7 restart

 


User can now login to midPoint using CAS

See Also