Unofficial functionality

This functionality requires modifying the midPoint build, or even the midPoint source code. It is therefore not officially supported unless support is explicitly negotiated as part of a subscription.
The real solution to this problem would be Flexible Authentication. A midPoint platform subscription could be used to fund improvements to midPoint's authentication mechanisms.



Thanks to Jason Everling for contributing this HOWTO


Prerequisite: Tomcat is already installed and configured, with midPoint deployed and working on it.

Apache Configuration


Code Block
sudo apt-get install libapache2-mod-jk libapache2-mod-auth-cas


Configure mod-jk

Create a file in /etc/apache2

Code Block
sudo vi /etc/apache2/
Add the following


No Format

Configure apache2 sites


Code Block
sudo vi /etc/apache2/sites-available/default-ssl.conf


Add the following below the default DocumentRoot /var/www/html line


No Format
<Location ~ "/midpoint*">
  AuthType CAS
  AuthName "CAS"
  require valid-user
  CasAuthNHeader Cas-User
</Location>

JkMount /midpoint* worker1

Configure auth-cas


Code Block
sudo vi /etc/apache2/mods-available/auth_cas.conf


Add the following


No Format
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://SERVERURL/cas/login
CASValidateURL https://SERVERURL/cas/serviceValidate
CASDebug Off
CASValidateServer On
CASVersion 2
CASSSOEnabled On
 is needed, auth-cas will use the server hostname in the service URL 
redirect so we will override that, do not add a trailing / or add 


Restart Apache2


Code Block
sudo service apache2 restart


Tomcat Configuration

Configure Tomcat to use the AJP connector


Code Block
sudo vi /var/lib/tomcat7/conf/server.xml


Uncomment the following so that it reads


No Format
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Midpoint Configuration

Edit ctx-web-security.xml


Code Block
sudo vi /var/lib/tomcat7/webapps/midpoint/ctx-web-security.xml


Uncomment the following so that it reads


No Format
<!-- For SSO integration use the following: -->
<custom-filter position="PRE_AUTH_FILTER" ref="requestHeaderAuthenticationFilter" />


Edit the value of "principalRequestHeader" in the bean "requestHeaderAuthenticationFilter" so that it reads


No Format
    <!-- Following bean is used with pre-authentication based on HTTP headers (e.g. for SSO integration) -->
    <beans:property name="principalRequestHeader" value="Cas-User"/>
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:bean id="logoutHandler" class="">
        <beans:property name="defaultTargetUrl" value="https://SERVERURL/cas/logout"/>


Finally, restart tomcat7


Code Block
sudo service tomcat7 restart


Users can now log in to midPoint using CAS.
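The whole chain above rests on one trust decision: midPoint's requestHeaderAuthenticationFilter accepts whoever is named in the Cas-User header without verifying it, and relies on Apache having authenticated that user against CAS first. Three things therefore have to hold at the same time: the header name set by mod_auth_cas must be the one midPoint reads, the Location block must actually require a valid user, and the AJP connector must not be reachable by anything other than the Apache in front of it. The following POSIX shell script is an added example, not part of Jason Everling's HOWTO or of the midPoint project; the *_SAMPLE strings are constructed fragments in the shape of the files edited above, and check_files is an assumed way of running the same checks against the real files on the server.

```shell
#!/bin/sh
# Added consistency check for the Apache/mod_auth_cas -> mod_jk/AJP -> midPoint
# chain. Not part of the original HOWTO; the *_SAMPLE values are constructed.

APACHE_CONF_SAMPLE='<Location ~ "/midpoint*">
  AuthType CAS
  AuthName "CAS"
  require valid-user
  CasAuthNHeader Cas-User
</Location>
JkMount /midpoint* worker1'

MIDPOINT_SEC_SAMPLE='<beans:property name="principalRequestHeader" value="Cas-User"/>'

# Constructed server.xml connector lines: the first is what the HOWTO shows,
# the second additionally binds AJP to loopback so only the local Apache
# (and not any host that can reach port 8009) can present a Cas-User header.
TOMCAT_CONNECTOR_OPEN='<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />'
TOMCAT_CONNECTOR_LOCAL='<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" />'

# Header name mod_auth_cas will populate (httpd directive names are case-insensitive).
cas_header_from_apache() {
  printf '%s\n' "$1" | grep -i '^[[:space:]]*CASAuthNHeader[[:space:]]' \
    | awk '{print $2}' | head -n 1
}

# Header name midPoint's pre-authentication filter reads.
principal_header_from_midpoint() {
  printf '%s\n' "$1" | grep 'name="principalRequestHeader"' \
    | sed -n 's/.*value="\([^"]*\)".*/\1/p' | head -n 1
}

# Exit 0 when both sides name the same header (HTTP header names are case-insensitive).
headers_match() {
  a=$(cas_header_from_apache "$1" | tr '[:upper:]' '[:lower:]')
  b=$(principal_header_from_midpoint "$2" | tr '[:upper:]' '[:lower:]')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Exit 0 when the Location block enforces authentication; without
# "require valid-user" Apache would proxy unauthenticated requests through.
location_requires_auth() {
  printf '%s\n' "$1" | grep -Eqi '^[[:space:]]*require[[:space:]]+valid-user'
}

# Exit 0 when the AJP connector line carries a loopback address= attribute.
# Assumes the connector is written on a single line, as in the HOWTO.
ajp_bound_to_loopback() {
  printf '%s\n' "$1" | grep 'protocol="AJP/1.3"' \
    | grep -Eq 'address="(127\.0\.0\.1|::1|localhost)"'
}

# Assumed usage on the server from the HOWTO (paths are the page's own):
#   check_files /etc/apache2/sites-available/default-ssl.conf \
#       /var/lib/tomcat7/webapps/midpoint/ctx-web-security.xml \
#       /var/lib/tomcat7/conf/server.xml
check_files() {
  apache=$(cat "$1"); midpoint=$(cat "$2"); tomcat=$(cat "$3")
  rc=0
  headers_match "$apache" "$midpoint" \
    || { echo "header name differs between CasAuthNHeader and principalRequestHeader"; rc=1; }
  location_requires_auth "$apache" \
    || { echo "Location block for /midpoint does not require valid-user"; rc=1; }
  ajp_bound_to_loopback "$tomcat" \
    || { echo "AJP connector on port 8009 is not bound to a loopback address"; rc=1; }
  return $rc
}
```

The address check is deliberately stricter than the HOWTO's server.xml line, which has no address= attribute at all: with the header filter enabled, any client that can open a connection to the AJP port (or to Tomcat's own HTTP connector, which this script does not inspect) is in a position to set Cas-User itself, so binding the connector to loopback, or firewalling it, is part of making the pre-authentication trustworthy.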
