[1]. Overview
CAS is the central authentication portal for multiple systems. The user information shared across those systems should be maintained in one place, and because it may belong to different systems, organizations and countries it naturally forms a tree. Maintaining tree-structured information in a relational database is a weak fit, which is the motivation for the CAS and LDAP integration described in this article.
This document describes how to integrate CAS with LDAP to implement single sign-on.
[2]. Detailed steps
1. LDAP installation and configuration
For details, see:
Introduction to OpenLDAP installation and configuration on Windows
Install and configure it, then add some test data as follows:
2. Basic CAS installation and configuration:
See the demonstration of a CAS single sign-on (SSO) instance
3. Integrate LDAP with CAS
For Maven-built projects, add the LDAP-related dependency:
<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>
<!-- Add the dependency
<dependency>
    <groupId>commons-pool</groupId>
    <artifactId>commons-pool</artifactId>
    <version>${apache.commons.pool.version}</version>
</dependency>
-->
Les) and spring-ldap-core-1.3.1.RELEASE.jar
There are two LDAP authentication handler configurations:
[1]. FastBindLdapAuthenticationHandler
This handler is used when the user's DN can be composed directly from the user name, for example uid=%u,ou=Dev,dc=micmiu,dc=com, where %u is the user name entered at CAS logon.
Modify the web configuration file WEB-INF\deployerConfigContext.xml:
First, add the contextSource bean under the <beans> node:
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="false"/>
    <property name="url" value="ldap://127.0.0.1:389"/>
    <property name="userDn" value="cn=Manager"/>
    <property name="password" value="secret"/>
    <property name="baseEnvironmentProperties">
        <map>
            <entry key="com.sun.jndi.ldap.connect.timeout" value="3000"/>
            <entry key="com.sun.jndi.ldap.read.timeout" value="3000"/>
            <entry key="java.naming.security.authentication" value="simple"/>
        </map>
    </property>
</bean>
Notes on the contextSource configuration:
- If you have multiple LDAP servers, you can configure multiple URLs.
- When FastBindLdapAuthenticationHandler is configured, the userDn here can be configured as "cn=Manager,ou=Dev,dc=micmiu,dc=com", "cn=Manager,ou=Dev", "cn=Manager" or "Manager".
- If the LDAP server uses SSL, note that the URL must use the ldaps prefix, for example "ldaps://192.168.8.150:636".
Under <bean id="authenticationManager">, find the SimpleTestUsernamePasswordAuthenticationHandler configuration and replace it as follows:
<bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
    <property name="filter" value="uid=%u,ou=Developer,dc=micmiu,dc=com"/>
    <property name="contextSource" ref="contextSource"/>
</bean>
After the configuration, start the three applications tomcat-cas, tomcat-app1 and tomcat-app2 and test authentication:
- Entering Michael/111111 logs on successfully.
- Entering miumiu/111111 fails to log on.
[2]. BindLdapAuthenticationHandler
This handler is used when the user name is matched against an attribute other than the uid in the DN, such as mail, rather than being composed directly into the DN as in the first handler (the uid attribute also works here; the configuration below uses mail as an example).
Modify the web configuration file WEB-INF\deployerConfigContext.xml:
Add the contextSource bean under the <beans> node:
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="anonymousReadOnly" value="false"/>
    <property name="password" value="secret"/>
    <property name="pooled" value="true"/>
    <property name="urls">
        <list>
            <value>ldap://127.0.0.1:389</value>
        </list>
    </property>
    <property name="userDn" value="cn=Manager,dc=micmiu,dc=com"/>
    <property name="baseEnvironmentProperties">
        <map>
            <!-- LDAP SSL access configuration
            <entry key="java.naming.security.protocol" value="ssl"/>
            -->
            <entry key="java.naming.security.authentication" value="simple"/>
        </map>
    </property>
</bean>
Modify the authentication handler bean inside <bean id="authenticationManager"> as follows:
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <property name="filter" value="mail=%u"/>
    <property name="searchBase" value="dc=micmiu,dc=com"/>
    <property name="contextSource" ref="contextSource"/>
    <!-- allow multiple accounts -->
    <property name="allowMultipleAccounts" value="true"/>
</bean>
After the configuration, start the three applications tomcat-cas, tomcat-app1 and tomcat-app2 and test authentication:
- Entering Michael/111111 logs on successfully.
- Entering miumiu/111111 also logs on successfully.
If you change the searchBase parameter to "ou=Developer,dc=micmiu,dc=com", restart and test authentication again, the result is:
- Entering Michael/111111 logs on successfully.
- Entering miumiu/111111 fails to log on.
With this searchBase, the authentication outcome is the same as with the first handler: only entries under ou=Developer can log on.
For the connection pool configuration, see the official documentation: https://wiki.jasig.org/display/CASUM/LDAP
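To make the difference between the two handlers concrete, here is an added Python model (not CAS or Spring code) of FastBind's DN-template bind versus the Bind handler's search-then-bind, run over a constructed two-user directory that mirrors the page's test users; the DNs, the mail values and the password are assumptions, and the filter escaping shows what the substituted %u must look like on the wire.

```python
# Added example, not CAS or Spring code: an in-memory model of the two CAS LDAP
# handlers on this page. FastBindLdapAuthenticationHandler fills %u into a DN
# template and binds; BindLdapAuthenticationHandler searches under searchBase
# with a filter containing %u and binds as the entry it finds.

# Constructed directory (DN -> attributes): Michael sits under ou=Developer,
# miumiu directly under the base DN, which is why changing searchBase on the
# page flips the result for miumiu. Mail values and passwords are assumed.
DIRECTORY = {
    "uid=Michael,ou=Developer,dc=micmiu,dc=com":
        {"uid": "Michael", "mail": "Michael", "userPassword": "111111"},
    "uid=miumiu,dc=micmiu,dc=com":
        {"uid": "miumiu", "mail": "miumiu", "userPassword": "111111"},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter, so the
    login name is matched literally (a '*' must not become a wildcard)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(filter_tpl: str, username: str) -> str:
    """The search filter the Bind handler sends, with %u escaped."""
    return filter_tpl.replace("%u", escape_filter_value(username))

def ldap_bind(dn: str, password: str) -> bool:
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password

def fast_bind(dn_tpl: str, username: str, password: str) -> bool:
    """FastBind: no search at all; the DN is the template with %u filled in."""
    return ldap_bind(dn_tpl.replace("%u", username), password)

def search_bind(filter_tpl: str, search_base: str, username: str,
                password: str, allow_multiple: bool = True) -> bool:
    """Bind handler: collect entries under search_base whose attribute equals
    the login name (the server has already unescaped the filter), then bind as
    the match. With allowMultipleAccounts=false, several matches fail login."""
    attr = filter_tpl.split("=", 1)[0]
    matches = [dn for dn, attrs in DIRECTORY.items()
               if (dn == search_base or dn.endswith("," + search_base))
               and attrs.get(attr) == username]
    if not matches or (len(matches) > 1 and not allow_multiple):
        return False
    return any(ldap_bind(dn, password) for dn in matches)
```

Running the three configurations from the page through this model reproduces its results: FastBind and the Bind handler scoped to ou=Developer accept Michael only, while the Bind handler scoped to dc=micmiu,dc=com accepts both users.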
Summary
CAS and LDAP are mainly used together in system integration scenarios. CAS provides a uniform authentication portal for multiple systems, so a user logs on once and gains access to all of them. LDAP stores the information those systems share, such as user information and user permissions. This information is common, simple (dominated by strings) and rarely modified, and because it belongs to different organizations and systems it forms a tree, that is, a directory. A directory of this shape allows efficient lookup when matching a user name and password.
Download source code
Single Sign-On (SSO) based on CAS: CAS + LDAP for Single Sign-On authentication