At the University of Saskatchewan, we use CAS for authentication in many of our web-based applications. These applications use a central CAS, not the CAS bundled with Luminis. However, we want people to be able to get from the portal into any web-based CAS-protected application seamlessly.
We have this set up and running in production. Here are (hopefully all) the steps we followed to do so:
- Install the CAS package into Luminis following Sungard's instructions ("Yale CAS Installation and Configuration").
- Modify your central CAS so it trusts third-party servers. See http://www.usask.ca/docs/cas/trusting.html
Configure CAS Support in Luminis 4
On the Luminis 4 resource tier set the following in configman:
configman -s remotesessioneventlistener.0.url https://resourcetier.your.edu/cas/sessionEventNotify
configman -s cas.fqn resourcetier.your.edu
configman -s com.pipeline.cas.ExternalSessionCache.sessionEventNotification remote-provider
For parallel deployment only:
configman -s fos.server.cookie.domain resourcetier.your.edu -c site -h
configman -s fos.server.secure.cookie.domain resourcetier.your.edu -c site -h
Note that we are changing the cookie domain for the web server that is running on the resource tier in parallel deployment. This assumes, however, that you are not using this web server to actually serve up content to the users (which it shouldn't be).
On the resource tier, in /opt/pipeline/webapps/luminis/cas, verify that login-cp.jsp and logout-cp.jsp refer to the virtual portal domain name, not the resource tier host name.
Restart Luminis on the resource tier and web servers.
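The JSP check described above can be scripted so it is repeatable after upgrades. This is an added example, not part of the original page or of Luminis; the function name check_cas_jsps is hypothetical and portal.your.edu is an assumed placeholder for your virtual portal domain name.

```shell
#!/bin/sh
# Added example: confirm the Luminis CAS login/logout JSPs name the virtual
# portal host and never the resource tier host.
# Usage: sh check_cas_jsps.sh <cas_dir> <portal_host> <resource_tier_host>
#   e.g. /opt/pipeline/webapps/luminis/cas portal.your.edu resourcetier.your.edu
#   (portal.your.edu is an assumed placeholder)
# Returns 0 when both files pass, 1 otherwise; findings are written to stdout.
check_cas_jsps() {
    cas_dir=$1; portal=$2; resource=$3; rc=0
    for name in login-cp.jsp logout-cp.jsp; do
        jsp="$cas_dir/$name"
        if [ ! -r "$jsp" ]; then
            echo "MISSING  $jsp"
            rc=1
            continue
        fi
        # -F matches host names as fixed strings, so "." is not a wildcard.
        if grep -qF -- "$resource" "$jsp"; then
            echo "BAD      $name still references $resource:"
            grep -nF -- "$resource" "$jsp" | sed 's/^/    line /'
            rc=1
        fi
        if ! grep -qF -- "$portal" "$jsp"; then
            echo "BAD      $name never references $portal"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK       both JSPs reference $portal only"
    return "$rc"
}

# Run the check only when called with the three arguments shown above.
if [ "$#" -eq 3 ]; then
    check_cas_jsps "$@"
fi
```

A non-zero exit status means at least one JSP would send users to the resource tier host, outside the portal cookie domain configured above.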
You can now test CAS as follows:
When you do that you should see a message: "You have been logged in successfully"
Configure Trust between CAS and Luminis
On the Luminis web servers, set a domain cookie when people log in to Luminis and remove it when they log out. We call ours portal.login.date, and central CAS uses it to decide whether to check Luminis CAS for a valid ticket.
On the central CAS server, set up the cas.your.edu virtual host in Apache to trust Luminis 4, i.e.:
To test the trust, log in to the portal (but not central CAS), then go to an application that uses CAS.