Hi Lewis,

As I mentioned/showed previously in my diagram, I tried successfully forwarding/delegating auth from a cas-4.0.x server to an older cas-3.x server. I will look if I still have the whole project/repo in one of my backups, but in a nutshell all I did was:

- add cas-server-support-pac4j to the cas-4.0.x server's pom.xml
- add the pac4j repos to your project
- add pac4j-cas
- add the configuration for delegating auth to another cas server (it was cas-3.x in my case) to the cas-4.0.x's applicationContext.xml (the same way as I do in this example for OAuth2.0: https://github.com/AtlasOfLivingAustralia/ala-cas-2.0/blob/master/src/main/webapp/WEB-INF/spring-configuration/applicationContext.xml#L44-L71 )
- and finally add a pac4j authenticationHandler to deployerConfigContext.xml (https://github.com/AtlasOfLivingAustralia/ala-cas-2.0/blob/master/src/main/webapp/WEB-INF/deployerConfigContext.xml#L65 and https://github.com/AtlasOfLivingAustralia/ala-cas-2.0/blob/master/src/main/webapp/WEB-INF/deployerConfigContext.xml#L139)

The whole source of my OAuth2.0 is free/open source, you can use that as an example, adjusting it to your needs (replacing the OAuth2.0 parts with cas). I will meanwhile try to look in my backups for the cas-delegating-auth-to-another-cas example.

cheers,
martin

On Wednesday, October 26, 2016 at 10:46:06 PM UTC+11, Lewis Henderson wrote:
>
> <https://lh3.googleusercontent.com/-QcH_7bOluxY/WBCUhJyxFtI/AAAAAAAACf8/HO8ogx7fGbQ8zVmN8G2iUln8gbyhypKNgCLcB/s1600/OAuth2.png>
> Here is my attempt at a diagram!
>
> I am in control of everything inside the red box.
>
> What I have :-
>
> 1. User hits MyApp url and is redirected to CAS 5.0.0, which shows my login screen.
> 2. User logs in OK.
> 3. User redirected back to MyApp OK.
>
> What I need to do :-
>
> 1. User hits MyApp url and is redirected to CAS 4.x to show 3rd Party login screen.
> 2. User logs in.
> 3. User redirected back to MyApp.
>
> The reason for this setup is that I need to use the 3rd party CAS server if there is one, else use my own.
> Everything inside the red box is secured by OAuth2.
>
> I have added the cas-server-support-pac4j-webflow dependency and configured the cas.authn.pac4j.cas.loginUrl to point to the CAS 4.x server's /login url and set the protocol to CAS30.
>
> I do not get redirected to the CAS 4.x server for login. Am I misunderstanding something or should this work?
>
> Cheers
>
> On Monday, 24 October 2016 14:03:10 UTC+1, Lewis Henderson wrote:
>>
>> Martin,
>>
>> Yes, I think your diagram shows it well.
>>
>> What I would eventually like is to have the OAuth network protected by a CAS server.
>>
>> The CAS server can be configured to provide Authentication itself as is the default or, as in this case, delegate authentication to another CAS server, using its UI etc.
>>
>> What configuration is required to do the delegation in this case?
>>
>> I have added the cas-server-support-pac4j-webflow dependency and set the cas.server.authn.pac4j.cas.loginUrl and protocol. What else, if anything, is required?
>>
>> I currently get the redirect but on successful authentication, the redirect back to my CAS server fails.
>>
>> I am not in the office at the moment, but will post the issue when I return....
>>
>> Cheers!
>>
>> On Monday, 24 October 2016 13:30:11 UTC+1, Martin Bohun wrote:
>>>
>>> Hi Lewis,
>>>
>>> This is just a confirmation question, are you trying to delegate/forward auth requests from one cas server to another cas server?
>>> As shown in the following diagram (right-bottom corner):
>>>
>>> <https://raw.githubusercontent.com/mbohun/mbohun_graph-experiments/master/jasig-cas-upgrade/ala-cas-upgrade-01.png>
>>>
>>> https://github.com/mbohun/mbohun_graph-experiments/blob/master/jasig-cas-upgrade/ala-cas-upgrade-01.png
>>>
>>> Well, if yes, then the answer is (too) *yes*, I did test that setup and it works fine.
>>>
>>> cheers,
>>>
>>> martin
>>>
>>> On Sunday, October 23, 2016 at 5:55:52 AM UTC+11, Lewis Henderson wrote:
>>>>
>>>> All,
>>>>
>>>> I have a requirement to 'chain' two CAS servers.
>>>>
>>>> My issue is that I am integrating with a third party that uses a CAS server that I have no control over.
>>>>
>>>> I would like to use CAS as the security server into an OAuth2 micro-service network (CAS as OAuth2 Server) but redirect login to the 3rd Party CAS server.
>>>>
>>>> I have looked through the code and it seems as though if I manage to get it configured, it will show my login screen but with a link to the configured delegate server.
>>>>
>>>> Two questions :-
>>>>
>>>> 1. How do I configure this on my CAS server?
>>>> 2. If there is only one provider, would it be possible to redirect there directly, showing their login screen without the need to show mine? The reason for this is that theirs is branded with their logos etc...
>>>>
>>>> Cheers

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4f220a9c-45d5-4711-8c73-c63fb042eafb%40apereo.org.
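Martin's cas-4.0.x steps above, written out as an added example (not code from this thread or from the ala-cas-2.0 project): the two Spring fragments wire a pac4j CasClient pointing at the upstream CAS and register the pac4j authentication handler in the delegating server. Bean names, hostnames and the `c:` constructor namespace are assumptions; the class names are those of the CAS 4.0.x pac4j support module and the pac4j 1.x CAS client and should be checked against the versions actually on the classpath.

```xml
<!-- Fragment 1: spring-configuration/applicationContext.xml of the delegating
     (cas-4.0.x) server. Requires xmlns:c="http://www.springframework.org/schema/c"
     on the root <beans> element for the c: attributes used in fragment 2. -->

<!-- pac4j client for the upstream CAS the user is sent to (cas-3.x in Martin's case) -->
<bean id="upstreamCasClient" class="org.pac4j.cas.client.CasClient">
    <!-- placeholder hostname: the upstream server's /login endpoint, HTTPS only,
         because the user's session and the returned service ticket ride on it -->
    <property name="casLoginUrl" value="https://upstream-cas.example.org/cas/login" />
</bean>

<bean id="clients" class="org.pac4j.core.client.Clients">
    <!-- placeholder hostname: the delegating server's own /login endpoint, to which
         the upstream server redirects back with its service ticket. The upstream CAS
         must allow this URL as a registered service (standard CAS service-management
         behaviour) or the ticket validation on the way back fails. -->
    <property name="callbackUrl" value="https://my-cas.example.org/cas/login" />
    <property name="clients">
        <list>
            <!-- only the one upstream client: whatever principal it asserts is
                 accepted by this server, so do not list clients you do not trust -->
            <ref bean="upstreamCasClient" />
        </list>
    </property>
</bean>

<!-- Fragment 2: deployerConfigContext.xml of the delegating server -->

<!-- handler that validates the service ticket returned by the upstream CAS -->
<bean id="clientAuthenticationHandler"
      class="org.jasig.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler"
      c:clients-ref="clients" />

<!-- register the handler with the authentication manager next to the existing ones;
     primaryPrincipalResolver is the resolver name used in the stock 4.0.x template -->
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
    <constructor-arg>
        <map>
            <entry key-ref="clientAuthenticationHandler" value-ref="primaryPrincipalResolver" />
            <!-- keep the server's own handlers here if local login stays enabled -->
        </map>
    </constructor-arg>
</bean>
```

The login webflow also needs the pac4j client action wired in so the delegation link (or redirect) is rendered, which these two fragments do not cover.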
