Carl, That is pretty much how we have it set up. I have attached the config files. Are you using Cognos?
What we have is a apache server running mod_auth_cas and cognos.conf script alias. The Cognos gateway is on the web server as well. In Cognos.conf if we set ifenv to a specific user, it will log in as that user. Thank You, Chris Cheltenham SwainTechs / HHS Cell# 267-586-2369 -----Original Message----- From: Waldbieser, Carl [mailto:[email protected]] Sent: Wednesday, December 03, 2014 9:24 AM To: [email protected] Subject: Re: [cas-user] Cas for Cognos Chris, So what is your service setup like? I.e. what CAS client are you using? For example, if you are using an Apache front end with mod_auth_cas and you application in a Java servlet container you connect to via AJP, the REMOTE_USER environment variable will be set with the user name in your servlet process. The type of CAS client you use really determines how you access the username when the ticket is validated. Thanks, Carl ----- Original Message ----- From: "Chris Cheltenham" <[email protected]> To: [email protected] Sent: Wednesday, December 3, 2014 9:17:36 AM Subject: RE: [cas-user] Cas for Cognos Carl, Thanks, I guess I misspoke saying passing the password variable. What we need to configure is passing the cookie user information to the remote user variable of Cognos. That’s where we are stuck. Thank You, Chris Cheltenham SwainTechs / HHS Cell# 267-586-2369 -----Original Message----- From: Waldbieser, Carl [mailto:[email protected]] Sent: Tuesday, December 02, 2014 12:52 PM To: [email protected] Subject: Re: [cas-user] Cas for Cognos Chris, The typical scenario is for the user to authenticate with CAS. The credentials are only seen by CAS. CAS responds by issuing a TGC (cookie) that is usable by the CAS server domain (other domains do not see it). If CAS sees the user has a TGC, it issues a ST (service ticket) for the service and redirects the user's browser to the service provider with the ST as a querystring parameter. The CAS client at the service provider, reads the ST, then opens a back-channel HTTPS connection to CAS to validate the ST. There are historically a couple different validation protocols. The modern one is the CASv3 protocol. When CAS validates the ticket successfully, it will respond with the user name, and zero or more attributes (configurable at the CAS server). The attributes can typically be used by the service provider for access control (authorization). The other typical scenario is that the service provider handles access control internally, and bases it purely off the user name returned during ST validation. The user's password is *never* presented to the service provider. That is the whole point of CAS. Authentication is *centralized*. Thanks, Carl ----- Original Message ----- From: "Chris Cheltenham" <[email protected]> To: [email protected] Sent: Tuesday, December 2, 2014 11:49:45 AM Subject: RE: [cas-user] Cas for Cognos Carl, I don’t know what you mean. Once you log into CAS I need it to pass those attributes to Cognos. Otherwise you have to log in twice which defeats the purpose of SSO. What service provider are you talking about. Thank You, Chris Cheltenham SwainTechs / HHS Cell# 267-586-2369 -----Original Message----- From: Waldbieser, Carl [mailto:[email protected]] Sent: Tuesday, December 02, 2014 10:49 AM To: [email protected] Subject: Re: [cas-user] Cas for Cognos Isn't the whole point of CAS so that the service provider *does not get the user credentials*? Thanks, Carl Waldbieser ITS System Programmer Lafayette College ----- Original Message ----- From: "Chris Cheltenham" <[email protected]> To: [email protected] Sent: Tuesday, December 2, 2014 10:20:49 AM Subject: [cas-user] Cas for Cognos Hello All, We are having a hell of a time trying to configure apache to pass the username / password variabkes from the CAS login properties to Cognos. We use a script alias to proxy to CAS form apache web server. Has anyone ever been able to do this successfully? It just a matter of configuring cognos.conf in /etc/httpd/conf.d But we have tried a 1000 different things without success. Thank You, Chris Cheltenham SwainTechs / HHS Cell# 267-586-2369 -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
mod_auth_cas.conf
Description: mod_auth_cas.conf
cognos.conf
Description: cognos.conf
