Thanks Christopher and Paul for the quick responses.
I couldn't solve the error that I was getting with the RemoteUser login option
"Invalid content was found starting with element 'LoginHandler'. One of
'{"urn:mace:shibboleth:2.0:idp:profile-handler":LoginHandler}' is expected"
So, as Paul suggested, I installed Unicon's shib-cas-authn2 package (the CAS
plugin) and now our default gateway does come up but authentication fails with
error:
javax.security.auth.login.LoginException: No LoginModules configured for
ShibUserPassAuth
at javax.security.auth.login.LoginContext.init(LoginContext.java:287)
~[na:1.6.0_32]
at javax.security.auth.login.LoginContext.<init>(LoginContext.java:432)
~[na:1.6.0_32]
Thanks again for any help or tips.
Niva
From: Christopher Myers [mailto:[email protected]]
Sent: Wednesday, March 18, 2015 1:59 PM
To: [email protected]
Subject: Re: [cas-user] Casifying Shib (idP)
I am not an expert in this, so I might not be able to be of much help. But
conveniently, I did just complete this process last week and it seems to work
fine. Here are the notes I took along the way, using CAS 4.0.1 and shib 2.4.4:
Configuring Tomcat:
https://spaces.internet2.edu/display/SHIB2/IdPApacheTomcatPrepare
Download the IDP source zip file from:
http://shibboleth.internet2.edu/downloads/shibboleth/idp/latest/
Extract it to /opt/shibboleth-src/
Download the tomcat6-dta-ssl-1.0.0.jar file from
http://shibboleth.internet2.edu/downloads/maven2/edu/internet2/middleware/security/tomcat6/tomcat6-dta-ssl/1.0.0/tomcat6-dta-ssl-1.0.0.jar
into the /usr/share/tomcat6/lib folder
Edit /usr/share/tomcat6/conf/server.xml, add the following connector:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
scheme="https"
SSLEnabled="true"
clientAuth="true"
keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
keystorePass="changemeplease" />
Install the IDP: https://spaces.internet2.edu/display/SHIB2/IdPInstall
Run ./install.sh from where you extracted the IDP source from above.
--This will install to /opt/shibboleth-idp by default
--Enter the FQDN of the server
--Enter the password you want to use for the keystore (make sure it's the same
one as you used in the tomcat config file change above.)
--Restart tomcat after this is done, but before deploying the war file so that
the new connector will come online
--Move the idp.war file from /opt/shibboleth-idp/war/ into
/usr/share/tomcat6/webapps/
To verify that the IDP was installed correctly, browse to this page:
http://servername.domain.edu/idp/profile/Status - it should say "ok"
Connect Shibboleth to CAS:
http://www.ja-sig.org/wiki/display/CASUM/Shibboleth-CAS+Integration
Download the latest cas-client-x.x.x.zip from
http://www.ja-sig.org/downloads/cas-clients/
Copy cas-client-x.x.x/modules/cas-client-core-x.x.x.jar to
/opt/shibboleth-src/lib/
Edit /opt/shibboleth-idp/conf/handler.xml, add:
<!-- Remote User handler for CAS support -->
<LoginHandler xsi:type="RemoteUser">
<AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
<AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
</LoginHandler>
to the LoginHandler section.
Edit /opt/shibboleth-src/src/main/webapp/WEB-INF/web.xml, add the following to
the "context-param" section:
<!-- For CAS client support -->
<context-param>
<param-name>serverName</param-name>
<param-value>shib_server.domain.edu</param-value>
</context-param>
Add the following to the "filter" section:
<!-- CAS client filters -->
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://cas_server.domain.edu/cas/login</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://cas_server.domain.edu/cas/</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>
To re-deploy Shibboleth after making these changes:
run /opt/shibboleth-src/install.sh
Hit <return> when prompted for the IDP software install location (the default
answer is /opt/shibboleth-idp)
Hit <return> when asked if you want to overwrite the Shibboleth config (the
default answer is "no")
Move the idp.war file from /opt/shibboleth-idp/war/ to
/usr/share/tomcat6/webapps/
When you're testing with testshib.org, if you get random errors trying to
deploy the war after changing the relying-party.xml file while following the
instructions at https://www.testshib.org/testshib-two/configure.jsp - make sure
the file used in "something like testshib.xml" is owned by tomcat:tomcat
ALSO COMMENT: Make sure to copy relying-party.xml.prod back to
relying-party.xml when done testing!!
If you're pointing to a CAS with a self-signed cert, you can run this:
/usr/lib/jvm/java-1_6_0-ibm-1.6.0/jre/bin/keytool -import -alias myalias
-keystore /usr/java/latest/jre/lib/security/cacerts -file
/home/installers/my_root.cer
(where my_root.cer is a b64 version of the self-signed root CA cert)
if you get errors like:
SEVERE: Servlet.service() for servlet RemoteUserAuthHandler threw exception
Throwable occurred: java.lang.RuntimeException:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building
failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl
could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by
OU=Organizational CA, O=MY_ROOT is not trusted ...
If you get errors like:
Unable to establish security of incoming assertion.
Look at your /opt/shibboleth-idp/conf/relying-party.xml file and make sure your
AnonymousRelyingParty and DefaultRelyingParty providers match the actual
hostname, etc.
http://groups.google.com/group/shibboleth-users/browse_thread/thread/e3665fb0f9b23265?pli=1
--
You are currently subscribed to
[email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
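The two exceptions quoted at the top of this thread and the web.xml wiring in Christopher's notes are all things that can be linted before the war is redeployed. The script below is an added example, not code from the thread, from Unicon's shib-cas-authn2 or from the Shibboleth or CAS projects. It checks a handler.xml for LoginHandler elements that are not in the urn:mace:shibboleth:2.0:idp:profile-handler namespace (the schema validator's "Invalid content was found starting with element 'LoginHandler'. One of '{...profile-handler}LoginHandler' is expected" is what it reports when the LoginHandler it found is not the namespaced one it expected, which usually means a pasted block carries no or a different default namespace); checks a web.xml for the three org.jasig.cas.client filters being declared, all mapped to /Authn/RemoteUser, in authentication, validation, wrapper order, with a serverName context-param; and checks a JAAS login.config for an entry named ShibUserPassAuth (LoginContext throws "No LoginModules configured for X" when the JAAS configuration has no entry X). The XML and login.config samples inside the script are constructed; idp.example.edu, the LDAP hostname and the edu.vt.middleware LdapLoginModule class in the sample are assumptions.

```python
import re
import sys
import xml.etree.ElementTree as ET

PH_NS = "urn:mace:shibboleth:2.0:idp:profile-handler"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
REMOTE_USER = "/Authn/RemoteUser"
# The three org.jasig.cas.client filters from the thread, in the order their
# filter-mappings must appear: the container runs filters in mapping order, so
# the ticket is validated before the wrapper exposes getRemoteUser() to Shib.
CAS_FILTER_CLASSES = [
    "org.jasig.cas.client.authentication.AuthenticationFilter",
    "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter",
    "org.jasig.cas.client.util.HttpServletRequestWrapperFilter",
]


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _ns(tag):
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _child_text(elem, local_name):
    for c in elem:
        if _local(c.tag) == local_name:
            return (c.text or "").strip()
    return None


def lint_handler_xml(xml_text):
    """Problems with LoginHandler elements in handler.xml (empty list = fine)."""
    root = ET.fromstring(xml_text)
    handlers = [e for e in root.iter() if _local(e.tag) == "LoginHandler"]
    problems = [] if handlers else ["no LoginHandler element found"]
    for h in handlers:
        ns = _ns(h.tag)
        if ns != PH_NS:  # the mismatch behind the "One of '{...}LoginHandler' is expected" error
            problems.append(f"LoginHandler is in namespace {ns!r}, expected {PH_NS!r}")
        if XSI_TYPE not in h.attrib:
            problems.append("LoginHandler has no xsi:type (e.g. RemoteUser)")
    return problems


def lint_web_xml(xml_text):
    """Problems with the CAS client filter chain in web.xml (empty list = fine)."""
    root = ET.fromstring(xml_text)
    problems = []
    filters = {_child_text(f, "filter-name"): _child_text(f, "filter-class")
               for f in root.iter() if _local(f.tag) == "filter"}
    # Filter classes mapped to /Authn/RemoteUser, in document order.
    chain = [filters.get(_child_text(m, "filter-name"))
             for m in root.iter() if _local(m.tag) == "filter-mapping"
             and _child_text(m, "url-pattern") == REMOTE_USER]
    for cls in CAS_FILTER_CLASSES:
        if cls not in filters.values():
            problems.append(f"no <filter> declares {cls}")
        elif cls not in chain:
            problems.append(f"{cls} is not mapped to {REMOTE_USER}")
    cas_chain = [c for c in chain if c in CAS_FILTER_CLASSES]
    if cas_chain != [c for c in CAS_FILTER_CLASSES if c in cas_chain]:
        problems.append("CAS filter-mappings are out of order: " + " -> ".join(cas_chain))
    params = [_child_text(p, "param-name") for p in root.iter() if _local(p.tag) == "context-param"]
    if "serverName" not in params:
        problems.append("no serverName context-param (the CAS client needs it to build the service URL)")
    return problems


def lint_login_config(text, app_name="ShibUserPassAuth"):
    """Problems with a JAAS login.config: LoginContext throws
    'No LoginModules configured for <app_name>' when no such entry exists."""
    block = re.search(r"^\s*" + re.escape(app_name) + r"\s*\{(.*?)\}\s*;", text, re.M | re.S)
    if not block:
        return [f"no JAAS entry named {app_name}"]
    if not re.search(r"\b(required|requisite|sufficient|optional)\b", block.group(1)):
        return [f"{app_name} entry declares no login module"]
    return []


# ---- constructed samples (not files from the thread) -------------------------
GOOD_HANDLER_XML = f"""<ProfileHandlerGroup xmlns="{PH_NS}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <LoginHandler xsi:type="RemoteUser">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
  </LoginHandler>
</ProfileHandlerGroup>"""
# xmlns="" drops the pasted element out of the profile-handler namespace.
BAD_HANDLER_XML = GOOD_HANDLER_XML.replace("<LoginHandler ", '<LoginHandler xmlns="" ')


def _web_xml(mappings, server_name=True):
    """Minimal web.xml from [(filter-name, filter-class, url-pattern)]; hostname is assumed."""
    out = ['<web-app xmlns="http://java.sun.com/xml/ns/j2ee">']
    if server_name:
        out.append("<context-param><param-name>serverName</param-name>"
                   "<param-value>idp.example.edu</param-value></context-param>")
    out += [f"<filter><filter-name>{n}</filter-name><filter-class>{c}</filter-class></filter>"
            for n, c, _ in mappings]
    out += [f"<filter-mapping><filter-name>{n}</filter-name><url-pattern>{p}</url-pattern></filter-mapping>"
            for n, _, p in mappings]
    return "\n".join(out + ["</web-app>"])


AUTHN, VALIDATE, WRAP = CAS_FILTER_CLASSES
GOOD_WEB_XML = _web_xml([("CAS Authentication Filter", AUTHN, REMOTE_USER),
                         ("CAS Validation Filter", VALIDATE, REMOTE_USER),
                         ("CAS HttpServletRequest Wrapper Filter", WRAP, REMOTE_USER)])
# Constructed mistakes: validation before authentication, wrapper on the wrong path, no serverName.
BAD_WEB_XML = _web_xml([("CAS Validation Filter", VALIDATE, REMOTE_USER),
                        ("CAS Authentication Filter", AUTHN, REMOTE_USER),
                        ("CAS HttpServletRequest Wrapper Filter", WRAP, "/*")], server_name=False)
# Constructed login.config; the LDAP module class and hostname are assumptions.
GOOD_LOGIN_CONFIG = """ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://ldap.example.edu" baseDn="ou=people,dc=example,dc=edu";
};
"""
BAD_LOGIN_CONFIG = "ShibLdapAuth {\n   edu.vt.middleware.ldap.jaas.LdapLoginModule required;\n};\n"

if __name__ == "__main__":
    # Usage: lint.py handler.xml web.xml login.config ; with no arguments the bad samples are linted.
    if len(sys.argv) == 4:
        texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]]
    else:
        texts = [BAD_HANDLER_XML, BAD_WEB_XML, BAD_LOGIN_CONFIG]
    for label, fn, text in zip(("handler.xml", "web.xml", "login.config"),
                               (lint_handler_xml, lint_web_xml, lint_login_config), texts):
        for problem in fn(text):
            print(f"{label}: {problem}")
```

Run it against the real /opt/shibboleth-idp/conf/handler.xml, the web.xml you edit under /opt/shibboleth-src, and /opt/shibboleth-idp/conf/login.config before running install.sh; an empty report means the wiring matches Christopher's notes, not that CAS will accept the ticket, which still depends on the trust store step above.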