Mark,

I've gotten the following directions from Ryan, who has previously done
Google Apps integration.  Please let me know which one works and I will
update the wiki to reflect it (or if you want to update it, feel free to
;-)).

Thanks
-Scott

---------- Forwarded message ----------
From: Ryan Shelley <[EMAIL PROTECTED]>
Date: Jun 29, 2007 11:40 AM
Subject: Re: CAS/Google Accounts/SAML integration
To: Scott Battaglia <[EMAIL PROTECTED]>

You create the keys using openssl.  I haven't done it in a while, and I know
they've been tweaking this part of their system, but you can try this:
openssl genrsa -out private.pem 1024
openssl rsa -in private.pem -out public.pem -pubout -outform PEM
openssl rsa -in public.pem -pubin -inform PEM -out public.der -pubout -outform DER

if that doesn't work, try:

openssl genrsa
openssl genrsa -out mykey.pem 1024
openssl rsa -in mykey.pem -pubout

if that doesn't work, try this java code:

import java.io.*;
import java.security.*;

/** Generates an RSA key pair and writes each half to a file as raw DER bytes. */
public class KeyGen {

   public static void main(String[] args) {
       try {
           KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
           SecureRandom random =
                SecureRandom.getInstance("SHA1PRNG", "SUN");
           keyGen.initialize(1024, random);

           KeyPair pair = keyGen.generateKeyPair();
           PrivateKey priv = pair.getPrivate();
           PublicKey pub = pair.getPublic();

           // getEncoded() on a JCE RSA private key returns PKCS#8 DER
           byte[] encPriv = priv.getEncoded();
           FileOutputStream privfos =
               new FileOutputStream("RSAPrivateKey.key");
           privfos.write(encPriv);
           privfos.close();

           // getEncoded() on the public key returns X.509 SubjectPublicKeyInfo
           // DER, i.e. the same bytes as "openssl rsa -pubout -outform DER"
           byte[] encPub = pub.getEncoded();
           FileOutputStream pubfos =
               new FileOutputStream("RSAPublicKey.key");
           pubfos.write(encPub);
           pubfos.close();

       } catch (Exception e) {
           e.printStackTrace();
       }
   }

}


Ryan Shelley
Lead Developer
ITR Web Development/Middleware
California State University, Northridge

818.677.4258
[EMAIL PROTECTED]



On Jun 29, 2007, at 8:17 AM, Scott Battaglia wrote:

Ryan,

You'll need the JPA jar and the xmlsig JAR I think.

Also, do you have instructions on how you created keys?  Someone else is
trying it out and having trouble with the keys they've generated.

Thanks
-Scott

On 6/22/07, Ryan Shelley <[EMAIL PROTECTED]> wrote:

Hi Scott,
I'm loading the CAS sources and configurations into NetBeans and getting
some errors compiling (primarily around locating javax.persistence, and
javax.xml.crypto) and I just want to make sure I'm using the same JDK and
libraries you're building CAS with.  Right now I have Java 1.5, Log4j,
OpenSaml, Spring, Spring LDAP, and Spring Webflow.  Should I be including
something that I'm missing?

Ryan Shelley
Lead Developer
ITR Web Development/Middleware
California State University, Northridge

818.677.4258
[EMAIL PROTECTED]



On Jun 21, 2007, at 11:55 AM, Scott Battaglia wrote:

Ryan,

We're actually on RC2 now (with an RC3 to follow within a day or two).
Whenever you get a minute if you can try out the Google Accounts integration
that would be great.

The release is on our web site:
http://www.ja-sig.org/products/cas/

We haven't tried this in the wild yet as we don't run Google Accounts at
Rutgers.  Therefore this may involve some back and forth between you and me
to resolve any configuration or XML issues that we haven't encountered with
merely using the unit tests.

Thanks!
-Scott

On 6/11/07, Ryan Shelley <[EMAIL PROTECTED]> wrote:
>
> Wow, I'm surprised how simple the integration with Google is with CAS.
> You must have done quite a bit to make it easy to configure.  Let me know
> when RC1 is out and we'll try it out.
>
> Ryan Shelley
> Lead Developer
> ITR Web Development/Middleware
> California State University, Northridge
>
> 818.677.4258
> [EMAIL PROTECTED]
>
>
>
> On Jun 9, 2007, at 8:50 PM, Scott Battaglia wrote:
>
> Wow, that sucks!  I've seen a bunch of universities go that route.
> Seems like you guys were doing some interesting stuff though and probably
> would have had some good ideas!
>
> I haven't released RC1 yet, but I have put up some documentation related
> to the integration.  It's relatively straightforward:
>
> http://www.ja-sig.org/wiki/display/CASUM/SAML+2.0+%28Google+Accounts+Integration%29
>
> Let me know what you think.
>
> Thanks!
> -Scott
>
> On 6/7/07, Ryan Shelley <[EMAIL PROTECTED]> wrote:
> >
> > I wish we were allowed.  Our management structure changed drastically
> > at the beginning of this year and canceled all of our open source and custom
> > projects (uPortal, CAS, Google/Gmail, etc) in favor of commercial
> > solutions.  It's been a disappointment, and also the reason why we can't
> > attend the conferences.
> >
> > Ryan Shelley
> > Lead Developer
> > ITR Web Development/Middleware
> > California State University, Northridge
> >
> > 818.677.4258
> > [EMAIL PROTECTED]
> >
> >
> >
> > On Jun 7, 2007, at 12:09 PM, Scott Battaglia wrote:
> >
> > Ryan,
> >
> > I'll probably release M4 tonight or tomorrow morning.  RC1 should
> > follow shortly next week.  I just want to give myself some time to finalize
> > the APIs and do some additional cleanup before we declare the API static.
> > M4 will otherwise be feature complete.
> >
> > Are any of you guys coming out to the JA-SIG conference? We're holding
> > a developer's/deployers lunch to get feedback, brainstorm, solicit help ;-)
> > for future versions of CAS.
> >
> > Thanks!
> > -Scott
> >
> > On 6/7/07, Ryan Shelley <[EMAIL PROTECTED]> wrote:
> > >
> > > Sure!  I'm glad you were able to pull this together.  Do you have an
> > > idea of when the RC of 3.1 will be?
> > >
> > > Ryan Shelley
> > > Lead Developer
> > > ITR Web Development/Middleware
> > > California State University, Northridge
> > >
> > > 818.677.4258
> > > [EMAIL PROTECTED]
> > >
> > >
> > >
> > > On Jun 7, 2007, at 5:43 AM, Scott Battaglia wrote:
> > >
> > > Ryan,
> > >
> > > Thanks for the information.  Based on what you've told me and the
> > > links you've provided I believe I have added support for Google Accounts in
> > > CAS 3.1 (it may require some minor tweaking...I haven't tested it
> > > yet ;-)).
> > >
> > > When we do an RC release of CAS 3.1, would you be able to assist us
> > > in testing this feature?
> > >
> > > Thanks
> > > -Scott
> > >
> > > On 5/14/07, Ryan Shelley <[EMAIL PROTECTED]> wrote:
> > > >
> > > > I don't have any real documentation other than what Google
> > > > provided us to integrate with their sign-on process:
> > > > http://code.google.com/apis/apps/sso/saml_reference_implementation.html
> > > > http://code.google.com/apis/apps/sso/saml_reference_implementation_web.html
> > > >
> > > >
> > > > The second URL has example code and sample SAML request/response
> > > > XML...
> > > >
> > > > The user requests a resource from Google, they check to see if
> > > > they are validated by Google's authentication system.  If not, they are
> > > > redirected to an account-admin-specified URL with a SAML token (the URL, in
> > > > our case, was a custom servlet).  The user's URL then handles the
> > > > authentication/validation of the user (in our case, using a ServiceTicket to
> > > > validate the account).  If the user needs to authenticate, that is handled
> > > > by us (sending them to CAS with redirect back to our servlet), if they don't
> > > > need to authenticate (they have a CAS ticket already, or are
> > > > reauthenticated, and it's successfully validated against CAS) they are
> > > > forwarded back to Google with a signed SAML response that says the user is
> > > > who they say they are.  Then Google allows them in.
> > > >
> > > > So we wrote the servlet that sits between Google and CAS, decrypts
> > > > the SAML Request, checks the user's authentication status, sends them to CAS
> > > > if necessary, encrypts a SAML response, and then sends them back to Google.
> > > > A lot of this was provided by Google btw (the SAML decryption and
> > > > encryption, etc), we just wrapped it around a Servlet and included CAS in
> > > > the process.
> > > >
> > > > I suppose an internal hook would be to natively accept the SAML
> > > > Request from Google and do a pass-through if the ticket is still valid, or
> > > > pause in the flow to allow them to authenticate before continuing on.
> > > >
> > > > Alternatively, you could use what we have as a separate servlet to
> > > > authenticate SAML requests.  I honestly don't know if Google's SAML
> > > > request/response format is standard or not, but I'm guessing it has to be.  So
> > > > a separate servlet might be able to be developed to handle all SAML
> > > > requests/responses for more than one external application.
> > > >
> > > > Ryan Shelley
> > > > Lead Developer
> > > > ITR Web Development/Middleware
> > > > California State University, Northridge
> > > >
> > > > 818.677.4258
> > > > [EMAIL PROTECTED]
> > > >
> > > >
> > > >
> > > > On May 14, 2007, at 6:06 AM, Scott Battaglia wrote:
> > > >
> > > > Ryan,
> > > >
> > > > I'm glad to hear you guys are willing to contribute!  Our ideal
> > > > target release date is in time for the JA-SIG conference (not sure if you
> > > > guys are attending) at the end of June.  We may need to adjust that and
> > > > merely have a release candidate out by then.
> > > >
> > > > I'm not sure exactly what is required to integrate with Google
> > > > Accounts so I can't comment yet on whether there is a better way to do it or
> > > > not.  The mere fact that you've done it at all is a good step forward and
> > > > whether we eventually adapt the code to something else (i.e.
> > > > native authentication handlers, etc.) is not as important as refactoring is
> > > > easy in Eclipse ;-)
> > > >
> > > > If you have any documentation or anything that you can show me
> > > > that would help with determining how best to integrate.  This way if there
> > > > are any hooks we can place into CAS that would have made your integration
> > > > easier, I can go and add them :-)
> > > >
> > > > As far as development standards go, we don't have any written down
> > > > per se.  I'll generally format the code using our Eclipse project coding
> > > > standards.  And we generally turn on all warnings in Eclipse (well pretty
> > > > much all warnings) and then attempt to eliminate them.  But those are things
> > > > I can easily do.  I will say that you should make sure whoever the author of
> > > > the specific code is that their name appears in the @author tag so they can
> > > > receive proper credit.
> > > >
> > > > Thanks!
> > > > -Scott
> > > >
> > > > On 5/11/07, Ryan Shelley <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > Sure, I'd be happy to contribute... what is the time-line for
> > > > > the 3.1 release?  The current version that I have is a Servlet
> > > > > that simply validates against CAS via a ServiceTicket.  Would that be the
> > > > > best way going forward if it's integrated into CAS, or do you recommend
> > > > > validating the CAS ticket more natively?  Any specific development standards
> > > > > to meet?  Just let me know if there's anything specific we need to do other
> > > > > than generalize the code and we'll put something together for you.
> > > > >
> > > > > Ryan Shelley
> > > > > Lead Developer
> > > > > ITR Web Development/Middleware
> > > > > California State University, Northridge
> > > > >
> > > > > 818.677.4258
> > > > > [EMAIL PROTECTED]
> > > > >
> > > > >
> > > > >
> > > > > On May 10, 2007, at 12:13 PM, Scott Battaglia wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > I saw your post on the Google Accounts API board about
> > > > > integrating CAS with Google Accounts
> > > > > (http://groups.google.com/group/google-apps-apis/browse_thread/thread/25e034482d57900e/9221135a3ca2ba36?lnk=gst&q=cas&rnum=1#9221135a3ca2ba36)
> > > > >
> > > > > Do you have any interest in contributing that code to the 3.1 release
> > > > > of CAS to allow CAS out of the box to integrate with Google
> > > > > Accounts?
> > > > >
> > > > > Thanks
> > > > > -Scott
> > > > >
> > > > > --
> > > > > -Scott Battaglia
> > > > > LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
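Both routes Ryan gives for the public key (openssl's `-pubout -outform DER` and `pub.getEncoded()` in the Java class) produce an X.509 SubjectPublicKeyInfo, which is the form the Google-side SAML setup consumes. As an added check that is not part of this thread, the Python below reads a public key in either PEM or DER form, confirms it really is an rsaEncryption SubjectPublicKeyInfo rather than the PKCS#1 "RSA PUBLIC KEY" layout, and reports the modulus size and exponent; the sample key bytes are constructed for the example (a toy 64-bit modulus) and the function names are the author's own.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _to_der(data):
    """Accept raw DER or a PEM block (what 'openssl rsa -pubout' writes)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def inspect_rsa_spki(data):
    """Return (modulus_bits, public_exponent) for an X.509 SubjectPublicKeyInfo RSA key."""
    tag, spki, _ = _tlv(_to_der(data), 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)
    if tag == 0x02:  # an INTEGER first means PKCS#1 'RSA PUBLIC KEY', not SPKI
        raise ValueError("PKCS#1 RSAPublicKey, not SubjectPublicKeyInfo")
    if tag != 0x30 or _tlv(alg, 0)[:2] != (0x06, RSA_OID):
        raise ValueError("AlgorithmIdentifier is not rsaEncryption")
    tag, bits, _ = _tlv(spki, pos)
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    _, rsakey, _ = _tlv(bits, 1)  # skip the unused-bits octet; then RSAPublicKey SEQUENCE
    n_tag, n, pos = _tlv(rsakey, 0)
    e_tag, e, _ = _tlv(rsakey, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("RSAPublicKey must hold two INTEGERs (n, e)")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


# Constructed sample: a toy 64-bit modulus with e=65537, wrapped exactly like a real SPKI.
SAMPLE_DER = bytes.fromhex("3024" "300d06092a864886f70d0101010500"
                           "0313" "00" "3010" "020900c123456789abcdef" "0203010001")
SAMPLE_PEM = (b"-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END PUBLIC KEY-----\n")
```

Pointing `inspect_rsa_spki` at the bytes of `public.der`, `public.pem` or `RSAPublicKey.key` tells you at once whether the file has the expected layout and whether the modulus is the size you asked openssl or `KeyPairGenerator` for.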
