Hello, everyone,

I've started attempting to write an authentication module for 
Guacamole that integrates with the Apereo CAS SSO product.  I know a person or 
two has already attempted this, but I haven't seen anyone's code, so I'm 
starting from scratch.  I'm struggling a little with how this should integrate 
with the existing Guacamole web client.  In the current client, it seems like 
the client displays the normal username/password box, and credentials are then 
passed back to one or more backend authentication classes.  In implementing a 
CAS SSO module, instead of displaying the login box, the page needs to redirect 
to the SSO login page, which either displays the credential prompt or returns 
an already active SSO session.

In doing some research, it looks as if the preferred method of accomplishing 
this with the CAS SSO Java client is via modifications to the web.xml file - 
adding login filters to that.  I'm not entirely sure if this is "compatible" 
with how extensions are currently implemented in the Guacamole web client - if 
there's any way to have an extension add to the web.xml file?  I've managed to 
get SSO to work (mostly) by manually adding these filters to the web.xml and 
then writing a very basic authentication extension that grabs the username from 
the HTTP session and returns an empty <String, GuacamoleConfiguration> map.  
It's a work in progress :-).

So, my first question is, is there a different way I should be going about 
having the existing Guacamole web client bypass the username/password dialog 
and redirect to the SSO login page?  If the web.xml file is the preferred way, 
is there a way I should go about overriding the existing one via an extension?

Second, for the extension class for the backend portion of the authentication, 
is there something more secure I should be doing with the SSO stuff than just 
grabbing the current session username - trying to get and verify the ticket or 
something like that?  Or is this good enough given that the login page 
redirects to SSO?

Thanks, and go easy on a newbie Guac/Java developer :-).
-Nick