[https://issues.apache.org/jira/browse/KYLIN-4240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16980958#comment-16980958]
ASF GitHub Bot commented on KYLIN-4240:
---------------------------------------
xiacongling commented on pull request #958: KYLIN-4240 Kylin SSO with CAS or SAML without LDAP
URL: https://github.com/apache/kylin/pull/958
KYLIN-4240 use kylin SSO without LDAP. See: https://issues.apache.org/jira/browse/KYLIN-4240
## add additional profile
First we change `kylin.sh` to support multiple profiles (`spring.profiles.active` can accept a comma-separated list of profiles):
```bash
# read the optional extra profiles from kylin.properties
additional_security_profiles=$(bash "${dir}/get-properties.sh" kylin.security.additional-profiles)
# append them to the base security profile when the property is non-empty
if [[ "x${additional_security_profiles}" != "x" ]]; then
    spring_profile="${spring_profile},${additional_security_profiles}"
fi
```
## UI update
In front-end, a button is added to redirect to the CAS/SAML server.

Users can now log in with either username/password or SSO, and their groups can be managed in the `System` tab.
## use CAS as an authentication option
Here we add `server/resources/kylin-security-cas-plugin.xml` to configure Spring Security for CAS, defining the following beans under the `authn-cas` profile, and filtering only `/cas/**`:
```xml
<beans profile="authn-cas">
    ...
    <!-- Spring Security Settings -->
    <spring-security:http pattern="/cas/**">
        ...
    </spring-security:http>
    <!-- CAS Beans that will be used -->
    ...
</beans>
```
We use the `custom` security profile and an additional `authn-cas` profile to enable it.
```properties
kylin.security.profile=custom
kylin.security.additional-profiles=authn-cas
```
Edit the following configurations to make it work properly.
```properties
# kylin server url should be set for CAS callback, values should be set properly
kylin.server.url=http://localhost:7070/kylin
# change the cas server
kylin.security.cas.server.prefix=https://cas.example.com/
kylin.security.cas.server.login-url=https://cas.example.com/login
kylin.security.cas.server.logout-url=https://cas.example.com/logout
# optional properties, default values are listed below
#kylin.security.cas.default-groups=ALL_USERS
#kylin.security.cas.service-param=service
#kylin.security.cas.artifact-param=ticket
```
Now, when the server is started, the "CAS Login" button will be shown on the login page.
## use SAML (without LDAP) as an authentication option
Similar to CAS, SAML without LDAP is configured under the `custom` profile. The security settings in `server/resources/kylin-security-saml-noldap-plugin.xml` are almost the same as those in `server/resources/kylinSecurity.xml` with profile `saml`, except that it filters only `/saml/**` for authentication and the LDAP settings are removed.
When we set the profiles as follows:
```properties
kylin.security.profile=custom
kylin.security.additional-profiles=authn-saml
```
The "SAML Login" button will be shown on the login page. If the SAML settings are properly configured in `kylin.properties`, it can redirect users to the SAML IdP and check their authenticity.
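As an added example (not code from the PR or from Kylin), the following script reproduces the profile concatenation that the `kylin.sh` change performs and sanity-checks the CAS properties the PR introduces before the server is started. The key names come from the PR description; the sample properties text is constructed, and the checks themselves (https on the CAS prefix, a non-localhost `kylin.server.url`, login/logout URLs under the prefix) are my own suggestions rather than requirements stated by the PR.

```python
from urllib.parse import urlparse

# Constructed sample mirroring the PR's example settings (not a real deployment).
SAMPLE_PROPERTIES = """\
kylin.security.profile=custom
kylin.security.additional-profiles=authn-cas
kylin.server.url=https://kylin.example.com/kylin
kylin.security.cas.server.prefix=https://cas.example.com/
kylin.security.cas.server.login-url=https://cas.example.com/login
kylin.security.cas.server.logout-url=https://cas.example.com/logout
"""

def parse_properties(text):
    """Minimal Java .properties reader: skips blank lines and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def effective_profiles(props):
    """Same rule as the kylin.sh change: base profile, then any extra profiles."""
    profiles = [props.get("kylin.security.profile", "")]
    extra = props.get("kylin.security.additional-profiles", "")
    if extra:  # only appended when the property is non-empty
        profiles += [p.strip() for p in extra.split(",") if p.strip()]
    return profiles

def check_cas_config(props):
    """Return a list of problems; an empty list means the CAS setup looks sane."""
    problems = []
    profiles = effective_profiles(props)
    if profiles[0] != "custom" or "authn-cas" not in profiles:
        problems.append("need kylin.security.profile=custom and authn-cas in additional-profiles")
    server_url = props.get("kylin.server.url", "")
    if not server_url or urlparse(server_url).hostname in ("localhost", "127.0.0.1"):
        problems.append("kylin.server.url must be the externally reachable URL used for the CAS callback")
    prefix = props.get("kylin.security.cas.server.prefix", "")
    if urlparse(prefix).scheme != "https":
        problems.append("kylin.security.cas.server.prefix should be https (ticket validation goes there)")
    for key in ("login-url", "logout-url"):  # both should live under the same CAS server
        if not props.get("kylin.security.cas.server." + key, "").startswith(prefix):
            problems.append(f"kylin.security.cas.server.{key} is not under the CAS server prefix")
    return problems
```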
> use kylin SSO without LDAP
> --------------------------
>
> Key: KYLIN-4240
> URL: https://issues.apache.org/jira/browse/KYLIN-4240
> Project: Kylin
> Issue Type: Improvement
> Reporter: Congling Xia
> Priority: Major
> Attachments: screenshot.png
>
>
> Recently, we are integrating Kylin with our SSO service based on CAS. In our
> case, SSO provides only authentication but no authorization. Because our LDAP
> service is not used for application-specific information management, we plan
> to use the built-in user/group services to manage their authorities (as in the
> testing profile).
> I am doing some work with CAS authentication to make it work along with form
> login in Kylin. I don't know whether it is a common case that users need to be
> authenticated by an SSO and will be managed for roles/groups in Kylin itself
> when LDAP is not available. I'd like to share it for someone in need.