| Author |
Message |
22/12/2008 13:58:23
|
Joseph Zargari
VP Customer Relations

Joined: 26/03/2006
Messages: 515
Offline
|
Hello all,
Single sign on is a method to automatically authenticate users (without them having to input credentials), based on credentials they already provided to authenticate with another system. The standard SSO method that is used in Active Directory environments is Integrated Windows Authentication, which is based on the NTLM protocol. In this scenario, users are authenticating with the domain (to log onto the computer) and these credentials are passed onto SysAid.
There's another method that we added support for, which is Central Authentication Service (CAS) - http://www.ja-sig.org/products/cas/
If you have CAS already in use in your organization, and wish to test the CAS integration, please post a reply to this topic. We'll be glad to have a working environment to check this on before publishing instructions.
|
|
|
17/11/2009 08:22:30
|
evili
SysAider
Joined: 23/09/2009
Messages: 4
Offline
|
Hi,
We are using SysAid with LDAP integration and we would like to try CAS integration. Our CAS is working already without problems.
Could you help us?
TIA,
Evili del Rio
|
|
|
17/11/2009 09:10:12
|
Joseph Zargari
VP Customer Relations

Joined: 26/03/2006
Messages: 515
Offline
|
evili,
It has been a while since a customer actually tested the below instructions and confirmed it to be working (not to mention the SysAid releases that came out since these instructions were verified).
If you are having any difficulty, please submit a service request with our helpdesk and refer to this forum topic.
1. Download the cas.jar and cas.properties files from http://www.ilient.com/down/cas.zip
2. Place the cas.jar in ...\SysAidServer\root\WEB-INF\lib
3. Place the cas.properties in ...\SysAidServer\root\WEB-INF\classes (create the folder if it doesn't exist).
4. Edit the cas.properties and set the correct values for CASURL (the URL of the CAS server) and ServerURL (the SysAid server URL).
5. Edit the ...\SysAidServer\root\WEB-INF\conf\serverConf.xml and change the line from <externalLoginClass>none</externalLoginClass> to <externalLoginClass>com.ilient.util.CASLogin</externalLoginClass>
6. Restart the SysAid Server service.
Now your CAS server can produce an SSO URL in the following syntax:
http://CASURL/login?service=SysAidURL%2FLogin.jsp%3FExternalLogin%3DYES%26userName%3DUSERNAME%26accountID%3DACCOUNTID
Make sure to replace CASURL and SysAidURL with the actual links (e.g. http://casserver:8088/cas , http://SysAid:8080/Login.jsp?ExternalLogin=YES)
After the user follows the URL and logs in, the CAS server will redirect the user to SysAid. SysAid will then validate the login using a ticket key.
Let us know how it went,
Joseph.
This message was edited 3 times. Last update was at 16/07/2012 18:16:16
|
|
|
24/11/2009 05:27:22
|
evili
SysAider
Joined: 23/09/2009
Messages: 4
Offline
|
Hi,
The link you provided does not work anymore. Can you supply an alternative, please?
TIA.
Evili
|
|
|
24/11/2009 10:21:31
|
Joseph Zargari
VP Customer Relations

Joined: 26/03/2006
Messages: 515
Offline
|
evili,
It actually had an extra dot at the end of it. I edited it and it now works.
Joseph.
|
|
|
25/11/2009 12:54:45
|
evili
SysAider
Joined: 23/09/2009
Messages: 4
Offline
|
Hi Joseph,
Now it works as you describe, thanks. I can login via CAS using the supplied URL:
http://casserver:8088/cas/login?service=http%3A%2F%2Fsysaid%3A8080%2FLogin.jsp%3FExternalLogin%3DYES%26userName%3Denduser%26accountID%3Dtest
(with the appropriate names/ports/etc.).
But what we would like is for the Login page of SysAid itself to validate directly through our CAS server. That is, when a user points to the login screen:
http://sysaid:8080/Login.jsp
it should get redirected automatically to the CAS login screen, and --once authenticated-- back to SysAid.
This is how it works in other applications we have here (for example, the CMS); and as far as I know this is the way CAS is supposed to work. In fact, I can login first to SysAid (via manual CAS) and then login in the CMS without seeing again the CAS login screen (that's what Single-Sign-On is designed for: authenticate once, access many).
Is there any way to configure this in SysAid?
Cheers,
Evili
|
|
|
26/11/2009 02:59:35
|
Joseph Zargari
VP Customer Relations

Joined: 26/03/2006
Messages: 515
Offline
|
Evili,
It's great to hear that it is working. Which version of SysAid are you working with? I just want to keep track of which versions this was verified to be working...
Regarding your question about the redirecting from SysAid to CAS and back, I could recommend that you edit the ...\SysAidServer\root\index.html (which is the first page users get to when they approach the SysAid URL) and then configure it to redirect to your CAS link instead of SysAid (replace Home.jsp with the full link to your CAS server that does the authentication).
Would this work for you?
Joseph.
|
|
|
27/11/2009 08:36:09
|
evili
SysAider
Joined: 23/09/2009
Messages: 4
Offline
|
Hi,
We are using 6.0.04 (but planning to upgrade to 6.5).
Your solution does not work (at least as I tried).
I have modified the index.html file so that wherever it reads "Home.jsp" it has become:
http://CAS-Server/cas/login?service=http%3A%2F%2FSysAidServer%2FHome.jsp%3FExternalLogin%3DYES%26accountID%3DSYSAIDACCOUNT
When we access this index page it correctly shows the CAS authentication login. Once authenticated via CAS, SysAid shows the SysAid Login page.
I think that the problem is that the routing of the HTTP-Request is passed always to the 'Login.jsp', even when it's already authenticated via CAS.
TIA.
Cheers,
Evili
|
|
|
29/11/2009 05:50:27
|
Joseph Zargari
VP Customer Relations

Joined: 26/03/2006
Messages: 515
Offline
|
Evili,
I think it failed to complete the authentication because the link was missing the userName parameter. Now that I think about that, you do need to specify the username in the link. Is there any variable in CAS that would represent the username? If that's possible, you could point to the link with the variable instead of the username so that it would always fit...
Joseph.
|
|
|
16/09/2010 16:12:54
|
Joseph Zargari
VP Customer Relations

Joined: 26/03/2006
Messages: 515
Offline
|
With the help of a customer, we were able to improve the CAS integration. The new integration allows CAS to redirect back to SysAid with nothing but the ticket ID. SysAid will then take the ticket ID and contact CAS back to retrieve the username.
It is verified to work on SysAid 7.0.05
1. Download the cas.jar, cas-client-core-3.1.1.jar and cas.properties files from http://www.ilient.com/down/cas-new.zip
2. Place the *.jar files in ...\SysAidServer\root\WEB-INF\lib
3. Place the cas.properties in ...\SysAidServer\root\WEB-INF\classes (create the folder if it doesn't exist).
4. Edit the cas.properties and set the correct values for CASURL (the URL of the CAS server) and ServerURL (the SysAid server URL).
5. Edit the ...\SysAidServer\root\WEB-INF\conf\serverConf.xml and change the line from <externalLoginClass>none</externalLoginClass> to <externalLoginClass>com.ilient.util.CASLogin</externalLoginClass>
6. Restart the SysAid Server service.
Now your CAS server can produce an SSO URL in the following syntax:
http://casurl/login?service=SysAidURL%2FLogin.jsp%3FExternalLogin%3DYES
Make sure to replace CASURL and SysAidURL with the actual links (e.g. http://casserver:8088/cas , http://SysAid:8080/Login.jsp?ExternalLogin=YES)
After the user follows the URL and logs in, the CAS server will redirect the user to SysAid. SysAid will then contact CAS with the ticket ID for validation and will retrieve the username.
Joseph.
This message was edited 2 times. Last update was at 16/07/2012 18:16:10
|
|
|
30/03/2012 17:32:37
|
chewie71
SysAider
Joined: 30/03/2012
Messages: 2
Offline
|
Hi Joseph....or anyone...
We've got LDAP Integration setup so it is importing our users from AD. We've also configured Jasig CAS. We've successfully tested CAS with manually created user accounts, but when we try to use CAS with an account imported from AD/LDAP, it fails and says it can't find the username.
We think the problem is due to the username appearing twice in the End User entry. They look like this....
Username: DOMAIN\username
*Username: username
We think CAS is attempting to match against the username with the DOMAIN\ in it....and that's where it's failing. Any thoughts on how to correct this?
Thanks,
Matt
|
|
|
04/04/2012 16:02:16
|
Joseph Zargari
VP Customer Relations

Joined: 26/03/2006
Messages: 515
Offline
|
Hi chewie71,
SysAid 8.5 is now importing all users with the domain prefix. This is indeed the attribute to which CAS compares the data. I don't think we tested CAS integration on SysAid 8.5 just yet, so I can't tell if there's any proven solution. Please submit a service request with our helpdesk and refer to this topic. We'll schedule a remote control session to look into the configuration to see if there's any way we could configure it to compare the username with a different attribute (which contains just the user_name).
Thanks,
Joseph.
|
|
|
04/07/2012 19:38:15
|
Joseph Zargari
VP Customer Relations

Joined: 26/03/2006
Messages: 515
Offline
|
There's a fix to the problem with 8.5.08:
1. Download the cas.jar, cas-client-core-3.1.1.jar and cas.properties files attached to this post as a zip file.
2. Place the *.jar files in ...\SysAidServer\root\WEB-INF\lib
3. Place the cas.properties in ...\SysAidServer\root\WEB-INF\classes (create the folder if it doesn't exist).
4. Edit the cas.properties and set the correct values for CASURL (the URL of the CAS server), ServerURL (the SysAid server URL) and DOMAIN (which is the domain name appearing as the prefix for usernames).
5. Edit the ...\SysAidServer\root\WEB-INF\conf\serverConf.xml and change the line from <externalLoginClass>none</externalLoginClass> to <externalLoginClass>com.ilient.util.CASLogin</externalLoginClass>
6. Restart the SysAid Server service.
Now your CAS server can produce an SSO URL in the following syntax:
http://casurl/login?service=SysAidURL%2FLogin.jsp%3FExternalLogin%3DYES
Make sure to replace CASURL and SysAidURL with the actual links (e.g. http://casserver:8088/cas , http://SysAid:8080/Login.jsp?ExternalLogin=YES)
After the user follows the URL and logs in, the CAS server will redirect the user to SysAid. SysAid will then contact CAS with the ticket ID for validation and will retrieve the username.
The username it gets will have the domain (defined in the cas.properties file in step 4) as its prefix.
IMPORTANT FOR 8.5.08: YOU NEED TO REPLACE THE SYSAID.JAR FILE WITH THE ATTACHED FILE (DON'T LEAVE OLD FILE IN PLACE. EITHER DELETE IT OR MOVE IT TO ANOTHER DIRECTORY). If you don't, then the integration won't work. The fix included here will be applied to future releases.
Joseph.
Attached file: 8.5.08-fix-for-CAS.zip (Filesize: 11365 Kbytes; Downloaded: 3 time(s))
This message was edited 2 times. Last update was at 16/07/2012 18:16:04
|
|
|
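The ticket flow described in the 16/09/2010 and 04/07/2012 posts above, as an added example that is not SysAid's code and not part of any post: it builds the login URL, takes the ticket from the callback, and reads the username only from the CAS validation response, so a userName parameter in the URL is never trusted. It assumes the CAS 2.0 /serviceValidate endpoint and response format; the function names are hypothetical, and the hosts, ticket and XML samples are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 XML namespace

def login_url(cas_url, service_url):
    """URL the browser is sent to; the service URL is percent-encoded once."""
    return cas_url.rstrip("/") + "/login?" + urlencode({"service": service_url})

def validate_url(cas_url, service_url, ticket):
    """Back-channel URL the application fetches itself to check the ticket."""
    query = urlencode({"service": service_url, "ticket": ticket})
    return cas_url.rstrip("/") + "/serviceValidate?" + query

def ticket_from_callback(callback_url):
    """Return the single service ticket CAS appended to the service URL."""
    values = parse_qs(urlsplit(callback_url).query).get("ticket", [])
    if len(values) != 1 or not values[0].startswith("ST-"):
        raise ValueError("missing or ambiguous service ticket")
    return values[0]

def username_from_response(xml_text, domain=""):
    """Return the user CAS asserted, prefixed with DOMAIN\\ when one is set."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None or not (user.text or "").strip():
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code") if failure is not None else "UNKNOWN"
        raise PermissionError("CAS rejected ticket: " + code)
    name = user.text.strip()
    return domain + "\\" + name if domain else name

# Constructed sample data (not captured from a real server).
CAS = "http://casserver:8088/cas"
SERVICE = "http://sysaid:8080/Login.jsp?ExternalLogin=YES"
CALLBACK = SERVICE + "&ticket=ST-1-constructed&userName=admin"
SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>enduser</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_url(CAS, SERVICE))
    print(validate_url(CAS, SERVICE, ticket_from_callback(CALLBACK)))
    # The userName=admin in CALLBACK is ignored; identity comes from CAS only.
    print(username_from_response(SUCCESS, "DOMAIN"))
```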
05/07/2012 15:19:09
|
chewie71
SysAider
Joined: 30/03/2012
Messages: 2
Offline
|
Your CASURL for cas.properties is incorrect. The CASURL should be set to the root of your CAS system, do not pass it all the extra params.
These are the entries in my cas.properties file...and they work...
If you haven't redirected your SysAid server to port 80....then be sure you add the to your ServerURL entry. (e.g. https://sysaid.domain.com:8080/Login.jsp?ExternalLogin=YES)
This message was edited 2 times. Last update was at 05/07/2012 15:21:39
|
|
|
16/07/2012 18:16:56
|
Joseph Zargari
VP Customer Relations

Joined: 26/03/2006
Messages: 515
Offline
|
chewie71,
Thank you for the correction, you're absolutely right...
I edited all my posts
Joseph.
|
|
|