How to configure Apache Syncope to log in via SAML 2.0 using Apereo CAS

In this post we are going to see how to set up SAML 2.0 authentication with Apache Syncope acting as the Service Provider (SP) and Apereo CAS acting as the Identity Provider (IdP).

Configure Syncope

Let's start by configuring a Syncope embedded instance:

$ mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate \
  -DarchetypeGroupId=org.apache.syncope \
  -DarchetypeArtifactId=syncope-archetype \
  -DarchetypeRepository=https://repository.apache.org/content/repositories/snapshots \
  -DarchetypeVersion=2.1.6-SNAPSHOT

$ mvn -P all clean install
$ cd enduser
$ mvn -P embedded,all

Now that Syncope is running, give it its own hostname rather than reaching it through localhost: Syncope and CAS both set session cookies, and browser cookies are scoped by host, not by port, so two applications sharing 127.0.0.1 would step on each other's cookies. On Linux we can edit /etc/hosts and add something like the following:

127.0.0.1     syn-saml2.co

this way we'll access the Syncope Admin Console at http://syn-saml2.co:9080/syncope-console.

Configure CAS

Let's do the same process for CAS to have a unique hostname to access it:

127.0.0.1     mycas.com

Building & configuring CAS overlay

Let's download a CAS overlay instance:

$ git clone https://github.com/apereo/cas-overlay-template.git
$ cd cas-overlay-template

Now let's set a specific folder for CAS configuration data:

$ sudo mkdir -p /etc/cas/
$ sudo chown -R [USER] /etc/cas/

# The etc directory contains the configuration files
# and directories that need to be copied to /etc/cas/config.
$ ./gradlew copyCasConfiguration

Now we add the SAML 2.0 IdP module and the JSON service registry (we'll need the latter to register Syncope as a CAS service) to build.gradle. Both lines must reference the same CAS version property the overlay already defines; its name depends on the template release (${project.'cas.version'} in older overlays, ${casServerVersion} in newer ones), so use whichever one your build.gradle declares for both dependencies:

dependencies {
    // ...
    implementation "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
}

and, since the SAML IdP module pulls in OpenSAML and other Shibboleth artifacts that are not on Maven Central, make sure the Shibboleth repository is listed:

repositories {
    // ...
    maven {
        mavenContent { releasesOnly() }
        url "https://build.shibboleth.net/nexus/content/repositories/releases/"
    }
}

then we edit the local properties file ./etc/cas/config/cas.properties (see CAS Properties) and set the following properties; the entityId is what Syncope will see as the Issuer of CAS assertions, and the metadata location is the directory where CAS writes its own IdP metadata and signing/encryption key pairs on first start:

cas.server.name=https://mycas.com:8443

## SAML2 IdP
cas.authn.samlIdp.entityId=https://mycas.com/idp
cas.authn.samlIdp.metadata.location=file:/etc/cas/saml

## Service Registry
cas.serviceRegistry.json.location=file:/etc/cas/services

now we copy the local configuration to /etc/cas/config, the folder CAS reads at runtime:

$ ./gradlew copyCasConfiguration

Now we add a new CAS service under /etc/cas/services, with file name in the form serviceName + "-" + serviceNumericId + ".json"; let's create /etc/cas/services/SAMLService-10000003.json with the following content:

{
    "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
    "serviceId" : "http://syn-saml2.co:9080/syncope-console/",
    "name" : "SAMLService",
    "id" : 10000003,
    "evaluationOrder" : 1,
    "metadataLocation" : "/etc/cas/saml/idp-syncope-console.xml"
}

See JSON Service Registry for more info about it. Note that serviceId is matched against the SP entityID carried as Issuer in the AuthnRequest, and CAS treats it as a Java regular expression, not as a literal string: an unescaped "." matches any character, and without ^ and $ the pattern is not anchored. The plain URL above is fine for a lab, but for anything else anchor the pattern and escape its dots (in JSON the backslash must be doubled, e.g. "^http://syn-saml2\\.co:9080/syncope-console/$").

It is time to download the Syncope SP metadata file, so let's access the Admin Console and go to Extensions → SAML 2.0 SP → Service Provider → Metadata. Rename the downloaded file (here taken from the browser's download folder) and put it under /etc/cas/saml/, at the exact path given as metadataLocation in the service definition:

$ mv ~/Scaricati/Master-SAML-SP-Metadata.xml /etc/cas/saml/idp-syncope-console.xml
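A quick consistency check, added here as an example and not part of the original post or of Syncope/CAS: CAS picks the SamlRegisteredService by matching the AuthnRequest Issuer (the entityID of the SP metadata we just copied) against serviceId, which it treats as a regular expression. The script below extracts the entityID from an SP metadata file and the serviceId from the service JSON, checks that they match, and flags a pattern that is unanchored or has unescaped dots. The two files it writes are constructed stand-ins for Master-SAML-SP-Metadata.xml and SAMLService-10000003.json (with serviceId already anchored and escaped); point check_pair at the real files under /etc/cas/saml and /etc/cas/services to check a live setup.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: check that the SP entityID in the
# Syncope metadata is matched by the "serviceId" regex of the CAS SamlRegisteredService.
# CAS treats serviceId as a regular expression and matches it against the AuthnRequest
# Issuer, so a typo means "service not found" at login, while an unescaped "." or a
# missing ^...$ anchor lets the pattern accept look-alike issuers.

# Print the entityID attribute of the first EntityDescriptor in an SP metadata file.
sp_entity_id() {
    sed -n 's/.*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the "serviceId" value of a CAS JSON service file, with JSON "\\" unescaped to "\".
cas_service_id() {
    sed -n 's/.*"serviceId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" \
        | head -n 1 | sed 's/\\\\/\\/g'
}

# Return 0 when PATTERN ($2), an extended regex applied unanchored, matches ENTITY_ID ($1).
entity_matches_service() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# Return 0 when PATTERN starts with ^, ends with $ and every "." in it is escaped.
pattern_is_strict() {
    case "$1" in
        '^'*'$') ;;
        *) return 1 ;;
    esac
    ! printf '%s\n' "$1" | grep -Eq '(^|[^\\])\.'
}

# Compare one metadata/service pair: print a diagnosis, return 0 only when CAS would match.
check_pair() {
    entity=$(sp_entity_id "$1")
    pattern=$(cas_service_id "$2")
    printf 'SP entityID  : %s\nCAS serviceId: %s\n' "$entity" "$pattern"
    if ! entity_matches_service "$entity" "$pattern"; then
        echo "MISMATCH: CAS would not find a registered service for this Issuer"
        return 1
    fi
    if pattern_is_strict "$pattern"; then
        echo "OK: serviceId matches and is anchored with escaped dots"
    else
        echo "OK but loose: anchor serviceId with ^ and \$ and escape its dots"
    fi
}

# --- constructed sample files, stand-ins for the real SP metadata and service JSON ---
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/sp-metadata.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="http://syn-saml2.co:9080/syncope-console/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
EOF
# Same service as in the post, but with serviceId anchored and its dot escaped.
cat > "$DEMO_DIR/SAMLService-10000003.json" <<'EOF'
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "^http://syn-saml2\\.co:9080/syncope-console/$",
  "name" : "SAMLService",
  "id" : 10000003,
  "evaluationOrder" : 1,
  "metadataLocation" : "/etc/cas/saml/idp-syncope-console.xml"
}
EOF

check_pair "$DEMO_DIR/sp-metadata.xml" "$DEMO_DIR/SAMLService-10000003.json"
```

The loose form used in the post, http://syn-saml2.co:9080/syncope-console/, still passes the match step (so login works), but pattern_is_strict reports it because the unescaped dot also matches an Issuer such as http://syn-saml2Xco:9080/syncope-console/; the anchored, escaped form rejects that look-alike.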

Deploy CAS

We need a keystore under /etc/cas for the CAS HTTPS listener. The overlay's createKeystore Gradle task generates it for us (so no manual keytool command is needed), but the certificate subject it produces does not match our hostname, and Java clients verify the hostname against the certificate's CN and subject alternative names; change the following lines in ./gradle/tasks.gradle first:

// ...
def dn = "CN=mycas.com,OU=Com"
// ...
def subjectAltName = "dns:mycas.com,ip:127.0.0.1"

now we can generate the keystore:

$ ./gradlew createKeystore

Ensure the keystore is loaded up with the server's key and certificate. Since the certificate is self-signed, nothing trusts it yet: import it into the JVM truststore (cacerts) of the Java installation whose processes will talk to CAS over HTTPS, e.g. by running:

$ sudo keytool -import \
  -keystore $JAVA_HOME/lib/security/cacerts \
  -trustcacerts \
  -file /etc/cas/cas.cer \
  -alias CAScert

# the default cacerts password is: changeit
# on JDK 8 the truststore lives at $JAVA_HOME/jre/lib/security/cacerts instead

Keep in mind that this makes every application running on that JDK trust the CAS certificate, and that the browser has its own trust store: it will warn about the self-signed certificate when first redirected to https://mycas.com:8443 unless the certificate is trusted there as well.

As final step, build CAS and run the web application as an executable WAR:

$ ./gradlew clean build
$ ./gradlew run

The CAS console will be accessible at https://mycas.com:8443/cas.

Add CAS IdP to Syncope

  • We get the CAS IdP metadata file by accessing https://mycas.com:8443/cas/idp/metadata, or directly from /etc/cas/saml/idp-metadata.xml, where CAS generates it on first start
  • Upload it to Syncope, from the Admin Console (Extensions → SAML 2.0 SP → Identity Providers → click the "+" icon)
  • Log out from Syncope and log in by using the SAML provider we just added (use the dropdown in the Syncope Console login form)
  • When landing on CAS, we just use the default credentials: casuser / Mellon. These come from the static accept handler (cas.authn.accept.users) that CAS enables when no other authentication handler is configured; remove that property and wire up a real authentication source before exposing CAS beyond a lab

For more info take a look at the official CAS blog post CAS - SAML2 Authentication.

You can review a complete example on my Github repo.
