Liferay integration with CAS and LDAP

Steps to configure the LDAP server

www.liferay.com/web/nidhi.singh/blog/-/blogs/liferay-integration-with-ldap

Steps for the SSL certificate

Open a command prompt and run the commands given below. The first generates a self-signed key pair for Tomcat in the default keystore, the second exports its certificate, and the third imports that certificate into the JRE's cacerts trust store so that Java trusts the self-signed CAS server certificate.

keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
Enter keystore password:  changeit
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  Information Systems
What is the name of your organization?
  [Unknown]:  Life
What is the name of your City or Locality?
  [Unknown]:  Bangalore
What is the name of your State or Province?
  [Unknown]:  KA
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=localhost, OU=Information Systems, O=Life, L=Bangalore, ST=KA, C=IN correct?
  [no]:  yes

keytool -export -alias tomcat -keypass changeit -file E:\server.crt
Enter keystore password: changeit
Certificate stored in file E:\<server.crt>

keytool -import -file E:\server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts
Enter keystore password: changeit
Owner: CN=localhost, OU=Information Systems, O=Life, L=Bangalore, ST=KA, C=IN
Issuer: CN=localhost, OU=Information Systems, O=Life, L=Bangalore, ST=KA, C=IN
Serial number: 462030d8
Valid from: Fri Apr 13 15:39:36 HST 2010 until: Thu Jul 12 15:39:36 HST 2010
Certificate fingerprints:
MD5: CC:3B:FB:FB:AE:12:AD:FB:3E:D5:98:CB:2E:3B:0A:AD
SHA1: A1:16:80:68:39:C7:58:EA:2F:48:59:AA:1D:73:5F:56:78:CE:A4:CE
Trust this certificate? [no]: yes
Certificate was added to keystore

 
Steps for the Apache Tomcat server

Uncomment the HTTPS connector in server.xml (it listens on port 8443) and point it at the keystore created above and at the cacerts trust store:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:/Documents and Settings/nidhi.singh/.keystore"
           keystorePass="changeit"
           truststoreFile="C:/Program Files/Java/jdk1.6.0_18/jre/lib/security/cacerts" />

Setting up the CAS server

1. Download the CAS server distribution and locate the war file, e.g. \cas-server-3.2.1\modules\cas-server-webapp-3.2.1.war.

2. Start the Apache Tomcat server. Deploy the war file (cas-server-webapp-3.2.1.war) to Tomcat's webapps folder and rename it, e.g. C:\apache-tomcat-6.0.14\webapps\cas-web.

3. Once CAS is deployed you should have an unpacked directory in the webapps folder, e.g. C:\apache-tomcat-6.0.14\webapps\cas-web.

4. Stop the Tomcat server.

5. Add the lines below to the pom.xml file in the META-INF folder (e.g. C:\apache-tomcat-6.0.14\webapps\cas-web\META-INF\maven\org.jasig.cas\cas-server-webapp):

<dependency>
    <groupId>${project.groupId}</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${project.version}</version>
</dependency>

6. Add the following to the deployerConfigContext.xml file in the WEB-INF directory, e.g. C:\apache-tomcat-6.0.14\webapps\cas-web\WEB-INF (this connects to the default Apache Directory Server configuration):

<bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
    <property name="pooled" value="true"/>
    <property name="urls">
        <list>
            <value>ldap://localhost:10389</value>
        </list>
    </property>
    <property name="userName" value="uid=admin,ou=system"/>
    <property name="password" value="secret"/>
    <property name="baseEnvironmentProperties">
        <map>
            <entry>
                <key>
                    <value>java.naming.security.authentication</value>
                </key>
                <value>simple</value>
            </entry>
        </map>
    </property>
</bean>


7. Add the corresponding AuthenticationHandler to the deployerConfigContext.xml file: remove the SimpleAuthenticationHandler and add the following in its place.

<bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
    <property name="filter" value="cn=%u,dc=example,dc=com" />
    <property name="contextSource" ref="contextSource" />
</bean>


8. Copy cas-server-support-ldap-3.2.1.jar from the CAS distribution (\cas-server-3.2.1\modules) into the web application's library folder, e.g. C:\apache-tomcat-6.0.14\webapps\cas-web\WEB-INF\lib.

9. Start Tomcat and log in with an LDAP username and password at the URL https://localhost:8443/cas-web/login.

Setting up Liferay

1. Create system-ext.properties in webapps\ROOT\WEB-INF\classes.

2. Open system-ext.properties, add the following line and save it:

com.liferay.filters.sso.cas.CASFilter=true

3. Open portal-ext.properties, replace the first line below with the second (adding CASAutoLogin to the auto-login hooks) and save it:

auto.login.hooks=com.liferay.portal.security.auth.BasicAutoLogin

auto.login.hooks=com.liferay.portal.security.auth.BasicAutoLogin,com.liferay.portal.security.auth.CASAutoLogin

4. Log in as administrator and go to Control Panel -> Settings -> Authentication -> CAS.

5. Check the Enabled checkbox and Import from LDAP.

6. Login URL: https://localhost:8443/cas-web/login

7. Logout URL: https://localhost:8443/cas-web/logout

8. Server Name: localhost:8080

9. Service URL: http://localhost:8080/c/portal/login

10. Validate URL: https://localhost:8443/cas-web/proxyValidate

11. Save it.

Nice explanation with properly guided URLs.... Thanks for such a nice piece of information.
A little hint for those who want to run LR under another domain like "dev" or something:
make sure your cert is created for this host and the cert is imported into the correct cert store at %JAVA_HOME% and/or the LR JRE store.
Hi,

Thanks for your blog,
In portal.properties for CAS, below comment is provided,

#
# Set the default values for the required CAS URLs. Set either
# "cas.server.name" or "cas.service.url". Setting "cas.server.name" allows
# deep linking. See LEP-4423.
#

Please let me know whether we need to specify both cas.server.name and cas.service.url, or only one of them, as commented in the property file.

In my case, if I provide both values it didn't work; after CAS authentication the page was blank.
If I enter only cas.service.url and not cas.server.name, authentication works fine and I get the page, but here also the redirect didn't work.
Thanks for the tutorial, but actually it didn't solve my problem with "single sign out".
I've implemented this single sign-on, and it works, but when I sign out from another application which is connected to CAS, the Liferay session with this session_ID is not invalidated, so what should I do?

thanks & regards
I need urgent help on CAS+Liferay on Linux Centos.

Please help.
Please write your problem so that I can solve it.
Hi Nidhi
I am trying to integrate CAS+Liferay on CentOS. I have created the signature certificate, but the problem is that I am unable to locate jre/lib/security on CentOS as it uses OpenJDK.

I tried to integrate CAS+Liferay without doing the above step but it did not work. Please help!
Thanks for your early response.
Hi
I have located jre. Would contact for further help

Thanks
Hi,

I am trying to integrate Liferay+CAS. When I click on Sign In on the Liferay portal it opens the Liferay portal again instead of the CAS login page.

Can anyone please help in solving this issue.

Thanks in advance
Daljeet
Hi,

Did you do the CAS settings in Liferay, the system-ext.properties file and the portal-ext.properties file?

Nidhi
Hi

I am having a problem adding the authentication handler in the file deployerConfigContext.xml.

When I add the code by replacing the simple authentication handler it gives a ClassNotFound exception for FastBindLdapAuthenticationHandler.

Please help out.

Thanks
Hi,

Have you added this cas-server-support-ldap-3.2.1.jar?

Nidhi
Hi,
Yes, I have added cas-server-support-ldap-3.2.1.jar.

It is giving the following exception

Line 124 in XML document from ServletContext resource [/WEB-INF/deployerConfigContext.xml] is invalid; nested exception is org.xml.sax.SAXParseException: cvc-complex-type.2.3: Element 'list' cannot have character [children], because the type's content type is element-only.


Daljeet
I have also added system-ext.properties file and portal-ext.properties file.

As I am working on Linux, please tell me how to do the settings that you mentioned by visiting the control panel.

Thanks
Hi Nidhi,

When I click on Sign In on the Liferay Portal home page it takes me to the URL: https://server:8443/c/portal/login?p_l_id=10298

But Internet Explorer cannot display the page.

Kindly help for the needful

Thanks
DJ
Hi nidhi,
We have some PHP-MySQL based applications running on a different server. I want to sign into Liferay and get access to those applications using single sign-on. Is it possible? I have added those URLs as embedded pages into Liferay.
Ananda,
I am sort of new at this, but I believe that if you have CAS-enabled the PHP-MySQL applications so that you can log in to them through CAS (without any Liferay involvement) then yes, you should be able to set up an SSO situation between Liferay and your applications. The key point is that _all_ of them must use CAS for login before SSO will work.

Ed
Hi, I am not able to understand how installing CAS would enable single sign-on for an external application. How will CAS talk to my external application? Should I install CAS in my external application as well???
Yes, you would have to integrate CAS into your other applications so that they could all have the same trust relationship with the CAS validation ticket. If you were to use SiteMinder instead of CAS, you would have the same situation where all of the apps would have to be protected by SiteMinder. The other option is to not use SSO at all and use some sort of uid/password storage mechanism in custom portlets that would send the credentials to the external system, but that isn't as flexible.
Is it possible to setup Liferay to use CAS without an LDAP server and without creating an autologin hook?

That is, once the user is authenticated, can liferay be configured to complete the user creation by asking the user for the missing profile information?
I have seen information about configuring CAS to use the Liferay database via JDBC instead of LDAP for a user store, so that would solve your first problem: https://wiki.jasig.org/display/CASUM/JDBC. You can extend the functionality of the CAS post-login process to ask the user for the information and store it in the portal DB before sending them back to Liferay (something like this: https://wiki.jasig.org/display/CASUM/Acceptable+Use+interface+for+Login+Webflow). You can also modify Liferay to extend the functionality of its post-login process: http://www.liferay.com/web/guest/community/wiki/-/wiki/Main/Customizing+the+default+page+after+login
I've only read about any of these and they all seem fairly involved. -Ed
That's a very nice post.

Can you let me know whether there is any way, by configuration or any simple means, of doing the following scenario:

We have a CAS + Liferay integrated environment, but it looks like that the “concurrent login prevention” does not work in some occasions for Liferay. For example, we have an iframe enclosing the portal menu bar and the page content. User logs in on Browser 1 and the same User logs in on Browser 2. User then navigates on Browser 1 by clicking on the menu bar (some private pages), but he did not get logged out.

Practically, I think the user's old token should be invalid.

Can you give me suggestion regarding the same
Hello,
I am working on a web application in which I am using Liferay and Pentaho. I wish to use CAS for authenticating users. I followed all the steps, and CAS is working fine.
When I log in to CAS and then open the Pentaho portion, I get signed in, as CAS is logged in, and when I log out from CAS, it is also reflected in Pentaho (and vice versa too). It shows that Pentaho is sharing the login ticket. But when I am using it with Liferay, it is giving the following problem:
when I log in through the Liferay Sign In button, it opens the CAS page and logs in properly, but when I log in to CAS first and then open Liferay, it is not getting that login ticket. The same problem persists at the time of logout also.

Please give solution...
Thanks in advance !!!
hi,

When I log in through the Liferay Sign In button (dock), it opens the CAS page and logs in properly, but when I log in to CAS first and then open Liferay, it is not getting that login ticket. But if I click the 'sign in' link, Liferay acquires the ticket.

How do I use autologin, logging in to CAS first?
Diego,
I think if you are just going to the public home page, there is no need for Liferay to authenticate so it doesn't check the ticket or try to do autologin. Try this: create a private page and make note of the friendly URL. Log out of everything and close browsers, in a new browser log in to CAS, then use your friendly private page URL. You should go through the autologin. - Ed
Can you please help me configuring Liferay 6.0.5 with CAS 3.0.7? CAS is working fine with validating user credentials properly with OpenLDAP. But I am confused with the three entries i.e. Server Name, Server URL, and Service URL on the CAS configuration screen on Liferay and not sure what to provide where. I tried with many combinations but of no use.

Please guide me!

Thanks!
Kiru
Kiru,
The best documentation on the use of these settings is in portal-ext.properties and the portal admin guide. If you want people to be able to email or bookmark friendly URLs to pages other than the home page, then you should use combination of server name and server url while leaving the service url blank. This will allow the portal to generate a dynamic service url based on the one the user is trying to access. Here is a summary of portal 5.2.3 settings:
- cas.server.name: This is the server name of the portal that CAS should use when calling back to the CAS client. Set either "cas.server.name" or "cas.service.url". Setting "cas.server.name" allows deep linking. See LEP-4423. ex: portal.acme.com
- cas.server.url: URL address of the CAS server. ex: https://cas.acme.com:8443/cas
- cas.service.url: This parameter replaces the serverName parameter above. It becomes the URL that CAS redirects to after login. If you have one specific point of entry to your web application and you want all logins to proceed through that page, you would specify the full URL of that page here. Either this parameter or the serverName parameter must be set. ex: (don't have example since we don't use this setting)
- cas.validate.url: The URL whereat CAS offers its service ticket or proxy ticket validation service. ex: https://cas.acme.com:8443/cas/proxyValidate
- cas.login.url: The URL whereat CAS offers its Login page. ex: https://cas.acme.com:8443/cas/login
- cas.logout.url: The CAS URL that triggers session invalidation logic. This depends on CAS functionality to redirect the user back to the portal. ex (you may have to alter this depending on your logged out page strategy): https://cas.acme.com:8443/cas/logout?service=http://portal.acme.com/c
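The client-side logic behind the Liferay CAS settings in steps 5 to 11 of the post and the cas.* properties summarised in the comment above, as an added example (Python, not Liferay's or Jasig's own code): how cas.service.url versus cas.server.name decides the service value sent to CAS, and how the XML that cas.validate.url returns is read. The service-URL rule mirrors the one the Jasig CAS client applies; the sample responses are constructed.

```python
"""CAS 2.0 client-side logic behind Liferay's cas.* settings (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace CAS uses in its XML responses


def construct_service_url(server_name, service_url, request_url, scheme="http"):
    """Return the 'service' value the portal sends to CAS.

    cas.service.url is used verbatim when set (one fixed entry point, no deep
    linking); otherwise the URL the user requested is rebuilt from cas.server.name,
    dropping any 'ticket' parameter so the value equals the one sent at login.
    """
    if service_url:
        return service_url
    parts = urlsplit(request_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "ticket"]
    return urlunsplit((scheme, server_name, parts.path, urlencode(query), ""))


def login_redirect(login_url, service):
    """Where an unauthenticated user is sent (cas.login.url plus service)."""
    return login_url + "?" + urlencode({"service": service})


def validate_request(validate_url, service, ticket):
    """Back-channel call the portal makes on cas.validate.url for a ticket."""
    return validate_url + "?" + urlencode({"service": service, "ticket": ticket})


def parse_validation_response(xml_text):
    """Parse a CAS 2.0 serviceResponse into (user, None) or (None, error_code)."""
    root = ET.fromstring(xml_text)
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is not None:
        return success.findtext(CAS_NS + "user"), None
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        return None, failure.get("code", "UNKNOWN")
    raise ValueError("not a CAS serviceResponse")


# Constructed sample responses in the shape /proxyValidate returns.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>jsmith</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
# What comes back when the validated 'service' differs from the login-time one.
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    Ticket does not match supplied service
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    svc = construct_service_url("localhost:8080", "",
                                "http://localhost:8080/group/staff/reports?ticket=ST-1")
    print(login_redirect("https://localhost:8443/cas-web/login", svc))
    print(parse_validation_response(SUCCESS_XML), parse_validation_response(FAILURE_XML))
```

With cas.server.name set and cas.service.url blank, the rebuilt service keeps the page the user asked for, which is the deep-linking behaviour; with cas.service.url set, every login returns to that one URL.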
Simple and straight forward explanation to setting up CAS with Liferay and LDAP.

However, I've tried but I didn't manage to get it working.
I'm stuck on a ClassNotFoundException. The authentication handler is not loaded because the "org/springframework/ldap/NamingException" class is not found.
I've tried both CAS Server 3.2.1.1 and CAS 3.4.3.1 with identical results. The spring-ldap-*.jar are in WEB-INF/lib but for some reason Tomcat does not load those jars.

Anyone with the same issue? Thanks in advance for any advice on this.

Jordi
Jordi,
Are you getting the exception from Liferay/CAS Client or the CAS Server? Liferay needs to have a cas-client-core.jar installed in ROOT\WEB-INF\lib with a version that supports the CAS server version since they will be talking to each other. On the CAS server side, I'm building using the maven overlay method detailed in CAS and my pom.xml has an LDAP reference which probably brings in everything needed for the war:
<dependency>
<groupId>org.jasig.cas</groupId>
<artifactId>cas-server-support-ldap</artifactId>
<version>${cas.version}</version>
</dependency>
Hi Ed,

I finally solved the issue by reinstalling everything from scratch (Liferay, Tomcat and CAS from sources). No idea what the problem was. I have another weird issue now ("CAS is Unavailable" with not a single line of error in the logs after submitting user/password) but I'm still working on it.

The problem was on the server (at tomcat startup). I haven't reached the point of talking to Liferay yet.

Thanks
Hi All,
The BasicAutoLogin class is renamed to RememberMeAutoLogin. I hope the following will help you in case you encounter the 'java.lang.ClassNotFoundException: com.liferay.portal.security.auth.BasicAutoLogin' exception...
auto.login.hooks=com.liferay.portal.security.auth.RememberMeAutoLogin
auto.login.hooks=com.liferay.portal.security.auth.RememberMeAutoLogin,com.liferay.portal.security.auth.CASAutoLogin

Thanks and Regards...
As of CAS 3.3.2, you MUST use Spring LDAP's LdapContextSource (org.springframework.ldap.core.support.LdapContextSource) instead of the AuthenticatedLdapContextSource.

https://wiki.jasig.org/display/CASUM/LDAP
If you authenticate based on email address instead of screen name you cannot use the FastBindLdapAuthenticationHandler; instead you can use this:

<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
<property name="filter" value="mail=%u" />
<property name="searchBase" value="dc=example,dc=com" />
<property name="contextSource" ref="contextSource" />
</bean>
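How the two handler configurations resolve a login name, FastBindLdapAuthenticationHandler from step 7 of the post and BindLdapAuthenticationHandler from the comment above, as an added illustration that is not CAS's own code: FastBind substitutes %u into a DN template and binds as that DN, while BindLdap substitutes %u into a search filter, searches under searchBase and binds as the one entry found. The escaping helpers and the in-memory directory are constructed for the example.

```python
"""How the two CAS LDAP handlers on this page turn a login name into a bind DN.

Added illustration, not CAS's own code. FastBind treats its filter as a DN
template ('cn=%u,dc=example,dc=com') and binds as that DN; BindLdap treats it
as a search filter ('mail=%u') under searchBase and binds as the entry found.
The escaping helpers and in-memory directory are constructed for this example.
"""
import re

_DN_SPECIAL = re.compile(r'([\\,+"<>;=])')   # RFC 4514 special characters in a DN value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}  # RFC 4515


def escape_dn_value(value):
    """Escape a value so it stays one RDN value when spliced into a DN template."""
    escaped = _DN_SPECIAL.sub(r"\\\1", value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def escape_filter_value(value):
    """Escape a value so a search filter matches it literally."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def fast_bind_dn(dn_template, username):
    """FastBind: substitute %u in the DN template; the result is the bind DN."""
    return dn_template.replace("%u", escape_dn_value(username))


def build_search_filter(filter_template, username):
    """BindLdap: substitute %u in the filter template to get the search filter."""
    return "(" + filter_template.replace("%u", escape_filter_value(username)) + ")"


def search_then_bind_dn(filter_template, search_base, username, directory):
    """BindLdap: search under search_base; bind only if exactly one entry matches.

    directory is a constructed {dn: {attribute: value}} stand-in for the server;
    only the single equality filter 'attr=%u' used on the page is modelled.
    """
    attr = filter_template.split("=", 1)[0]
    suffix = "," + search_base.lower()
    hits = [dn for dn, attrs in directory.items()
            if dn.lower().endswith(suffix) and attrs.get(attr) == username]
    return hits[0] if len(hits) == 1 else None   # none or ambiguous: reject


# Constructed sample entries under the post's dc=example,dc=com base.
DIRECTORY = {
    "cn=jsmith,dc=example,dc=com": {"cn": "jsmith", "mail": "john.smith@example.com"},
    "cn=adoe,dc=example,dc=com": {"cn": "adoe", "mail": "a.doe@example.com"},
}

if __name__ == "__main__":
    print(fast_bind_dn("cn=%u,dc=example,dc=com", "jsmith"))
    print(search_then_bind_dn("mail=%u", "dc=example,dc=com", "john.smith@example.com", DIRECTORY))
```

The contrast shows why the email case needs BindLdap: the mail attribute is not part of the entry's DN, so no template can produce the bind DN without a search first.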
Hi Nidhi,

Thanks for a nice explanation on how to integrate.
I have a slightly different requirement: integrating Liferay 6 with CAS (already available in a web application) without any LDAP.

Since the CAS set up is already available what are the steps I need to take? As of now I am trying out the below things without any result.

1) Added casclient.jar into ROOT\WEB-INF\lib
2) Added auto.login.hooks=com.liferay.portal.security.auth.BasicAutoLogin,com.liferay.portal.security.auth.CASAutoLogin
to portal-ext.properties.
3) Enabled CAS from the administrator's control panel with values as:
(i)Enabled - Check box enabled by default.
(ii)Import from LDAP - Didn't check the check box since no LDAP in my case.
(iii) Login URL - http://(MACHINE NAME WHERE CAS IS INSTALLED):9080/cas-web/login
(iv) Logout URL - http://(MACHINE NAME WHERE CAS IS INSTALLED):9080/cas-web/logout
(v) Server Name - (MACHINE NAME WHERE CAS IS INSTALLED):9080
(vi) Server URL - http://(MACHINE NAME WHERE CAS IS INSTALLED):9080/cas-web
(vii) Service URL - http://localhost:8080/web/guest/reference

I am able to log in to the portal page instead of getting redirected to the cas-web page.
Need help on anything I am missing out.
I did it step by step, but when I start Tomcat, http://localhost:8443/cas-web/login gives an error. Can you help me? I want to SSO Liferay and Sakai by CAS.
Hello.. I need help. The question is, if I've already installed CAS in Liferay, using the free one, do I need to follow the configuration above?

regards,
iefa
Additional question: how can I use the service that I already installed in Liferay, for example CAS?