How to configure Apache Syncope to log in via SAML 2.0 using Apereo CAS

In this post we are going to see how to perform SAML 2.0 Authentication with Apache Syncope as Service Provider and Apereo CAS as Identity Provider.

Configure Syncope

Let's start by configuring a Syncope embedded instance:

$ mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate \
  -DarchetypeGroupId=org.apache.syncope \
  -DarchetypeArtifactId=syncope-archetype \
  -DarchetypeRepository=https://repository.apache.org/content/repositories/snapshots \
  -DarchetypeVersion=2.1.6-SNAPSHOT

$ mvn -P all clean install
$ cd enduser
$ mvn -P embedded,all

Now that Syncope is running, just for convenience, make sure to have a unique hostname when accessing it from the browser. E.g. for Linux users we can edit our /etc/hosts and add something like the following:

127.0.0.1     syn-saml2.co

this way we'll access the Syncope Admin Console at http://syn-saml2.co:9080/syncope-console.

Configure CAS

Let's do the same process for CAS to have a unique hostname to access it:

127.0.0.1     mycas.com

Building & configuring CAS overlay

Let's download a CAS overlay instance:

$ git clone https://github.com/apereo/cas-overlay-template.git
$ cd cas-overlay-template
        

Now let's set a specific folder for CAS configuration data:

$ sudo mkdir -p /etc/cas/
$ sudo chown -R [USER] /etc/cas/

# The etc directory contains the configuration files
# and directories that need to be copied to /etc/cas/config.
$ ./gradlew copyCasConfiguration

Now we configure CAS for SAML 2.0 and to fetch services from JSON file (we'll need this for later):

dependencies {
    // ...
    implementation "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
    implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
}

and make sure to have the following repository url:

repositories {
    // ...
    maven {
        mavenContent { releasesOnly() }
        url "https://build.shibboleth.net/nexus/content/repositories/releases/"
    }
}

then we edit the local properties file ./etc/cas/config/cas.properties (see CAS Properties), and let's use the following properties:

cas.server.name=https://mycas.com:8443

## SAML2 IdP
cas.authn.samlIdp.entityId=https://mycas.com/idp
cas.authn.samlIdp.metadata.location=file:/etc/cas/saml

## Service Registry
cas.serviceRegistry.json.location=file:/etc/cas/services

now we copy the local configuration to the remote config folder:

$ ./gradlew copyCasConfiguration

Now we add a new CAS service under /etc/cas/services, with file name in the form serviceName + "-" + serviceNumericId + ".json"; let's create /etc/cas/services/SAMLService-10000003.json with the following content:

{
    "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
    "serviceId" : "http://syn-saml2.co:9080/syncope-console/",
    "name" : "SAMLService",
    "id" : 10000003,
    "evaluationOrder" : 1,
    "metadataLocation" : "/etc/cas/saml/idp-syncope-console.xml"
}

See JSON Service Registry for more info about it.

It is time to download the Syncope SP metadata file, so let's acces the Admin Console and go to ExtensionsSAML 2.0 SPService ProviderMetadata. We rename it and put under /etc/cas/saml/:

$ mv ~/Scaricati/Master-SAML-SP-Metadata.xml /etc/cas/saml/idp-syncope-console.xml

Deploy CAS

We need to create a keystore file under `/etc/cas`, but first, we need to change the cn that the keystore will use (to match our) and so it is enough to change it in the gradle task, so that we will still be able to use the CAS task to generate our keystore and won't need any keytool command for the purpose; change the following lines in ./gradle/tasks.gradle:

# ...
def dn = "CN=mycas.com,OU=Com"
# ...
def subjectAltName = "dns:mycas.com,ip:127.0.0.1"

now we can generate the keystore:

$ ./gradlew createKeystore

Ensure the keystore is loaded up with keys and certificates of the server. Then import it in our certs repository, e.g. by running:

$ sudo keytool -import \
  -keystore $JAVA_HOME/lib/security/cacerts \
  -trustcacerts \
  -file /etc/cas/cas.cer \
  -alias CAScert

# default password is: changeit

As final step, build CAS and run the web application as an executable WAR:

$ ./gradlew clean build
$ ./gradlew run

The CAS console will be accessible at https://mycas.com:8443/cas.

Add CAS IdP to Syncope

  • We get the CAS metadata file by accessing https://mycas.com:8443/cas/idp/metadata or directly in /etc/cas/saml/idp-metadata.xml
  • Upload it to Syncope, from Admin Console (ExtensionsSAML 2.0 SPIdentity Providers → click the "+" icon)
  • Logout from Syncope and login by using the SAML provider we just added (use the dropdown in the Syncope Console form)
  • When landing on CAS, we just use the default credentials: casuser / Mellon

For more info take a look at the official CAS blog post CAS - SAML2 Authentication.

You can review a complete example on my Github repo.

3 VOTIYes, Excellent!Yes, Excellent!
Ti è stato utile questo articolo?
From Tirasa's Blog
The place where we share what we do, learn and discover day by day.
Go to blog >