Configuring Central Authentication Service Single Sign-on

NOTE:

This feature is currently available only under the Early Access Program and therefore requires a special license.

This article describes the steps required to set up Central Authentication Service (CAS) Single Sign-on (SSO) for the YSoft SafeQ 5 web interface. Configuring SSO requires advanced knowledge of system configuration and of working with configuration files.

This article also assumes that you are familiar with Central Authentication Service (CAS) and are able to set it up; CAS configuration is out of scope of this document.

Configuration

  1. Log in to the YSoft SafeQ web interface as an administrator user.

  2. Go to the System > System settings page, find the property ssoAuthenticationType and set it to the Central Authentication Service Single Sign-On (CAS) value. Note that this option is visible in the combo box only with an EAP license.

  3. Save the changes and log out of the web interface.

  4. Stop the YSoft SafeQ Web Interface operating system service.

  5. Find the SAFEQ_DIRECTORY/tomcat/cmlweb/WEB-INF/web.xml file in the folder where YSoft SafeQ 5 is installed and add the lines listed in the block below right before the last </web-app> tag. All placeholders (CAS_SERVER_IP, CAS_SERVER_PORT, SAFEQ_SERVER_IP, SAFEQ_SERVER_PORT) must be replaced with the required values for the server being modified. If the CAS server is configured in a non-standard way, the rest of the URL after the CAS server placeholders may have to be modified as well.

  6. Start the YSoft SafeQ Web Interface operating system service.

  7. Access the URL of the YSoft SafeQ web interface. The CAS login page should be displayed instead. If the user enters correct authentication credentials and a user with the same username is registered in the YSoft SafeQ system (manually created or replicated from an LDAP domain), they should be immediately logged in to the system and see their Dashboard page. The same scenario applies to the Mobile Print web if it is licensed and enabled.

  8. The previous steps related to the physical server must be performed for all cluster server nodes in the case of a multi-node cluster system, and for all ORS servers (SAFEQ_DIRECTORY/tomcat/orsweb/WEB-INF/web.xml) when CAS authentication should also be used for Mobile Print web authentication.

web.xml settings
<context-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>http://CAS_SERVER_IP:CAS_SERVER_PORT/cas</param-value>
</context-param>
<context-param>
    <param-name>serverName</param-name>
    <param-value>http://SAFEQ_SERVER_IP:SAFEQ_SERVER_PORT</param-value>
</context-param>

<context-param>
    <param-name>logoutCallback</param-name>
    <param-value>http://CAS_SERVER_IP:CAS_SERVER_PORT/cas/logout</param-value>
</context-param>
<filter>
    <filter-name>Exclusion Filter</filter-name>
    <filter-class>com.ysoft.safeq.filter.ExclusionFilter</filter-class>
</filter>
<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>http://CAS_SERVER_IP:CAS_SERVER_PORT/cas/login</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
</filter>
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>Exclusion Filter</filter-name>
    <url-pattern>/img/*</url-pattern>
    <url-pattern>/js/*</url-pattern>
    <url-pattern>/web/js/*</url-pattern>
    <url-pattern>/css/*</url-pattern>
    <url-pattern>/web/css/*</url-pattern>
    <url-pattern>/failure.jsp</url-pattern>
    <url-pattern>/servlet/web.mobile.MobileConfigurationServlet</url-pattern>
    <url-pattern>/servlet/web.mobile.MobileLicenseServlet</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
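
A check to run on the edited web.xml before restarting the service in step 6, added here as an example (it is not YSoft or CAS client code): it reports placeholders from step 5 that were left unreplaced, CAS URLs that do not sit under casServerUrlPrefix, filter-mappings with no matching filter, and http:// URLs. Flagging http:// assumes the deployment is expected to use TLS; the function name, hostnames and sample document are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Placeholder names are the ones listed in step 5 of this article.
PLACEHOLDER = re.compile(r"(CAS|SAFEQ)_SERVER_(IP|PORT)")
URL_PARAMS = {"casServerUrlPrefix", "serverName", "logoutCallback", "casServerLoginUrl"}

# Constructed sample: one placeholder left in, a login URL pointing at a
# different host than the prefix, and a mapping for a filter never declared.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param><param-name>casServerUrlPrefix</param-name>
    <param-value>https://cas.example.test:8443/cas</param-value></context-param>
  <context-param><param-name>serverName</param-name>
    <param-value>http://SAFEQ_SERVER_IP:80</param-value></context-param>
  <context-param><param-name>logoutCallback</param-name>
    <param-value>https://cas.example.test:8443/cas/logout</param-value></context-param>
  <filter><filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param><param-name>casServerLoginUrl</param-name>
      <param-value>https://old-cas.example.test/cas/login</param-value></init-param></filter>
  <filter-mapping><filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

def check_web_xml(text):
    """Return findings for the CAS settings in a web.xml document (empty list = clean)."""
    params, declared, mapped, findings = {}, set(), set(), []
    for el in ET.fromstring(text).iter():
        # Strip any namespace from tag names: '{ns}filter' -> 'filter'.
        tag = el.tag.rsplit("}", 1)[-1]
        kids = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
        if tag in ("context-param", "init-param") and kids.get("param-name") in URL_PARAMS:
            params[kids["param-name"]] = kids.get("param-value", "")
        elif tag == "filter":
            declared.add(kids.get("filter-name"))
        elif tag == "filter-mapping":
            mapped.add(kids.get("filter-name"))
    findings += [f"{n}: missing" for n in sorted(URL_PARAMS - params.keys())]
    for name, value in sorted(params.items()):
        if PLACEHOLDER.search(value):
            findings.append(f"{name}: placeholder not replaced")
        if value.startswith("http://"):  # assumption of this example: TLS is expected
            findings.append(f"{name}: cleartext http URL")
    prefix = params.get("casServerUrlPrefix", "").rstrip("/") + "/"
    for name in ("casServerLoginUrl", "logoutCallback"):
        if name in params and not params[name].startswith(prefix):
            findings.append(f"{name}: not under casServerUrlPrefix")
    findings += [f"filter-mapping '{n}': no matching <filter>" for n in sorted(mapped - declared)]
    return findings
```

Pass the contents of the edited file to check_web_xml and repeat the check for every node and ORS server covered by step 8; an empty list means none of these problems were found.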


Troubleshooting

The feature can be debugged by adding (or uncommenting) the following lines in SAFEQ_DIRECTORY/tomcat/cmlweb/WEB-INF/classes/log4j.xml.

Debug messages will be logged into the cmlweb.log file.

log4j.xml debug settings
<category name="org.jasig.cas.client" additivity="false">
    <level value="debug" />
    <appender-ref ref="console_app" />
</category>

<category name="com.ysoft.safeq.filter.ExclusionFilter" additivity="false">
    <level value="debug" />
    <appender-ref ref="console_app" />
</category>

Limitations

  • It is not possible to log in to the YSoft SafeQ web interface manually when CAS authentication is enabled.

  • The user is not redirected to the CAS authentication service screen after logging out of the Mobile Print web interface. The user has to click the login button without entering credentials, or refresh the page, to be redirected to the CAS authentication service.