Configure Central Authentication Service (CAS)
Many campuses use some kind of single sign on, such as JASIG's Central Authentication Service, or CAS. This guide describes how to integrate Opencast into such a system.
First, you need to edit the file
etc/org.apache.karaf.features.cfg and add the
opencast-security-cas to the
featuresBoot = ..., opencast-security-cas
In a single-tenant deployment, your
security.xml file is under
OPENCAST_HOME/etc/security/mh_default_org.xml. In an
RPM/DEB based installation, it is located in
/etc/opencast/security/mh_default_org.xml. You should make a backup copy
of the file and substitute it by the sample file named
security_sample_cas.xml-example. In other words:
$> cd etc/security $> mv mh_default_org.xml mh_default_org.xml.old $> cp security_sample_cas.xml-example mh_default_org.xml
The sample file should be exactly the same as the default security file, except for the parts only relevant to the CAS. If you have done custom modifications to your security file, make sure to incorporate them to the new file, too.
Add the necessary configuration values to the CAS section of the new security file. The comments should be self-explanatory.
You must modify several settings in the sample to point to your CAS server:
<bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"> <property name="loginUrl" value="https://auth-test.berkeley.edu/cas/login"/> <property name="serviceProperties" ref="serviceProperties"/> </bean> <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"> <property name="userDetailsService" ref="userDetailsService"/> <property name="serviceProperties" ref="serviceProperties" /> <property name="ticketValidator"> <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"> <constructor-arg index="0" value="https://auth-test.berkeley.edu/cas" /> </bean> </property> <property name="key" value="cas"/> </bean>
You will also need to set the public URL for your Opencast server:
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties"> <property name="service" value="http://localhost:8080/j_spring_cas_security_check"/> <property name="sendRenew" value="false"/> </bean>
Now the system knows all the information necessary to authenticate users against CAS, but also need some authorization information, to tell which services the user is allowed to use and which resources is allowed to see and/or modify.
You will need to configure a UserProvider to look up users as identified by CAS.