Geoff McGregor, Indiana University Integra(ng KC with CAS and LDAP 4/25/2012

Transcription

1 2012 User Conference April 22-24, 2012 Atlanta, Georgia Together Toward Tomorrow Geoff McGregor, Indiana University Integra(ng KC with CAS and LDAP 4/25/2012 open source administration software for education!

2 Key Concepts Authen;ca;on Prove you are who you say you are Example: enter a username + password In Kuali, a username is also known as a principal Authoriza;on Do you have the right to do what you re trying to do? System uses the authen;cated principal to decide

3 Key Concepts Kuali Iden;ty Management (KIM) Rice module charged with managing en;ty data, authen;ca;on, and authoriza;on for all Rice client applica;ons Can also be bundled within KC and used only by KC Provides a service API and a database- backed reference implementa;on

4 Key Concepts Authen;ca;on Filter Used by Java web applica;ons to intercept incoming requests and check creden;als Rice ships with a simple dummy login filter user must enter a username Recommended for demo instances only not produc;on! You can write your filter to work with any authn provider you choose database, LDAP, X509 cer;ficates, etc.

5 Servlet Filters

6 Adding a new Authen;ca;on Filter You will need to provide a filter to implement your authn mechanism of choice and pass the authen;cated principal to KC We ll implement a CAS filter to look at the KIM principal tables, and also look at how to configure it to query LDAP CAS exercise is an example not your only op;on!

7 Adding a new Authen;ca;on Filter KC project will work with Coeus schools to provide appropriate implementa;ons for func;onal equivalence There s an excellent chance your ins;tu;on already provides a central web authen;ca;on service you just have to hook into it!

8 CAS Authen;ca;on Central Authen;ca;on Service (CAS) A robust single sign- on service that s a really good choice for authen;ca;on hhp://

9 CAS Authen;ca;on source:

10 Registering the filter Must be registered in web.xml You can add addi;onal filters to kc- config.xml and they will be picked up on startup BootstrapFilter.java The appended numerical.x will determine the order in which they are hit

11 Registering the filter For CAS, we will actually register three filters: HIpServletRequestWrapperFilter You can implement single sign- on/sign- out to log in/out of mul;ple webapps connected to the same CAS server Useful if you are running Rice standalone More info: hhps://wiki.kuali.org/x/yrs1eg

12 Kuali- CAS Kuali- CAS is a kuali- fied version of CAS By default, it queries the KIM Principal table org.jasig.cas.client.authen@ca@on.authen@ca@onfilter An LDAP implementa;on is also available on github hhps://github.com/r351574nc3/kuali- cas Wrihen by Leo Przybylski (rsmart) Leo s blog entry: hhp://kualigan.blogspot.com/ 2012/04/ldap- cas- implementa;on.html

13 Kuali- CAS LDAP Integra;on Modify custom.proper;es: ldap.server.url=ldap://localhost:10389 ldap.server.bind.username=uid=admin,ou=system ldap.server.bind.password=secret ldap.authentication.filter=uid=%u,ou=system ldap.searchbase=o=whoniverse Or, use as a reference for your own implementa;on

14 Authen;ca;onService KIM Service for extrac;ng authen;cated principal from incoming request Default is simply request.getremoteuser() If your filter puts the authen;cated principal somewhere else, you ll need to provide an alternate implementa;on of Authen;ca;onService

15 LDAP Integra;on You can also override the KIM services to query LDAP for En;ty informa;on beyond authen;ca;on. Beyond the scope of this exercise, but if you re interested: hhps://wiki.kuali.org/x/fsyreg

16 Mul;campus KC supports mul;campus authen;ca;on Shared usernames across campuses Filtering on campus- specific data KC ships with a dummy mul;campus authen;ca;on filter and authen;ca;on service org.kuali.kra.web.filter.mul;campusdummyl oginfilter

17 Exercise