Cas: Difference between revisions
Change the "Reset password?" button
Edit the text message in /cas/WEB-INF/classes/messages.properties line 27 and the redirect link in /cas/WEB-INF/classes/templates/fragments/pmlinks.html line 32.
Revision as of 11:44, 17 January 2020
Cas 6.1.x
Install Tomcat 9
apt-get install openjdk-11-jdk
apt-get install tomcat9
Copy certificates from proxy with rsync
Add the public key of the user that is going to copy the certificates to the /root directory (more details here: http://docswiki.newro.co/index.php/SSHKeyAuth#Install_key_authentication_for_an_account). Then create the script /opt/bin/letsencrypt_sync:
#!/bin/sh
# copy the proxy's letsencrypt tree, keeping only symlinks that stay inside it;
# both stdout and stderr go to the log (the redirections must be in this order)
/usr/bin/rsync -rl --safe-links --rsync-path="/usr/bin/sudo /usr/bin/rsync" <user>@<proxy-ip>:/etc/letsencrypt/ /etc/letsencrypt-proxy/ >> /var/log/letsencrypt_sync.log 2>&1
# bundle the chain and the private key into the PKCS12 keystore tomcat reads
openssl pkcs12 -export -in /etc/letsencrypt-proxy/live/<domain>/fullchain.pem -inkey /etc/letsencrypt-proxy/live/<domain>/privkey.pem -out /opt/bin/fullchain_and_key.p12 -name tomcat -password pass:<password>
systemctl restart tomcat9
Make it executable
chmod +x /opt/bin/letsencrypt_sync
Install rsync if not already
apt-get install rsync
Run the script for initial copy
/opt/bin/letsencrypt_sync
Create a crontab for automatic copy
crontab -u root -e
And add this to the file:
0 0 * * * /opt/bin/letsencrypt_sync
Enable SSL
Edit /etc/tomcat9/server.xml, uncomment the following section and adjust it as needed (replace <password> with the password used in the script above):
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/opt/bin/fullchain_and_key.p12" keystoreType="PKCS12"
           keystorePass="<password>" />
Restart tomcat and you should be able to access it at https://my.domain.com:8443
systemctl restart tomcat9
Add the following directive to the HTTPS proxy vhost so the proxy can forward to Tomcat over TLS:
SSLProxyEngine On
Install CAS
Download the CAS Overlay Template needed for installation.
mkdir /opt/cas
cd /opt/cas
wget https://github.com/apereo/cas-overlay-template/archive/6.1.zip
unzip 6.1.zip
cd cas-overlay-template-6.1
First, you need to open the file build.gradle and add the necessary dependencies. Here are the base dependencies that you'll most probably need:
dependencies {
    compile "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}"
    compile "org.apereo.cas:cas-server-support-ldap:${casServerVersion}"
    compile "com.unboundid:unboundid-ldapsdk:4.0.14"
    compile "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
}
For more dependencies like SAML, OAuth2, OpenID Connect, 2 Factor Authentication, etc. visit this page: https://apereo.github.io/cas/6.1.x/index.html
By default the CAS build does not expose all the resources you need to configure and customize your instance, so first make them available to the war file you are about to build:
./gradlew explodeWar
mkdir src/main/resources
cp -r build/cas-resources/* src/main/resources/
Now we can build the application war file.
./gradlew clean build
Move the resulting war file into the tomcat webapps folder
cp build/libs/cas.war /var/lib/tomcat9/webapps/
Note: CAS 6.1 requires Tomcat 9.0.27 or newer. An older Tomcat 9 can still work, but then the following must be set in /var/lib/tomcat9/webapps/cas/WEB-INF/classes/application.properties
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.web.embedded.EmbeddedWebServerFactoryCustomizerAutoConfiguration
To control which services/apps are allowed to authenticate through CAS, add this line to the configuration
cas.serviceRegistry.initFromJson=true
Comment out these 2 lines in the configuration (as shown, with a leading #) to disable the default static account.
#cas.authn.accept.users=casuser::Mellon
#cas.authn.accept.name=Static Credentials
To use an LDAP server as the user source, add this configuration
cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://ldap.domain.com
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=cn=Users,dc=<domain>,dc=local
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].bindDn=cn=<bind-user>,cn=Users,dc=<domain>,dc=local
cas.authn.ldap[0].bindCredential=<password>
cas.authn.ldap[0].trustCertificates=file:/opt/samba-cert/samba-cert.pem
cas.authn.ldap[0].principalAttributeList=mail
Restart tomcat
systemctl restart tomcat9
2 Factor Authentication (2FA)
Note: CAS calls 2 Factor Authentication (2FA) Multifactor Authentication (MFA), mainly because several 2FA providers can be chained in a given order (e.g. user/pass -> 2FA SMS -> 2FA email -> successful login).
To be able to use email 2FA you first need to add this to the dependencies before building CAS
compile "org.apereo.cas:cas-server-support-simple-mfa:${project.'cas.version'}"
Next you need to install postfix
apt-get install postfix
Add these lines to the CAS config in /var/lib/tomcat9/webapps/cas/WEB-INF/classes/application.properties
cas.authn.mfa.globalProviderId=mfa-simple
cas.authn.mfa.simple.name=Email MFA
cas.authn.mfa.simple.order=1
cas.authn.mfa.simple.timeToKillInSeconds=180
cas.authn.mfa.simple.tokenLength=6
cas.authn.mfa.simple.mail.from=no-reply@my.domain.com
cas.authn.mfa.simple.mail.text=This is your 2FA code for CAS authentication: %s
cas.authn.mfa.simple.mail.subject=CAS 2FA Code
cas.authn.mfa.simple.mail.validateAddresses=false
cas.authn.mfa.simple.mail.html=false
cas.authn.mfa.simple.mail.attributeName=mail
spring.mail.host=localhost
spring.mail.port=25
spring.mail.testConnection=true
spring.mail.properties.mail.smtp.auth=false
spring.mail.properties.mail.smtp.starttls.enable=false
SMS (Nexmo)
To be able to use SMS 2FA you first need to add this to the dependencies before building CAS
compile "org.apereo.cas:cas-server-support-simple-mfa:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-sms-nexmo:${project.'cas.version'}"
Create an account on Nexmo (https://dashboard.nexmo.com/sign-up). Then create a new application, which gives you an API key and a secret.
Add these lines to the CAS config in /var/lib/tomcat9/webapps/cas/WEB-INF/classes/application.properties
# you probably have this already in your config; just add the phone attribute
cas.authn.ldap[0].principalAttributeList=mail,telephoneNumber
cas.authn.mfa.globalProviderId=mfa-simple
cas.authn.mfa.simple.name=SMS 2FA
cas.authn.mfa.simple.order=1
cas.authn.mfa.simple.timeToKillInSeconds=180
cas.authn.mfa.simple.tokenLength=6
cas.authn.mfa.simple.sms.from=CAS
cas.authn.mfa.simple.sms.text=This is your CAS 2FA code: %s
cas.authn.mfa.simple.sms.attributeName=telephoneNumber
cas.smsProvider.nexmo.apiToken=<api-key>
cas.smsProvider.nexmo.apiSecret=<api-secret>
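An added example, not from this wiki page: a small Python linter for the LDAP and MFA settings configured above. The property names are the page's own; the sample config is constructed. It parses the .properties format and flags the default static account, an unprotected ldap:// bind, a missing trustCertificates, a placeholder bindCredential, and an inline '#' comment, which Java properties treat as part of the value.

```python
import re
# Constructed sample, not a live config: the page's snippets merged into one
# application.properties with the settings it tells you to fix still present.
SAMPLE_CONFIG = """\
cas.authn.accept.users=casuser::Mellon
cas.authn.accept.name=Static Credentials
cas.serviceRegistry.initFromJson=true
cas.authn.ldap[0].ldapUrl=ldap://ldap.domain.com
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].bindDn=cn=<bind-user>,cn=Users,dc=<domain>,dc=local
cas.authn.ldap[0].bindCredential=<password>
cas.authn.ldap[0].principalAttributeList=mail,telephoneNumber #add the phone attribute
cas.authn.mfa.globalProviderId=mfa-simple
"""
PLACEHOLDER = re.compile(r"<[^>]+>")  # the <password>-style placeholders used on this page

def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#' or '!' lines are comments.
    Only the first '=' splits, so a bindDn like cn=Users,dc=... stays intact."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return findings for the settings this page configures; [] means clean."""
    findings = []
    if "cas.authn.accept.users" in props:
        findings.append("static account cas.authn.accept.users is still enabled")
    if props.get("cas.serviceRegistry.initFromJson") != "true":
        findings.append("cas.serviceRegistry.initFromJson is not true")
    for key, value in props.items():  # '#' is a comment only at line start
        if "#" in value:
            findings.append(f"{key}: text after '#' is part of the value, not a comment")
    ldap = {k.split("].", 1)[1]: v for k, v in props.items() if k.startswith("cas.authn.ldap[0].")}
    if ldap:
        if not ldap.get("ldapUrl", "").startswith("ldaps://") and ldap.get("useStartTls") != "true":
            findings.append("LDAP bind is not protected by ldaps:// or StartTLS")
        if "trustCertificates" not in ldap:
            findings.append("trustCertificates not set; LDAP server certificate is not pinned")
        if PLACEHOLDER.fullmatch(ldap.get("bindCredential", "")):
            findings.append("bindCredential is still a placeholder")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE_CONFIG)):
        print("WARN:", finding)
```

Run it against /var/lib/tomcat9/webapps/cas/WEB-INF/classes/application.properties before each tomcat restart; the sample config produces five findings.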
Change login page design
Add a new logo
To add a logo to the login page, first copy the .png file to the /cas/WEB-INF/classes/static directory and change the file ownership to the tomcat user:
sudo chown tomcat:tomcat /cas/WEB-INF/classes/static/<logo>.png
Add the following line to /cas/WEB-INF/classes/static/templates/fragments/header.html before or after the line that references the ".svg" file:
<a href="https://newro.co/"><img src="/cas/newroco_logo.png" style="width: 374px;height: 42px;"/></a>
To remove the drop down menu, remove all the "