
Setting up SSO CAS

This document describes how BlueMind recognizes CAS (Central Authentication Service) authentication.

How CAS authentication works

For initial authentication:

  1. The user tries to connect to BlueMind, which they open in their browser.
  2. As the user has not yet been authenticated, the BlueMind server redirects the browser to the CAS server for authentication.
  3. Once authenticated, a CAS cookie is placed in the user's browser, and the user is redirected to BlueMind with a ticket to validate.
  4. The BlueMind server:
    1. sees this ticket,
    2. asks the CAS server whether it is valid,
    3. if it is, authorizes the connection and sets a BlueMind cookie in the browser.

On next authentication:

  1. The client (the user's browser) requests access to the BlueMind server again.
  2. As it presents the BlueMind cookie, the user is automatically authenticated for as long as this cookie is valid.
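The server-side check from step 4, written here in Python as an added illustration (this is not BlueMind's own code): it builds the CAS 2.0 serviceValidate request, parses the XML reply the CAS server returns, and maps the CAS login onto a BlueMind login in the configured default domain, which is where the "Error 403" case below comes from. The two XML replies, the hostnames and the user list are constructed samples.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Namespace used by CAS 2.0/3.0 serviceValidate responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample replies in the shape a CAS server returns (not captured from a real server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

def validate_url(cas_server_url, service, ticket):
    """Step 4.2: the serviceValidate request; 'service' must be the URL the ticket was issued for."""
    return cas_server_url.rstrip("/") + "/serviceValidate?" + urlencode({"service": service, "ticket": ticket})

def parse_service_response(xml_text):
    """Return (True, cas_login) on success, (False, failure_code) otherwise."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.find("cas:user", CAS_NS)
        if user is not None and user.text and user.text.strip():
            return True, user.text.strip()
        return False, "MISSING_USER"  # success element without a login: do not trust it
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return False, failure.get("code", "UNKNOWN")
    return False, "MALFORMED_RESPONSE"

def resolve_bluemind_login(cas_login, default_domain, existing_logins):
    """Map the CAS login onto login@default_domain; None is the 'Error 403' case."""
    login = cas_login if "@" in cas_login else cas_login + "@" + default_domain
    return login if login in existing_logins else None

def authorize(xml_text, default_domain, existing_logins):
    """Step 4.3: open the session only for a valid ticket and an existing BlueMind user."""
    ok, value = parse_service_response(xml_text)
    if not ok:
        return {"status": "denied", "reason": value}
    login = resolve_bluemind_login(value, default_domain, existing_logins)
    if login is None:
        return {"status": "denied", "reason": "403: no account for " + value}
    return {"status": "granted", "login": login}

if __name__ == "__main__":
    print(authorize(SUCCESS_XML, "example.com", {"jdoe@example.com"}))
    print(authorize(FAILURE_XML, "example.com", {"jdoe@example.com"}))
```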

For more information

Installation

Install the required package:

aptitude install bm-plugin-hps-cas

Then restart BlueMind:

bmctl restart

Configuration

  1. Logged in as admin0, go to System management > System configuration > Authentication tab.
  2. Select the CAS authentication mode from the drop-down menu and fill in the associated fields:
    • CAS server URL
    • Default BlueMind domain
  3. Click on "Save" to save your changes.
  4. Restart the bm-webserver service.

Users will then be automatically redirected to the CAS server when accessing the authentication page.

Known errors

Error 403: Your user account does not exist in this BlueMind.

Cause: This error message means that the login with which the user authenticated to CAS does not exist in this domain. This can happen when the user has not yet been created in BlueMind, or deliberately, because you do not want the user to have access.

Solutions: Two solutions are possible:

  1. Create in BlueMind, in the right domain, the user associated with the CAS login.
  2. Ignore the error if access was refused deliberately.

Error 500: Internal Server Error

There may be several reasons for this error message. To investigate and resolve the cause, consult the webserver logs.

Using a self-signed certificate or an unknown certification authority

Symptoms: If the CAS server uses a self-signed certificate, or its certification authority is not among those trusted by the BlueMind JVM, a security error occurs when establishing the HTTPS connection to the CAS server.

Solution: To resolve this error, import the self-signed certificate or the root CA certificate into the JVM truststore used by BlueMind, then restart BlueMind so the new entry is picked up.

keytool -import -trustcacerts -alias cas -file cert_racine.crt -keystore /usr/lib/jvm/bm-jdk/lib/security/cacerts
Enter keystore password: changeit

For more information, see http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html