This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Configuring CAS Inbound Authenticator
This topic provides instructions on how to configure the CAS inbound authenticator and the WSO2 Identity Server and demonstrates this integration using a sample app (cas-client-webapp).
This procedure was tested using Java 8. The current version of the CAS Inbound authenticator is not supported with a tenant user.
- The CAS Inbound Authenticator version 1.0.2 is supported by WSO2 Identity Server version 5.2.0.
- The CAS Inbound Authenticator version 2.0.1 is supported by WSO2 Identity Server version 5.3.0.
- The CAS Inbound Authenticator version 2.0.2 is supported by WSO2 Identity Server versions 5.3.0 to 5.8.0 (latest WUM), and 5.9.0 to 5.10.0.
To view documentation for the CAS authenticator version 2.0.2, go to the v2.0.2 tag of the identity-outbound-auth-cas GitHub repository.
See the following sections for more information on configuring this integration.
Prerequisites
Download WSO2 Identity Server from the WSO2 Identity Server product page and install it by following the instructions in the Installing the Product topic.
Download the sample CAS client webapp (cas-client-webapp.war) from https://github.com/wso2-docs/IS/tree/master/IS-Connector-Artifacts/CAS
Download the CAS Version 1.0.2 Inbound Authenticator JAR from the store for this authenticator and CAS Version 2.0.1 Inbound Authenticator JAR from the store for this authenticator.
If you want to upgrade the CAS Inbound Authenticator (.jar) in your existing IS pack, refer to the upgrade instructions.
- The CAS login URL is required if you want to use it in your own app. It must be:
  https://<IS_IP>:9443/identity/cas/login
Configuring cas-client-webapp
- Generate a keystore to enable HTTPS requests in your web container (e.g., Tomcat).
  Use the following keytool command inside the web container's bin directory (e.g., <TOMCAT_HOME>/bin) to create a keystore with a self-signed certificate. During the keystore creation process, you need to assign a password and fill in the certificate's details.
      keytool -genkey -alias localhost -keyalg RSA -keystore "PATH_TO_CREATE_KEYSTORE/KEYSTORE_NAME"
  Tip: Here, localhost is the same name as the machine's hostname.
  Add the following connector in the server.xml file in your web container (e.g., <TOMCAT_HOME>/conf/server.xml):
      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150" scheme="https" secure="true"
                 clientAuth="false" sslProtocol="TLS"
                 keystoreFile="PATH_TO_CREATED_KEYSTORE/KEYSTORE_NAME"
                 keystorePass="KEYSTORE_PASSWORD" />
  Tip: KEYSTORE_PASSWORD is the password you assigned to your keystore via the keytool command.
- To establish the trust between cas-client-webapp and CAS-Server (WSO2 IS), take the following steps:
  - Go to the <IS_HOME>/repository/resources/security/ directory and execute the following command to create a certificate file for the wso2carbon JKS.
        keytool -export -alias wso2carbon -file wso2.crt -keystore wso2carbon.jks -storepass wso2carbon
  - Inside the above directory, use the following command to import the CAS server certificate (wso2.crt) into the system truststore of the CAS client. You will be prompted for the keystore password, which is by default changeit.
        keytool -import -alias wso2carbon -file wso2.crt -keystore PATH-TO-jre/lib/security/cacerts
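The following script is an added example, not part of the WSO2 documentation: it checks that the certificate imported into the client truststore is the same one exported from wso2carbon.jks by comparing SHA-256 fingerprints taken from keytool's verbose output. The function names, the script name in the usage comment and the sample keytool output (including the fingerprints) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the WSO2 docs): confirm that the certificate imported
# into the client truststore is the one exported from wso2carbon.jks.

# Read `keytool -printcert` or `keytool -list -v` output on stdin and print the
# SHA-256 fingerprint as upper-case hex without colons (empty if none found).
sha256_of() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*$/\1/p' |
        head -n 1 | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed only if both keytool outputs carry the same, non-empty fingerprint.
same_cert() {
    a=$(printf '%s\n' "$1" | sha256_of)
    b=$(printf '%s\n' "$2" | sha256_of)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Real check. $1 = exported cert (wso2.crt), $2 = truststore (cacerts),
# $3 = truststore password. Returns 2 if keytool itself fails.
verify_import() {
    exported=$(keytool -printcert -file "$1") || return 2
    imported=$(keytool -list -v -alias wso2carbon -keystore "$2" -storepass "$3") || return 2
    same_cert "$exported" "$imported"
}

# Constructed keytool output for an offline dry run; fingerprints are made up.
FP_A='01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF'
FP_B='FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10'
SAMPLE_EXPORTED="Certificate fingerprints:
     SHA1: (omitted)
     SHA256: $FP_A"
SAMPLE_IMPORTED_OK="Alias name: wso2carbon
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA256: $FP_A"
SAMPLE_IMPORTED_BAD="Alias name: wso2carbon
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA256: $FP_B"

# Usage: sh verify_trust.sh wso2.crt PATH-TO-jre/lib/security/cacerts PASSWORD
if [ "$#" -eq 3 ]; then
    if verify_import "$@"; then echo "MATCH"; else echo "MISMATCH or keytool error"; fi
fi
```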
Deploying CAS artifacts
- Place the cas-client-webapp.war file into the webapps directory of the web-container (e.g., <TOMCAT_HOME>/webapps).
- Place the org.wso2.carbon.identity.sso.cas-1.0.2.jar file (for Identity Server 5.3.0, use the cas-2.0.1.jar file instead as described in the note below) into the <IS_HOME>/repository/components/dropins directory and restart the Identity Server.
If you are using WSO2 Identity Server 5.3.0, make sure to take the WUM updated product since this feature needs some core fixes done to the product.
Configuring the service provider
Now, you are ready to configure WSO2 Identity Server by adding a new service provider.
- Run WSO2 Identity Server.
- Log in to the management console as an administrator.
- In the Identity section under the Main tab, click Add under Service Providers.
- Enter cas-client-webapp in the Service Provider Name text box and click Register.
- In the Inbound Authentication Configuration section, click CAS Configuration.
- Configure the Service Url: https://localhost:8443/cas-client-webapp/
  Service URL refers to the URL of the application that the client is trying to access.
- Go to Claim Configuration and click to add the requested claims. (This is required to show requested claims as user attributes in the cas-client-webapp; otherwise, no attributes will be shown.) Add the Service Provider Claim name that corresponds to the Local Claim URI and mark it as Requested Claim.
- Click Update to save the changes. Now you have configured the service provider.
Testing the sample
- To test the sample, navigate to https://[server-address]/cas-client-webapp/ in your browser (i.e., go to the following URL: https://localhost:8443/cas-client-webapp/).
- The basic authentication page appears. Use your IS username and password.
- If you have successfully logged in, you will see the following CAS Home page of cas-client-webapp with the authenticated user and user attributes.