
We need to set up a CAS server to do SSO with our applications (all in Java). Here is my situation:

  1. CAS1: Existing CAS server, based on Oracle LDAP (we have no control of the CAS1 and the LDAP). We plan to ignore this one. Several applications are integrated with this CAS.

  2. CAS2: We plan to set up a new CAS server based on MS Active Directory, because we have a lot of new users. We plan to maintain them in AD. We plan to set up SSO for the same applications with our CAS2 too.

What we need is that both users from existing LDAP and our new AD can log into the applications by SSO.

  1. Is there a simple way, like setting up my new CAS to use both LDAP and AD, so users from both sides can log in to our applications? This is the better way, I think, if possible. Is there a detailed example?

  2. Can I set up federation between the two CAS servers? Is it possible for Jasig CAS?

Please help! Thanks a lot!

user3121426

1 Answer


Yes, it's possible for CAS to authenticate against multiple sources. In your authenticationManager bean, you should have a property named authenticationHandlers; in there, define multiple AuthenticationHandler beans. For my setup, I have a local file (for monitoring users from Munin/Nagios) authentication handler and a BindLdapAuthenticationHandler:

<property name="authenticationHandlers">
    <list>
        <!-- This is the authentication handler that authenticates 
        services by means of callback via SSL, thereby validating 
        a server side SSL certificate. -->
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" />
        <bean class="org.jasig.cas.adaptors.generic.FileAuthenticationHandler" p:fileName="${cas.localuser.file}" />
        <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
            p:timeout="10000"
            p:filter="${ldap.auth.filter}"
            p:searchBase="${ldap.base.dn}"
            p:ignorePartialResultException="true"
            p:contextSource-ref="contextSource"
            p:searchContextSource-ref="searchContextSource"
        />
    </list>
</property>

Just add more authentication handlers for the other things you want to authenticate against. Check out https://wiki.jasig.org/display/CASUM/LDAP for the CAS LDAP handlers and https://wiki.jasig.org/display/CASUM/Active+Directory for the CAS Active Directory handlers.

The way it works is that CAS will try to authenticate against each handler in order. The first one that succeeds results in a successful CAS login. So if you have a record in LDAP with uid=jsmith and a record in AD with cn=jsmith and they both have the same password, whichever one is defined first in CAS will always win! You should thus make sure that you have no login ID collisions between your systems, or you may open yourself up to some undesirable side effects (especially if jsmith in LDAP is not the same person as jsmith in AD).

If you use SAML validation (such as for mod_auth_cas) you may have other considerations as well. You can define an attributeRepository bean which lists the properties to return from a person's record when they authenticate and the service validates the ticket using /samlValidate. I don't know if there's a bean class available that will let you pull from multiple directories, but if you aren't using samlValidate this may not be an issue for you anyway.

So is there a better way possible? Well, if it's possible, collapse down to one source of authentication truth.

Regarding CAS federation: no. You may be able to set up the servers such that they trust each other's tickets, but instead I would recommend using one CAS environment (which could be clustered if you want) authenticating against as few sources of authentication truth as possible.

jgoguen
  • How about the same UID on both LDAP systems but with different passwords. If it fails validation on 1st ldap, i want it to fail thru to 2nd ldap where it should validate. Is this a configurable behavior? If not, I'm pretty sure I know where to handle this within the cas code. – Micho Rizo Sep 09 '15 at 19:03
  • I'm pretty sure it'll handle this just by setting up two LDAP servers. But that's dangerous unless you have a good reason. – jgoguen Sep 09 '15 at 23:27
  • It doesn't seem like it works like that out of the box, at least for CAS 3.5.2. An exception is thrown (invalid credentials) when it attempts to bind on the first ldap and it breaks out of the loop when iterating thru the authenticationHandlers list. – Micho Rizo Sep 10 '15 at 03:43
  • Try asking on the cas-users list: https://wiki.jasig.org/plugins/servlet/mobile#content/view/7537753 – jgoguen Sep 10 '15 at 12:27
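The following is an added illustration, not code from the question, the answer or the CAS project: a small Python model of an ordered authenticationHandlers chain like the one in the answer. It shows the two points made above from a defender's view: the first handler that succeeds wins, so a login ID present in both LDAP and AD is resolved purely by list order, and a handler that knows the ID but rejects the password raises an exception that aborts the chain (the CAS 3.5.2 behaviour described in the comments). The `stop_on_error=False` branch is only the fall-through variant the commenter asked about, modelled here for comparison; it is not a CAS configuration option. `find_id_collisions` is the check you would run across the directories before wiring them into one chain. The directories, user names, passwords and the SHA-256 stand-in for the LDAP bind are all constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


class InvalidCredentials(Exception):
    """Raised when a directory knows the login id but rejects the password."""


def _digest(password: str) -> str:
    # Stand-in for the directory's own password check (an LDAP bind in CAS);
    # a plain hash is used here only so the model runs offline.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class DirectoryHandler:
    """One entry in the authenticationHandlers list (e.g. the LDAP or AD handler)."""
    name: str
    users: Dict[str, str]  # login id -> password digest (constructed sample data)

    def authenticate(self, login: str, password: str) -> bool:
        digest = self.users.get(login)
        if digest is None:
            return False          # unknown here; let the next handler try
        if hmac.compare_digest(digest, _digest(password)):
            return True           # this handler wins
        raise InvalidCredentials(f"{self.name}: wrong password for {login}")


def authenticate_chain(handlers: List[DirectoryHandler], login: str, password: str,
                       stop_on_error: bool = True) -> Optional[str]:
    """Walk the handlers in list order; return the name of the first that succeeds."""
    for handler in handlers:
        try:
            if handler.authenticate(login, password):
                return handler.name
        except InvalidCredentials:
            if stop_on_error:
                raise             # matches the CAS 3.5.2 behaviour in the comments
            continue              # hypothetical fall-through variant, not a CAS option
    return None


def find_id_collisions(handlers: List[DirectoryHandler]) -> Dict[str, List[str]]:
    """Login ids present in more than one directory; each is an ordering risk."""
    seen: Dict[str, List[str]] = {}
    for handler in handlers:
        for login in handler.users:
            seen.setdefault(login, []).append(handler.name)
    return {login: names for login, names in seen.items() if len(names) > 1}


# Constructed sample directories (not real accounts).
LDAP = DirectoryHandler("ldap", {
    "jsmith": _digest("alpha"),   # same id and password in both directories
    "jdoe": _digest("ldap-only"),
    "mrizo": _digest("ldap-pw"),  # same id, different password per directory
})
AD = DirectoryHandler("ad", {
    "jsmith": _digest("alpha"),
    "bob": _digest("ad-only"),
    "mrizo": _digest("ad-pw"),
})
CHAIN = [LDAP, AD]  # list order is what decides collisions

if __name__ == "__main__":
    print("jsmith ->", authenticate_chain(CHAIN, "jsmith", "alpha"))
    print("collisions:", find_id_collisions(CHAIN))
```

Running it shows `jsmith` always resolving to `ldap` with this order and to `ad` if the list is reversed, and `mrizo` with the AD password aborting the chain rather than reaching AD; the collision report lists both ids, which is the list you want to be empty before going live.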