
How to CASify PeopleSoft and Integrating CAS and ADFS


DESCRIPTION

In this presentation we discuss how to CASify PeopleSoft, and outline some strategies for integrating Microsoft ADFS with CAS Server so that your end users get a single SSO experience.


Page 1: How to CASify PeopleSoft and Integrating CAS and ADFS

5/13/14 Apereo Miami 2014 1

How to CASify PeopleSoft, and integrating CAS and ADFS

Bryan Wooten: [email protected]
John Gasper: [email protected]
Misagh Moayyed: [email protected]

Page 2: This Session

•We will cover the integration and configuration points needed to CASify PeopleSoft with minimal customization.

•We will also review several options for integrating your CAS Server with Microsoft's ADFS Server. This is particularly helpful if you are an Office 365 customer, or if you have client applications that use Windows Identity Foundation (WIF) and want to integrate the SSO experience.

Page 3: Utah: Bryan Wooten

•28 years; software engineer/systems administrator

•3 years; University of Utah's IDM team

•Emphasis on integrating CAS with commercial/cloud systems

Page 4: Unicon: John Gasper, Misagh Moayyed

•Members of the IAM practice at Unicon

•Emphasis on CAS, Shibboleth, Grouper, etc.

•Provide commercial support through the OSS program

Page 5: How to CASify

Page 6: Objective

CASify the PeopleSoft web application via the Java CAS client:

•Populate REMOTE_USER with the CAS principal id

•A PeopleCode function to authenticate Request.RemoteUser into PeopleSoft

Page 7: Only 3 steps are required

1.Add the CAS filters to the WebLogic web.xml

2.Add logic to Signon PeopleCode (FUNCLIBLDAP)

3.Configure Signon PeopleCode

So, it really is easy!

Page 8: Step 1

•Add the CAS filters to web.xml in this location: /<peoplesoft-webapp-directory>/PORTAL/WEB-INF

•Don’t forget to add the CAS client jar to the classpath: /<peoplesoft-webapp-directory>/PORTAL/WEB-INF/lib/cas-client-core-3.3.1.jar

•You may need to add the CAS server's certificate to the PeopleSoft keystore: /ps/pltest/weblogic/jdk150/jre/lib/security/cacerts. This is the truststore the WebLogic JVM uses when the CAS client calls back to CAS over HTTPS to validate a service ticket, so a missing or wrong certificate shows up as a ticket-validation failure after the redirect, not as a redirect problem.

Page 9: (image slide; no text captured)
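A worked web.xml fragment for Step 1, added here as an example; it is not from the slides or from the Java CAS client project. It uses the three filter classes shipped in cas-client-core-3.3.1.jar. The CAS server URL (https://cas.example.edu/cas) and the /psp/* url-pattern are assumptions; the PeopleSoft host is the test URL from the Tips slide.

```xml
<!-- Added example: Java CAS client 3.3.x filters for PeopleSoft's PORTAL/WEB-INF/web.xml.
     Assumptions: CAS runs at https://cas.example.edu/cas and PeopleSoft is reached by
     browsers as https://sys.peoplesoft.edu:8703; adjust both to your environment. -->

<!-- 1. Redirect browsers that carry no CAS session to the CAS login page. -->
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://cas.example.edu/cas/login</param-value>
  </init-param>
  <init-param>
    <!-- Must be the scheme/host/port the user's browser uses, not an internal name;
         it becomes the "service" the ticket is bound to and validated against. -->
    <param-name>serverName</param-name>
    <param-value>https://sys.peoplesoft.edu:8703</param-value>
  </init-param>
</filter>

<!-- 2. Validate the returned service ticket by calling CAS over HTTPS. This is the
        call that needs the CAS certificate in the WebLogic JDK truststore (cacerts). -->
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ServiceTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://cas.example.edu/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://sys.peoplesoft.edu:8703</param-value>
  </init-param>
  <init-param>
    <!-- Redirect to the same URL without the ticket parameter once validated,
         so the one-time ticket does not linger in bookmarks, referers and logs. -->
    <param-name>redirectAfterValidation</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<!-- 3. Wrap the request so getRemoteUser(), which PeopleCode reads as
        %Request.RemoteUser, returns the validated CAS principal id. -->
<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<!-- Filter mappings run in the order they are declared: authenticate, validate, wrap.
     Every path that can reach Signon PeopleCode must be covered by all three;
     /psp is PeopleSoft's portal servlet (the ?cmd=start URL on the Tips slide). -->
<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/psp/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/psp/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/psp/*</url-pattern>
</filter-mapping>
```

Two checks worth making after the restart: a request to a mapped path with no CAS cookie must bounce to the CAS login page, and after the round trip %Request.RemoteUser must be non-empty in the CAS_AUTHENTICATION() log line. If the wrapper filter is missing from a path, the ticket still validates but RemoteUser stays empty and CAS_AUTHENTICATION() falls through to the next signon method; if the content servlet (/psc/*) also needs SSO at your site, give it the same three mappings.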

Page 10: Step 2: Modify Signon PeopleCode: CAS_AUTHENTICATION()

Page 11: PeopleSoft WebProfile

•A default “guest” user must be created with the most basic permissions and attached to the CAS Web Profile (Allow Public Users = Checked).

•CAS_AUTHENTICATION must be enabled through Signon PeopleCode. The function takes the remote user on the request (%Request.RemoteUser, which the CAS request-wrapper filter populates from the validated ticket) as the authenticated user and retrieves the matching distinguished name from the directory.

•The guest user needs a role with the permissions required to execute and invoke the PeopleCode function.

•The profile must be activated in PeopleSoft under the WebProfile setting inside configuration.properties.

•If all goes well, &global_DN is set and SetAuthenticationResult() sets the user context to the correct user ID.

Page 12: CAS_AUTHENTICATION()

    Function CAS_AUTHENTICATION()
       &logger = initLogger();
       &logger.info("CAS_AUTHENTICATION ============ Start of CAS_AUTHENTICATION ============= (" | %SignonUserId | ")");
       printRequestHeaders();
       If &bConfigRead = False Then
          getLDAPConfig();
       End-If;
       /* Populated by the CAS HttpServletRequestWrapperFilter; empty when no validated CAS session reached this request */
       &cas_result = %Request.RemoteUser;
       If &cas_result <> "" Then
          /* User is authenticated, log them into PeopleSoft */
          &logger.info(" CAS_AUTHENTICATION - " | "Remote user = " | &cas_result | " logged in by CAS_AUTHENTICATION");
          SetAuthenticationResult( True, Upper(&cas_result), "", False);
          &authMethod = "CAS";
          &CAS_userid = &cas_result;
          /* Clear PeopleSoft's failed-login counter for this OPRID on a successful CAS login */
          &sql_PSOPRDEFN = CreateSQL("Select FAILEDLOGINS from PSOPRDEFN where OPRID=:1", Upper(&cas_result));
          &ret = &sql_PSOPRDEFN.Fetch(&failedLogin);
          If (&failedLogin <> 0) Then
             SQLExec("update PSOPRDEFN set FAILEDLOGINS=0 where OPRID=:1", Upper(&cas_result));
          End-If;

Page 13: CAS_AUTHENTICATION() (continued)

          /* set &global_DN for profilesync */
          For &J1 = 1 To &authMaps.Len
             &DNs = CreateArrayRept("", 0);
             If (idToDN(&cas_result, &DNs, &authMaps [&J1])) Then
                For &I1 = 1 To &DNs.Len
                   /* Take the first DN found as the &global_DN */
                   &global_DN = &DNs [&I1];
                   &idxAuthMap = &J1;
                   /** &global_DN = "unid=" | &cas_result | ",ou=people,o=utah.edu"; **/
                   &logger.info("CAS_AUTHENTICATION - ***** &authMethod = CAS ***** ===== (" | &cas_result | ")/" | &global_DN | "/" | &authMaps [&J1].getAuthMapID());
                   Return;
                End-For;
             End-If;
          End-For;
       End-If;
       /* Reached when RemoteUser was empty, or when no DN matched; in the latter case the authentication result set above still stands */
       &logger.info("CAS_AUTHENTICATION - Did not authenticate by CAS_AUTHENTICATION (" | %SignonUserId | ")");
    End-Function;

Page 14: Step 3: Configure Signon PeopleCode

Note: the “Invoke As” fields must be set to the credentials of the user created for the web profile, so that PeopleSoft can execute the PeopleCode function. Ensure that both LDAP authentication and profile sync are turned on, and that “Exec Auth Fail” is checked for both.

Page 15: Signout

In the WebProfile, specify a new signout.html for signout.

•Place the file at /<peoplesoft-directory>/PORTAL.war/WEB-INF/psftdocs/CS89PS

•Edit the file:

Page 16: Tips & Suggestions

•Ensure the CAS_AUTHENTICATION() function logs its activity to a file

•Test the web profile using cmd=start: https://sys.peoplesoft.edu:8703/psp/CS89PS/?cmd=start&languageCd=ENG

•Log into PeopleSoft using the account configured to invoke CAS_AUTHENTICATION()

•Almost ALL changes require a PeopleSoft web application restart

Page 17: Issues & Troubleshooting

•Deep linking vs. PeopleSoft “caching”

•PeopleSoft vs. CAS account mapping

•Single signout

Page 18: Integrating CAS and Microsoft ADFS

•Microsoft ADFS is yet another SSO environment that competes in the same spaces as CAS and Shibboleth.

•Why would you integrate ADFS with CAS?

  •Office 365?

  •Previously developed ASP.NET/Windows Identity Foundation apps that utilize an STS, like ADFS.

Page 19: Integrating CAS and Microsoft ADFS

•CAS as an RP: Fronting CAS with ADFS

•CASifying ADFS: Front ADFS with CAS

•ADFS as an SP: Front ADFS with CAS*

Page 20: Front CAS with ADFS

Page 21: Front CAS with ADFS

Page 22: Front CAS with ADFS: pom.xml

    <!-- ADFS Integration -->
    <dependency>
        <groupId>net.unicon.cas</groupId>
        <artifactId>cas-server-support-wsfederation</artifactId>
        <version>1.0.0-SNAPSHOT</version>
        <scope>compile</scope>
    </dependency>

A -SNAPSHOT version resolves to whatever build was most recently published, so pin a released version (or a specific build you have reviewed) in a production overlay.

Page 23: Front CAS with ADFS: spring-config/wsfederation.xml

    <bean id="wsFedConfig" class="net.unicon.cas.support.wsfederation.WsFederationConfiguration">
        <property name="identityProviderIdentifier" value="http://adfs.example.org/adfs/services/trust" />
        <property name="identityProviderUrl" value="https://adfs.example.org/adfs/ls/" />
        <property name="identityAttribute" value="upn" />
        <property name="relyingPartyIdentifier" value="urn:federation:cas" />
        <property name="tolerance" value="60000" />
        <property name="attributeMutator">
            <bean class="org.example.cas.support.wsfederation.WsFedAttributeMutatorImpl" />
        </property>
        <property name="signingCertificateFiles">
            <list>
                <value>file:/etc/cas/signing.cer</value>
            </list>
        </property>
    </bean>

What each setting controls: identityProviderIdentifier is the ADFS Federation Service identifier, which is also the issuer ADFS writes into the token; identityProviderUrl is the ADFS passive endpoint the browser is redirected to; relyingPartyIdentifier must match the relying party trust created for CAS in ADFS; identityAttribute names the claim that becomes the CAS principal id; tolerance is the clock-skew allowance, in milliseconds, applied to the token's validity window; signingCertificateFiles must hold the ADFS token-signing certificate. Since the token is posted back by the browser, that signature check is the only thing binding it to ADFS, so keep the certificate current when ADFS rolls it over.

Page 24: Front CAS with ADFS: login-webflow.xml

    <action-state id="wsFederationAction">
        <evaluate expression="wsFederationAction" />
        <transition on="success" to="sendTicketGrantingTicket" />
        <transition on="error" to="ticketGrantingTicketExistsCheck" />
    </action-state>

    <view-state id="WsFederationRedirect" view="externalRedirect:${WsFederationIdentityProviderUrl}" />

Page 25: Front CAS with ADFS

Page 26: Front CAS with ADFS

Page 27: Front CAS with ADFS

Page 28: Front CAS with ADFS: Attribute Mutator

Clean up or map the attributes coming from ADFS before they are released:

    attributes.put("upn", attributes.get("upn").toString().replace("@example.org", ""));

    attributeMapping(attributes, "surname", "LastName");
    attributeMapping(attributes, "givenname", "FirstName");
    attributeMapping(attributes, "Group", "Groups");
    attributeMapping(attributes, "employeeNumber", "UDC_IDENTIFIER");

Note that the upn line does a substring replace, not a suffix check: a UPN whose realm is anything other than @example.org passes through with its '@' intact and reaches account mapping unchanged. Check the realm explicitly before stripping it.
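Added example (not code from the slides or from the Unicon cas-server-support-wsfederation module): a complete mutator class matching the bean declared on the wsfederation.xml slide. It assumes the module's interface is net.unicon.cas.support.wsfederation.WsFederationAttributeMutator with a single void modifyAttributes(Map<String, Object>) method, and that an exception thrown from it makes wsFederationAction take its error transition; check both against the version of the module you build against. The claim names are the ones on the slide; @example.org stands in for your own UPN realm. It differs from the slide's one-liner in one respect: it strips @example.org only when that is exactly the UPN's realm and refuses any other realm.

```java
package org.example.cas.support.wsfederation;

import java.util.List;
import java.util.Locale;
import java.util.Map;

// Assumed interface name and package; confirm against the module you build against.
import net.unicon.cas.support.wsfederation.WsFederationAttributeMutator;

/**
 * Added example of an attribute mutator for the Unicon WS-Federation support.
 * The action invokes it on the attributes parsed from the ADFS token, after the
 * token's signature has been checked and before the CAS principal is built.
 */
public class WsFedAttributeMutatorImpl implements WsFederationAttributeMutator {

    /** The only UPN realm this CAS server maps to bare principal ids (assumption). */
    private static final String EXPECTED_REALM = "@example.org";

    @Override
    public void modifyAttributes(final Map<String, Object> attributes) {
        // 1. Derive the principal id from the upn claim, refusing foreign realms.
        final String upn = firstValue(attributes.get("upn"));
        if (upn == null) {
            throw new IllegalArgumentException("ADFS token carries no upn claim");
        }
        final String normalized = upn.trim().toLowerCase(Locale.ROOT);
        final int at = normalized.indexOf('@');
        // A UPN we accept has a non-empty local part, exactly one '@', and our realm after it.
        if (at <= 0 || at != normalized.lastIndexOf('@')
                || !EXPECTED_REALM.equals(normalized.substring(at))) {
            // Assumption: throwing here makes wsFederationAction take its "error" transition,
            // so no ticket-granting ticket is issued for a UPN from another realm.
            throw new IllegalArgumentException("Refusing UPN from unexpected realm: " + upn);
        }
        attributes.put("upn", normalized.substring(0, at));

        // 2. Rename ADFS claim names to what downstream CAS services expect
        //    (the same mappings as on the slide).
        attributeMapping(attributes, "surname", "LastName");
        attributeMapping(attributes, "givenname", "FirstName");
        attributeMapping(attributes, "Group", "Groups");
        attributeMapping(attributes, "employeeNumber", "UDC_IDENTIFIER");
    }

    /** Move the value stored under {@code from} to {@code to}; a pre-existing {@code to} value is replaced. */
    static void attributeMapping(final Map<String, Object> attributes, final String from, final String to) {
        if (attributes.containsKey(from)) {
            attributes.put(to, attributes.remove(from));
        }
    }

    /** Single-valued claims arrive as a String, multi-valued ones as a List; take the first value. */
    static String firstValue(final Object value) {
        if (value instanceof List) {
            final List<?> list = (List<?>) value;
            return list.isEmpty() ? null : String.valueOf(list.get(0));
        }
        return value == null ? null : value.toString();
    }
}
```

The realm check is the point of the class: the slide's replace() call turns "[email protected]" into "alice", but would also pass "[email protected]" through untouched, and whether that string then matches anything in PeopleSoft or LDAP is left to chance. If ADFS is federated with other forests and you do want those users, map each accepted realm to an explicit prefix here rather than stripping it.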

Page 29: CASifying ADFS

Utilizes the .NET CAS Client and ClearPass:

1) Drop in the DotNetCasClient.dll (v1.0.1).

2) Configure web.config.

3) Add code to FormsSignIn.aspx.cs.

Page 30: CASifying ADFS

Utilizes the .NET CAS Client and ClearPass (key lines added to FormsSignIn.aspx.cs):

    Username = Page.User.Identity.Name;
    // Ask CAS for a proxy ticket targeted at the ClearPass endpoint
    proxyTicket = CasAuthentication.GetProxyTicketIdFor(ClearPassUrl);
    clearPassRequest = ClearPassUrl + "?" + ArtifactParameterName + "=" + proxyTicket
        + "&" + ServiceParameterName + "=" + ClearPassUrl;
    // The fetch itself is not shown on the slide; shown here with System.Net.WebClient
    clearPassResponse = new System.Net.WebClient().DownloadString(clearPassRequest);
    // ClearPass returns the user's clear-text password inside <cas:credentials>
    Password = XmlUtils.GetTextForElement(clearPassResponse, "cas:credentials");
    SignIn(Username, Password);

ClearPass hands the user's actual password to ADFS, which then performs a normal forms sign-in against AD with it. Treat that accordingly: register the ADFS service in the CAS service registry as the only service allowed to proxy to the ClearPass URL, keep every hop (proxy callback, ClearPass request) on HTTPS, and regard the ADFS host as a credential-holding system for logging, memory dumps and administrative access.

Page 31: CASifying ADFS

This may or may not work with ADFS on Windows Server 2012 R2.

The .cs files are embedded in C:\Windows\adfs\Microsoft.IdentityServer.Web.dll

Visual Studio should allow you to alter the files.

Page 32: ADFS as an SP

Theoretically, we can use CAS's Google Apps/SAML 2.0 support to connect to ADFS.

Pros: No significant mods to ADFS or CAS.

Let me know if you are interested in collaborating on this.

Page 33: https://github.com/unicon/cas-adfs-integration