Thursday, May 7, 2009

CAS Integrations with Google Apps

As a follow-up to my previous posts on setting up a Central Authentication Server in your organization, and the associated documentation, I would also like to share with you the specific setup documentation I have written for setting up Google Apps with CAS.

As in the other documentation, the changes that need to be made to XML files are displayed here as images.

  • Google Apps - Single Sign On
    • These instructions have been taken from the CAS wiki at:
    • First you need to generate the public and private keys that CAS and Google use to communicate. These steps should be run from the /usr/local/tomcat/webapps/cas/WEB-INF/classes directory:
      1. root@cas:/usr/local/tomcat/webapps/cas/WEB-INF/classes# openssl genrsa -out private.key 1024
      2. root@cas:/usr/local/tomcat/webapps/cas/WEB-INF/classes# openssl rsa -pubout -in private.key -out public.key -inform PEM -outform DER
      3. root@cas:/usr/local/tomcat/webapps/cas/WEB-INF/classes# openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in private.key -out private.p8
      4. root@cas:/usr/local/tomcat/webapps/cas/WEB-INF/classes# openssl req -new -x509 -key private.key -out x509.pem -days 365
    • Then you must add the following so that CAS recognizes the SAML requests coming from Google. This goes in WEB-INF/spring-configuration/argumentExtractors/Configuration.xml:

    • The final step is to set up the Google Apps Single Sign-On information. The necessary values are below, and you will also need the x509.pem file created earlier:
      • Check "Enable Single Sign-on"
      • Sign-in page URL: https://yourCasServer/login
      • Sign-out page URL: http://whateverServerYouWouldLike
      • Change password URL: http://whateverServerYouWouldLike
      • Verification Certificate: upload the x509.pem file
      • Check the "Use a domain specific issuer" box
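The four key-generation commands and the Google-side upload of x509.pem, as an added shell example that is not part of the original post: it runs the same openssl steps in a scratch directory and then checks that the certificate handed to Google, the DER public key and the PKCS#8 private key all carry the same RSA key, since a certificate that does not match the key CAS signs with makes Google reject every SAML response. The function names, the scratch directory and the /CN=cas.example.org subject are assumptions; key size and certificate lifetime are parameters that default to the post's 1024 bits and 365 days (1024-bit RSA is below current minimum recommendations, and the certificate has to be regenerated and re-uploaded to Google before it expires, which the last function reports).

```shell
#!/bin/sh
# Added example, not the original post's commands: reproduce the four openssl
# steps in a scratch directory, then check that the artifacts agree, i.e. that
# the certificate uploaded to Google (x509.pem) contains the public key that
# matches the private key CAS signs with (private.p8 / public.key).
# Function names, directory and subject are assumptions; defaults are the
# post's values (1024-bit key, 365-day certificate).
set -eu

# gen_cas_google_keys DIR [BITS] [DAYS]
gen_cas_google_keys() {
  dir="$1"; bits="${2:-1024}"; days="${3:-365}"
  mkdir -p "$dir"
  # 1. RSA private key (PEM)
  openssl genrsa -out "$dir/private.key" "$bits" 2>/dev/null
  # 2. Public key as DER SubjectPublicKeyInfo (what CAS loads as public.key)
  openssl rsa -pubout -in "$dir/private.key" -inform PEM \
    -out "$dir/public.key" -outform DER 2>/dev/null
  # 3. Unencrypted PKCS#8 DER private key (what CAS loads as private.p8)
  openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
    -in "$dir/private.key" -out "$dir/private.p8"
  # 4. Self-signed X.509 certificate, the file uploaded to Google Apps;
  #    the subject is a placeholder
  openssl req -new -x509 -key "$dir/private.key" -out "$dir/x509.pem" \
    -days "$days" -subj "/CN=cas.example.org" 2>/dev/null
}

# SHA-256 fingerprint of a DER public key read from stdin
_spki_fingerprint() {
  openssl dgst -sha256 | sed 's/^.*= //'
}

# verify_cas_google_keys DIR: prints "ok" when x509.pem, public.key and
# private.p8 all carry the same public key, "mismatch" otherwise
verify_cas_google_keys() {
  dir="$1"
  cert_fp=$(openssl x509 -in "$dir/x509.pem" -noout -pubkey \
            | openssl pkey -pubin -outform DER | _spki_fingerprint)
  pub_fp=$(openssl pkey -pubin -inform DER -in "$dir/public.key" -outform DER \
            | _spki_fingerprint)
  p8_fp=$(openssl pkey -inform DER -in "$dir/private.p8" -pubout -outform DER \
            | _spki_fingerprint)
  if [ "$cert_fp" = "$pub_fp" ] && [ "$cert_fp" = "$p8_fp" ]; then
    echo ok
  else
    echo mismatch
  fi
}

# cert_expiry DIR: the notAfter date of x509.pem; Google stops accepting
# signed responses once this date passes, so track it for renewal
cert_expiry() {
  openssl x509 -in "$1/x509.pem" -noout -enddate | sed 's/^notAfter=//'
}
```

Usage: `gen_cas_google_keys /tmp/cas-keys 2048 365 && verify_cas_google_keys /tmp/cas-keys` should print `ok`; run `verify_cas_google_keys` again against the files actually deployed under WEB-INF/classes after any key rotation, because the typical failure is uploading a freshly generated certificate to Google while CAS still signs with the old private.p8.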


Unknown said...

I work in online education, too. Good stuff.

Unknown said...

This helped a lot, thanks. The JA-SIG wiki article doesn't make it clear that the login/logout URLs are just your CAS login/logout URLs with no fancy modifications. They also didn't explain that you need to add a CAS service for