Isaac,
I will check this out! Haven't looked at Shibboleth yet, but it is on the
radar as well...
Johan
----- Original Message -----
From: "Isaac Davis-King" <[email protected]>
To: <[email protected]>
Sent: Wednesday, February 25, 2009 4:56 PM
Subject: Re: [cas-user] newbie question: Google Apps, MS-AD and other attribute
Johan,
As the person who started the original thread you linked to, here is how
we resolved the issue. For the sake of setting up the demo, I found the
simplest solution was to use simplesamlphp
(http://rnd.feide.no/simplesamlphp) as an intermediary to
handle the SAML between CAS and Google Apps. For someone familiar with
PHP, I found it relatively easy to configure simplesaml to use CAS for
authentication, and then connect to Google.
Currently we have replaced simplesaml with Shibboleth to handle the SAML.
Shibboleth is not nearly as easy as simplesaml to configure, but once we
had it up and running it was pretty easy to swap between the two.
## Isaac Davis-King
## Web Programming Specialist
## California State University, Monterey Bay
[email protected] writes:
All,
We are implementing a demo CAS environment, to see how it would work
serving as an SSO platform for our web apps.
We are traditionally an Asp/Asp.net windows environment, with additional
experience in unix/linux with php and perl, but learning java (hopefully)
as we go...
So far, we have a basic setup working, talking to MS Active Directory as
the account store, using the Fastbind example in the wiki
(http://www.ja-sig.org/wiki/display/CASUM/Active+Directory). We have a
drupal install authenticating to it as a quick test app that talks CAS.
Now, we are trying to get this working with GoogleApps, and we have
created a test domain at GApps for that. Integration works, but is using
the username of the object (sAMAccountName attribute in AD terms).
What we will need is to use the email address, as stored in the "mail"
attribute. Digging around the maillist archives, it looks like this is
possible
(http://www.nabble.com/Adding-data-to-SAML-response-(was-Passing-Google-apps-alternate-username)-to19446161.html#a19446161).
Looking at CAS3.3.1 source, in
cas-server-core/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java
we see in line 163/164
samlResponse = samlResponse.replace("<USERNAME_STRING>", getPrincipal().getId());
This seems to be the code that assigns the username to the SAML response,
but we have no idea how to go from here :-( (i.e. how to get it to read the
mail attribute and assign it here.)
Any suggestions would be much appreciated.
For completeness, this is running on CentOS5.2, Tomcat 6.0.18, CAS-Server
3.3.1
Thanks in advance!
Johan Reinalda
Thunderbird School of Global Management
Glendale, AZ, USA
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
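The snippet quoted from GoogleAccountsService.java does a plain string replace of the placeholder with the principal id. The example below is added here and is not CAS code or anything from the thread's participants; it shows the two things a deployer changing that line would want: picking the "mail" attribute when it has been released to the principal (falling back to the id when it has not) and XML-escaping the value before it is substituted, so that whatever the directory holds cannot alter the structure of the signed SAML response. The method names (chooseNameId, escapeXml, fillTemplate) and the sample attribute map are assumptions for illustration; in CAS the attributes would have to be resolved by the configured attribute repository and released to the Google Apps service, which is configuration outside this snippet.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not CAS project code: select the directory attribute that
 * becomes the SAML NameID and substitute it safely into a response template.
 */
public class SamlNameIdExample {

    // Same placeholder the CAS 3.3.1 snippet in the thread replaces.
    static final String USERNAME_PLACEHOLDER = "<USERNAME_STRING>";

    /**
     * Use the "mail" attribute when it was released and is non-empty;
     * otherwise fall back to the principal id (sAMAccountName in the thread).
     */
    static String chooseNameId(String principalId, Map<String, String> attributes) {
        String mail = attributes == null ? null : attributes.get("mail");
        if (mail != null && !mail.trim().isEmpty()) {
            return mail.trim();
        }
        return principalId;
    }

    /**
     * Escape the five XML special characters so a directory value can only
     * ever be text content of the NameID element, never new markup.
     */
    static String escapeXml(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Replace the placeholder with the chosen, escaped NameID value. */
    static String fillTemplate(String template, String principalId, Map<String, String> attributes) {
        String nameId = chooseNameId(principalId, attributes);
        return template.replace(USERNAME_PLACEHOLDER, escapeXml(nameId));
    }

    public static void main(String[] args) {
        // Constructed sample: a minimal Subject fragment carrying the placeholder.
        String template = "<saml:Subject><saml:NameID>" + USERNAME_PLACEHOLDER
                + "</saml:NameID></saml:Subject>";

        // Constructed sample attributes as an AD attribute repository might release them.
        Map<String, String> attrs = new HashMap<String, String>();
        attrs.put("sAMAccountName", "jdoe");
        attrs.put("mail", "jdoe@example.edu");

        // With a mail attribute released: NameID is the e-mail address.
        System.out.println(fillTemplate(template, "jdoe", attrs));

        // Without a mail attribute: falls back to the principal id.
        System.out.println(fillTemplate(template, "jdoe", new HashMap<String, String>()));

        // A value containing markup characters is escaped rather than injected.
        Map<String, String> odd = new HashMap<String, String>();
        odd.put("mail", "a<b>&c@example.edu");
        System.out.println(fillTemplate(template, "jdoe", odd));
    }
}
```

The fallback matters operationally: if the attribute repository is not yet wired up, the response degrades to the behaviour the thread describes (username as NameID) rather than emitting an empty NameID that Google Apps would reject. Releasing only the "mail" attribute to this one service, rather than the whole directory entry, keeps the data sent to the relying party to what it needs.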