Showing posts with label SSO.

Tuesday, March 16, 2010

Integrate Liferay with CAS server.

Central Authentication Service (CAS) server is a single sign on (SSO) protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password.

CAS was conceived and developed by Shawn Bayern of Yale University Technology and Planning. In December 2004, CAS became a project of the Java Architectures Special Interest Group, which is as of 2008 responsible for its maintenance and development. Formerly called "Yale CAS", CAS is now also known as "JA-SIG CAS". In order to implement SSO with Liferay, I used the CAS server.

The following are all the steps that I followed to implement SSO in Liferay. I used Liferay (liferay-portal-tomcat-6.0-5.2.3), CAS Server (cas-server-3.3.5-release) and CAS client (cas-client-2.0.11).

Setting up CAS server:
  • Download the CAS server from http://www.ja-sig.org/downloads/cas/
  • Rename cas-server-3.3.5\modules\cas-server-webapp-3.3.5.war to cas-web.war.
  • Drop the cas-web.war file into Tomcat's webapps directory. (For testing purposes I used Liferay's Tomcat, but in a production environment the CAS server should really run on its own Tomcat instance.)
  • Then edit the server.xml file in Tomcat and uncomment the SSL section to open up port 8443 as shown below.

Setting up the CAS client:


Generate the SSL cert with Java keytool:

  • In any directory (I use my root directory) enter the command:
keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
  • Answer the questions as shown in the image. (Note that your first name and last name MUST be the hostname of your server and cannot be an IP address; this is very important, as an IP address will fail client hostname verification even if it is correct.)
  • Then enter the command:
keytool -export -alias tomcat -keypass changeit -file %FILE_NAME%
I use server.cert for %FILE_NAME%.
  • Finally, import the cert into Java's keystore with this command:
keytool -import -alias tomcat -file %FILE_NAME% -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts
  • Start the CAS server with startup.bat in Tomcat's bin folder.
  • Now you are ready to start your CAS server: simply start Tomcat and access CAS at https://localhost:8443/cas-web/login. You should see the CAS login screen and no errors in your catalina logs.
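Why the "first and last name" in the keytool prompt has to be the server's hostname: the Java HTTPS client inside the CAS client compares the name in the certificate with the host part of the CAS URL before it will talk to the server. The Python model below is an added example (not from the post and not Java's code) of that check, following RFC 2818/RFC 6125 as Java's default HostnameVerifier applies them as far as I know them: an IP-literal URL is matched only against SAN iPAddress entries (the CN is ignored even when it holds that address), a DNS host is matched against SAN dNSName entries, and the CN is consulted only when the certificate carries no dNSName SAN. The certificate dicts and hostnames are constructed sample values, not anything exported from a keystore.

```python
"""Added example, not from the post: a model of the hostname check a Java
HTTPS client applies to the CAS server's certificate. The cert dicts and
hostnames are constructed sample values."""
import ipaddress
from urllib.parse import urlsplit


def _is_ip_literal(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _dns_name_matches(pattern, host):
    """Case-insensitive DNS match; '*' may stand for exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard is only honoured as the whole leftmost label, with at least
    # two fixed labels behind it, and it never spans a dot.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, url):
    """True if the certificate identifies the host named in url.

    cert is a dict with optional keys "cn" (str), "san_dns" (list of str)
    and "san_ip" (list of str).
    """
    host = urlsplit(url).hostname
    if not host:
        return False
    if _is_ip_literal(host):
        # IP URLs match only SAN iPAddress entries; a CN holding the same
        # address does not count (the failure the post warns about).
        wanted = ipaddress.ip_address(host)
        return any(ipaddress.ip_address(ip) == wanted for ip in cert.get("san_ip", []))
    san_dns = cert.get("san_dns", [])
    if san_dns:
        # When dNSName SANs are present the CN is not consulted at all.
        return any(_dns_name_matches(name, host) for name in san_dns)
    # Legacy fallback: the CN is used only when no dNSName SAN exists.
    cn = cert.get("cn", "")
    return bool(cn) and not _is_ip_literal(cn) and _dns_name_matches(cn, host)


# Constructed certificates: what a plain keytool -genkey produces (CN only,
# no SAN) with a hostname, the same with an IP address, and one with a SAN.
CERT_HOSTNAME_CN = {"cn": "cas.example.org"}
CERT_IP_CN = {"cn": "192.0.2.10"}
CERT_IP_SAN = {"cn": "192.0.2.10", "san_ip": ["192.0.2.10"]}

if __name__ == "__main__":
    for cert, url in [(CERT_HOSTNAME_CN, "https://cas.example.org:8443/cas-web/login"),
                      (CERT_IP_CN, "https://192.0.2.10:8443/cas-web/login"),
                      (CERT_IP_SAN, "https://192.0.2.10:8443/cas-web/login")]:
        print(url, "->", "ok" if hostname_matches(cert, url) else "hostname verification failed")
```

The practical consequence for the steps above: the URL the CAS client is configured with (the one in the web.xml filter parameters) must use exactly the name you typed at the keytool prompt, and the only way to make an IP-address URL pass is a certificate that carries that address as a SAN, which a plain keytool -genkey does not produce.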

Setting up Liferay Portal:
  • Remove the sevencogs theme and the sample data by deleting the two sevencogs folders in the liferay-portal-5.2.3\tomcat-6.0.18\webapps folder and by deleting the lportal.properties and lportal.script files in the liferay-portal-5.2.2\data\hsql folder.
  • Now if you run Liferay you should be able to log in to the portal with
E-mail: test@liferay.com
Password: test
  • In the webapps/ROOT/WEB-INF/web.xml file add a new filter as shown below (add it as the first filter).
  • Then add the filter mapping directly above the first existing filter mapping as shown below.
  • Then add the following to the rest of the auto login filters (just after the last existing auto login filter).
  • Now start up Liferay and go to Sign In.
  • It will redirect you to the CAS login page.
  • Then enter the
NetID = test
Password = test
  • Then you will be returned to the Liferay home page, logged in as user test.
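What the redirect to CAS and the return to the Liferay home page actually exchange, as an added example in Python (not the post's own code and not the JA-SIG CAS or Liferay code): an in-memory model of the CAS 2.0 flow between the CAS client filter configured in web.xml and cas-web. The portal never receives the NetID's password. It receives a short-lived, single-use service ticket on the callback URL, and it has to hand that ticket back to the CAS server's /serviceValidate endpoint, which only honours the ticket for the service URL it was issued to. The user, service URL and ticket lifetime are constructed assumptions; the XML shape follows the CAS 2.0 serviceValidate response.

```python
"""Added example, not from the post or the CAS project: an in-memory model of
the CAS 2.0 ticket exchange. Users, URLs and the TTL are constructed values."""
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"
SERVICE_URL = "http://portal.example.org:8080/c/portal/login"   # constructed


def _with_query(url, query):
    """Rebuild url with the given query dict (values are lists)."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def ticket_from_url(url):
    """The ticket parameter CAS appended to the callback URL, or None."""
    return parse_qs(urlsplit(url).query).get("ticket", [None])[0]


class CasServer:
    """Stands in for cas-web: checks credentials and issues service tickets."""

    def __init__(self, users, ticket_ttl=10.0, clock=time.monotonic):
        self._users = users          # constructed {netid: password}
        self._tickets = {}           # ticket -> (netid, service, issued_at)
        self._ttl = ticket_ttl       # CAS 3 ships a 10 s service-ticket lifetime
        self._clock = clock          # injectable so expiry can be tested

    def login(self, netid, password, service):
        """Return the redirect URL (service URL + ticket) on success, else None."""
        if self._users.get(netid) != password:
            return None
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (netid, service, self._clock())
        query = parse_qs(urlsplit(service).query)
        query["ticket"] = [ticket]
        return _with_query(service, query)

    def service_validate(self, service, ticket):
        """/serviceValidate: consume the ticket and answer with CAS 2.0 XML."""
        record = self._tickets.pop(ticket, None)   # single use: gone after one check
        if record is None:
            return self._failure("INVALID_TICKET", "ticket not recognized")
        netid, bound_service, issued_at = record
        if bound_service != service:
            return self._failure("INVALID_SERVICE", "ticket issued to another service")
        if self._clock() - issued_at > self._ttl:
            return self._failure("INVALID_TICKET", "ticket expired")
        return ('<cas:serviceResponse xmlns:cas="%s"><cas:authenticationSuccess>'
                "<cas:user>%s</cas:user></cas:authenticationSuccess>"
                "</cas:serviceResponse>") % (CAS_NS, escape(netid))

    @staticmethod
    def _failure(code, message):
        return ('<cas:serviceResponse xmlns:cas="%s"><cas:authenticationFailure '
                'code="%s">%s</cas:authenticationFailure></cas:serviceResponse>'
                ) % (CAS_NS, code, escape(message))


def parse_validation(xml_text):
    """Return (user, None) on success or (None, failure_code) otherwise."""
    root = ET.fromstring(xml_text)
    user = root.find("{%s}authenticationSuccess/{%s}user" % (CAS_NS, CAS_NS))
    if user is not None:
        return user.text, None
    failure = root.find("{%s}authenticationFailure" % CAS_NS)
    return None, (failure.get("code") if failure is not None else "MALFORMED")


class PortalCasFilter:
    """Stands in for the CAS client filter configured in Liferay's web.xml."""

    def __init__(self, server, service_url):
        self._server = server
        self._service_url = service_url   # the URL CAS redirects back to

    def handle_callback(self, request_url):
        """Strip the ticket from the callback URL, validate it, return the user or None."""
        query = parse_qs(urlsplit(request_url).query)
        ticket = query.pop("ticket", [None])[0]
        if ticket is None:
            return None
        # serviceValidate is given the service URL *without* the ticket, and the
        # filter only honours callbacks for its own configured URL.
        if _with_query(request_url, query) != self._service_url:
            return None
        user, _code = parse_validation(self._server.service_validate(self._service_url, ticket))
        return user


if __name__ == "__main__":
    cas = CasServer({"test": "test"})
    portal = PortalCasFilter(cas, SERVICE_URL)
    redirect = cas.login("test", "test", SERVICE_URL)
    print("first validation ->", portal.handle_callback(redirect))   # test
    print("replayed ticket  ->", portal.handle_callback(redirect))   # None
```

The three checks in service_validate (ticket consumed on first use, bound to one service URL, expiring within seconds) are what makes it acceptable for the ticket to travel in a plain query string: a ticket captured from a log or a referrer is worthless a moment later, and the portal learns the user's identity only from the validation response, never from anything the browser sent.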

Tuesday, February 9, 2010

SSO in Liferay

Single Sign On (SSO) is the feature that allows the user to log in to the portal once and access all the portlets according to his permissions, without signing in again for different portlets. In order to set up SSO between the Liferay portal and the existing portlets, I decided to integrate the Liferay web portal with the JA-SIG CAS (Central Authentication Service) Server. First I read articles and research papers about SSO and got an understanding of what is actually meant by SSO and how it works with web portals. Then I clearly identified the procedure of SSO, and the following diagram illustrates it.



After that I read about how to install the CAS server. In order to do that I downloaded the CAS Server and installed the Tomcat Server. After setting up the CAS server in Tomcat, I installed the CAS client in Liferay. After that I generated an SSL cert for the CAS server. Finally I did all the configuration on the Liferay portal in order to work with Liferay.

Wednesday, February 3, 2010

LDAP Authentication and Single Sign On(SSO)

When implementing my Workflow Management System, I have to implement Single Sign On. Following are the facts I gathered about SSO and LDAP during my research.
  • SSO is the ability for a user to enter the same id and password to log on to multiple applications within an enterprise.
  • Single sign on benefits are:
      • Ability to enforce uniform enterprise authentication and/or authorization policies across the enterprise
      • End-to-end user audit sessions to improve security reporting and auditing
      • Removes application developers from having to understand and implement identity security in their applications
      • Usually results in significant password help desk cost savings
  • Since the internet is stateless, the single sign on software must check every request by the user's browser to see if there is an authentication policy pertaining to the resource or application the user is trying to access.
  • In a medium to large enterprise, this means that every time the user clicks on a different URL, there is traffic between the user's browser, the web or application servers and the security server.
  • Therefore, most modern single sign on systems use LDAP (Lightweight Directory Access Protocol) directories to store the authentication and authorization policies.
  • LDAP directories are made for high-performance lookups, thus addressing the high traffic load.
  • Further, the LDAP directories are often the source for the single sign on system to authenticate against.
  • The above are the reasons why LDAP directories and authentication have taken on such a dominant role in enterprise authentication. LDAP directories offer the following features:
      • They are very quick for doing identity reads against as compared to traditional databases
      • They are low cost; in fact some LDAP directories are available for free
      • Virtual LDAP directories enable quick linkage between multiple databases and multiple LDAP directories
      • LDAP directories are excellent for doing rapid LDAP authentication against for any digitized authentication
      • LDAP directories have a universal protocol enabling quick interaction and exchange of identity information between enterprises
      • LDAP directories can be easily partitioned to place the directory close to the end user, thus improving performance and reducing network load
Single Sign On (SSO) systems mostly use LDAP authentication. The enterprise user logs on in the morning and normally sees a form-based enterprise login screen. The user enters their id and password. The SSO software then takes the information and sends it to the security server using an encrypted connection. The security server in turn logs on to the LDAP server on behalf of the user by providing the LDAP server with the user's id and password. If successful, the security server then proceeds with any authorization and/or lets the user proceed to the application or resource they require.
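The step where the security server "logs on to the LDAP server on behalf of the user" is where an implementation most often goes wrong, so here is an added Python example (not from the post, and not any product's code) of the two checks it needs. The user id is spliced into a DN and possibly a search filter, so it must be escaped per RFC 4514 (DN values) and RFC 4515 (filter values); and an empty password must be refused before the bind, because under RFC 4513 a simple bind that carries a DN and an empty password is an unauthenticated bind, which a directory may answer with success even though nobody proved anything. The directory itself is replaced by a constructed in-memory bind function and the base DN is an assumption.

```python
"""Added example, not from the post: the bind-on-behalf-of-the-user step with
value escaping and an empty-password guard. The directory is a constructed
in-memory stand-in; the base DN is a constructed assumption."""

_DN_SPECIAL = set(',+"\\<>;')
_FILTER_ESCAPE = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
BASE_DN = "ou=people,dc=example,dc=org"   # constructed


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPE.get(ch, ch) for ch in value)


def user_bind_dn(uid, base_dn=BASE_DN):
    """DN the security server binds as on the user's behalf."""
    return "uid=%s,%s" % (escape_dn_value(uid), base_dn)


def user_search_filter(uid):
    """Filter for looking the user up first, when the DN cannot be derived."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(uid)


def authenticate(uid, password, simple_bind):
    """Return the bound DN on success, None otherwise.

    simple_bind(dn, password) stands in for the directory's LDAP simple bind.
    """
    if not uid or not password:
        # Never forward an empty password: the directory may treat
        # "DN + empty password" as an unauthenticated bind and say yes.
        return None
    dn = user_bind_dn(uid)
    return dn if simple_bind(dn, password) else None


def make_directory(entries):
    """Constructed stand-in for a directory; entries maps DN -> password.

    Like many real servers it answers an empty-password bind with success,
    which is the behaviour authenticate() has to guard against.
    """
    def simple_bind(dn, password):
        if password == "":
            return True        # unauthenticated bind: "succeeds" with no identity
        return entries.get(dn) == password
    return simple_bind


if __name__ == "__main__":
    directory = make_directory({user_bind_dn("test"): "test"})   # constructed entry
    print(authenticate("test", "test", directory))   # uid=test,ou=people,dc=example,dc=org
    print(authenticate("test", "", directory))       # None, although the bare bind would "succeed"
```

The same guard belongs in front of any real client library call: check for the empty password in your own code rather than trusting the directory's answer, and build DNs and filters only through the escaping functions so a user id containing a comma or a parenthesis cannot change which entry is bound or searched.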

LDAP Authentication Implementation

Often a simple LDAP directory authentication project hits trouble. This can be because of:
  • Poor authoritative sources
  • Poor identity data
  • No unique global id's
  • Poor synchronization between the authoritative source and the LDAP directory
  • Poor design of the LDAP and SSO authentication strength
  • Poor design of the LDAP and SSO failover and disaster recovery