Jasig CAS authentication and users with periods in the id


Jasig CAS authentication and users with periods in the id

Mark Sack
I have successfully configured our xwiki site to use LDAP authentication against Active Directory. The convention for the user IDs in our Active Directory is to use a period to separate the given name and surname as in mark.sack. I added the LDAPProfileClass object to the user profiles to map the Active Directory IDs to the internal wiki ones. I had created the users before implementing the Active Directory authentication with the convention of an underscore in between the given name and the surname.

Now I would like to implement a single signon solution for all of our applications and have set up a CAS server to authenticate against Active Directory. The authentication works fine but the CAS authentication in xwiki seems to simply strip out the period in the Active Directory ID instead of mapping to the existing user. I observed the following behaviour:
- in xwiki.cfg, if I set xwiki.authentication.cas.create_user to 1 and log in as mark.sack (with my Active Directory password), the login is successful. But xwiki creates a new user with id marksack instead of mapping to the existing mark_sack user (mark_sack has the LDAPProfileClass set to mark.sack).
- in xwiki.cfg, if I set xwiki.authentication.cas.create_user to 0 and log in as mark.sack, the login fails with a message to the effect that the user does not exist.

How could I achieve the mapping of xwiki users to Active Directory for CAS authentication?

Our system is relatively small (about 40 users so far) and has not yet really been rolled out to the user community. So if need be, I could create new xwiki users following the convention required by xwiki (no character between the given name and surname). But I would prefer to avoid that if I can.

Re: Jasig CAS authentication and users with periods in the id

Thomas Mortagne
Administrator
On Mon, Mar 28, 2016 at 3:53 PM, Mark Sack <[hidden email]> wrote:

> I have successfully configured our xwiki site to use LDAP authentication
> against Active Directory. The convention for the user IDs in our Active
> Directory is to use a period to separate the given name and surname as in
> mark.sack. I added the LDAPProfileClass object to the user profiles to map
> the Active Directory IDs to the internal wiki ones. I had created the users
> before implementing the Active Directory authentication with the convention
> of an underscore in between the given name and the surname.
>
> Now I would like to implement a single signon solution for all of our
> applications and have set up a CAS server to authenticate against Active
> Directory. The authentication works fine but the CAS authentication in xwiki
> seems to simply strip out the period in the Active Directory ID instead of
> mapping to the existing user. I observed the following behaviour:
> - in xwiki.cfg, if I set xwiki.authentication.cas.create_user to 1 and login
> as mark.sack (with my Active Directory password), the login is successful.
> But xwiki creates a new user with id marksack instead of mapping to the
> existing mark_sack user (mark_sack has the LDAPProfileClass set to
> mark.sack).
> - in xwiki.cfg, if I set xwiki.authentication.cas.create_user to 0 and log in
> as mark.sack, the login fails with a message to the effect that the
> user does not exist.
>
> How could I achieve the mapping of xwiki users to Active Directory for CAS
> authentication?

You did not say which authenticator you are using with CAS. If it's
AppServerTrustedAuthServiceImpl then you should try
http://extensions.xwiki.org/xwiki/bin/view/Extension/XWiki+Authenticator+Trusted+LDAP
instead.

>
> Our system is relatively small (about 40 users so far) and has not yet
> really been rolled out to the user community. So if need be, I could create
> new xwiki users following the convention required by xwiki (no character
> between the given name and surname). But I would prefer to avoid that if I
> can.
>
>
>
> --
> View this message in context: http://xwiki.475771.n2.nabble.com/Jasig-CAS-authentication-and-users-with-periods-in-the-id-tp7598674.html
> Sent from the XWiki- Users mailing list archive at Nabble.com.
> _______________________________________________
> users mailing list
> [hidden email]
> http://lists.xwiki.org/mailman/listinfo/users



--
Thomas Mortagne

Re: Jasig CAS authentication and users with periods in the id

Mark Sack
Thanks for the suggestion. Unfortunately, it looks like I will need a lot more hand holding to figure out whether or not I can use the trusted ldap authenticator as you suggest.

1. I found the following comment in xwiki.cfg
    #-# Used by some authenticators (like com.xpn.xwiki.user.impl.xwiki.AppServerTrustedAuthServiceImpl)
    But I didn't find that string anywhere else in the files in WEB-INF. So I'm not sure if I'm using that particular
    authenticator. Is it the default? How does one select a specific authenticator?

2. In the readme for the extension https://github.com/xwiki-contrib/xwiki-authenticator-trusted-ldap/blob/master/README.md
    the configuration examples all seem to refer to authentication using LDAP (and the name of the extension implies that
    it is intended for LDAP). But in my configuration, xwiki isn't talking to LDAP - it is instead talking to a CAS server which
    in turn talks to Active Directory (using the LDAP protocol). As a consequence, LDAP authentication is disabled in
    xwiki.cfg. Instead my xwiki.cfg file has the following line:
         xwiki.authentication.authclass=org.xwiki.contrib.authentication.cas.XWikiCASAuthenticator
    Is it true that this extension can be used for CAS authentication as well as LDAP?

3. The extension appears to rely on regexp for transformation/translation of the user ID. I inadvertently omitted one detail
    from my description of the problem. The mapping from LDAP/CAS user ID to xwiki ID is not as simple as replacing a
    period with an underscore. Here, people sometimes have multiple surnames or use a second given name in
    to a surname. As an example, my name might be 'Mark Thomas Jones Sack'. And in xwiki I might have created a
    user with the ID 'mark_sack'. But in Active Directory, the ID might be 'mark.thomas' or 'mark.jones'. For a mapping
    such as this from 'mark.jones' to 'mark_sack', I think I would need a separate field (like LDAPProfileClass provides)
    instead of just a regexp expression.

Regards
Mark

Re: Jasig CAS authentication and users with periods in the id

Thomas Mortagne
Administrator
On Tue, Mar 29, 2016 at 2:13 PM, Mark Sack <[hidden email]> wrote:

> Thanks for the suggestion. Unfortunately, it looks like I will need a lot
> more hand holding to figure out whether or not I can use the trusted ldap
> authenticator as you suggest.
>
> 1. I found the following comment in xwiki.cfg
>     #-# Used by some authenticators (like
> com.xpn.xwiki.user.impl.xwiki.AppServerTrustedAuthServiceImpl)
>     But I didn't find that the string anywhere else in the files in WEB-INF.
> So I'm not sure if I'm using that particular
>     authenticator. Is it the default? How does one select a specific
> authenticator?

I don't understand. XWiki doesn't magically see that it's behind CAS and talk
to it. By default you just have the standard XWiki login form.

You must have indicated a custom authenticator in xwiki.cfg with the
property xwiki.authentication.authclass to have SSO working. See
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HContainerAuthentication
for more details.

>
> 2. In the readme for the extension
> https://github.com/xwiki-contrib/xwiki-authenticator-trusted-ldap/blob/master/README.md
>     the configuration examples all seem to refer to authentication using
> LDAP (and the name of the extension implies that
>     it is intended for LDAP). But in my configuration, xwiki isn't talking
> to LDAP - it is instead talking to a CAS server which
>     in turn talks to Active Directory (using the LDAP protocol). As a
> consequence, LDAP authentication is disabled in
>     xwiki.cfg. Instead my xwiki.cfg file has the following line:
>
> xwiki.authentication.authclass=org.xwiki.contrib.authentication.cas.XWikiCASAuthenticator
>     Is it true that this extension can be used for CAS authentication as
> well as LDAP?

As explained in
https://github.com/xwiki-contrib/xwiki-authenticator-trusted-ldap/blob/master/README.md
this authenticator trusts the application server and then only gets more
information from LDAP. It does not authenticate itself, but it does know
about the LDAPProfileClass object, user synchronization, membership
synchronization, etc. If you want to reuse the LDAPProfileClass object you
don't really have much choice, since other non-LDAP-related
authenticators have absolutely no idea what this object is and won't
look at it.

Another possibility is to use
http://extensions.xwiki.org/xwiki/bin/view/Extension/Authenticator+Jasig+CAS
which seems to be designed for CAS but I can't tell you how well it's
working (and I doubt it reuses LDAPProfileClass).

>
> 3. The extension appears to rely on regexp for transformation/translation of
> the user ID. I inadvertently omitted one detail
>     from my description of the problem. The mapping from LDAP/CAS user ID to
> xwiki ID is not as simple as replacing a
>     period with an underscore. Here, people sometimes have multiple surnames
> or use a second given name in
>     to a surname. As an example, my name might be 'Mark Thomas Jones Sack'.
> And in xwiki I might have created a
>     user with the ID 'mark_sack'. But in Active Directory, the ID might be
> 'mark.thomas' or 'mark.jones'. For a mapping
>     such as this from 'mark.jones' to 'mark_sack', I think I would need a
> separate field (like LDAPProfileClass provides)
>     instead of just a regexp expression.

CAS itself must have a way to map its id to LDAP entry as otherwise I
don't see how it would work. There is most probably some rule you can
come up with to find what CAS gives you on LDAP side.

Anyway you should probably try first with
http://extensions.xwiki.org/xwiki/bin/view/Extension/Authenticator+Jasig+CAS
which is probably more optimized than a trusted+LDAP authenticator for
your use case.

>
> Regards
> Mark



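The two mapping strategies discussed in this exchange (a regexp rewrite of the CAS id, as a trusted/LDAP-style authenticator offers, versus an explicit per-profile attribute like the uid stored on an LDAPProfileClass object), shown side by side in Python. This is an added illustration, not code from the thread, from XWiki, or from either authenticator extension; the `WikiUser` profile records, the `ldap_uid` attribute name, the `resolve_user` helper and all sample ids are assumptions constructed for the example. It reproduces the behaviour Mark observed (mark.sack stripped to marksack, and "user does not exist" when create_user is off) and shows why a regexp alone cannot express mark.jones -> mark_sack.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class WikiUser:
    """Constructed stand-in for a wiki profile (assumption, not XWiki's model)."""
    wiki_id: str                    # internal wiki id; periods are not allowed
    ldap_uid: Optional[str] = None  # external id stored on an LDAPProfileClass-like object


class AmbiguousMappingError(Exception):
    """Two profiles claim the same external id; refuse to guess which account to log in."""


def sample_users() -> List[WikiUser]:
    # Constructed sample data: profiles created by hand with an underscore convention.
    return [
        WikiUser("mark_sack", ldap_uid="mark.jones"),  # external id not derivable from wiki id
        WikiUser("jane_doe", ldap_uid="jane.doe"),
        WikiUser("old_account"),                       # profile with no mapping object at all
    ]


def strip_to_wiki_id(external_id: str) -> str:
    """The behaviour observed in the thread: drop every character the wiki id
    cannot contain, so 'mark.sack' becomes 'marksack'."""
    return re.sub(r"[^A-Za-z0-9_]", "", external_id)


def regex_map(external_id: str,
              pattern: str = r"^([^.]+)\.([^.]+)$",
              replacement: str = r"\1_\2") -> str:
    """Rule-based rewrite of the kind a regexp-driven authenticator provides.
    Handles 'mark.sack' -> 'mark_sack' but can never produce 'mark_sack' from 'mark.jones'."""
    return re.sub(pattern, replacement, external_id)


def resolve_user(external_id: str, users: List[WikiUser],
                 create_user: bool = False) -> Tuple[Optional[WikiUser], bool]:
    """Return (profile, created).

    Order matters: an explicit per-profile mapping wins, then a derived id,
    and only then (and only if allowed) a freshly created account. Matching is
    case-insensitive because Active Directory logins are, so 'Mark.Jones' and
    'mark.jones' must land on the same profile rather than creating duplicates.
    """
    key = external_id.casefold()
    explicit = [u for u in users if u.ldap_uid and u.ldap_uid.casefold() == key]
    if len(explicit) > 1:
        # Two accounts mapped to one external identity is an account-confusion
        # risk; fail closed instead of logging the user into whichever comes first.
        raise AmbiguousMappingError(external_id)
    if explicit:
        return explicit[0], False

    derived = strip_to_wiki_id(external_id)
    for u in users:
        if u.wiki_id.casefold() == derived.casefold():
            return u, False

    if create_user:
        # create_user=1 path from the thread: a new 'marksack' profile appears.
        new = WikiUser(derived, ldap_uid=external_id)
        users.append(new)
        return new, True
    return None, False  # create_user=0 path: "user does not exist"


if __name__ == "__main__":
    users = sample_users()
    for login in ("mark.jones", "mark.sack", "MARK.JONES"):
        profile, created = resolve_user(login, users)
        print(login, "->", profile.wiki_id if profile else None, "created" if created else "")
    print("regex_map('mark.jones') =", regex_map("mark.jones"))
```

The lookup-first order is the point: with the mapping attribute populated, the regexp fallback is never consulted for existing accounts, and with create_user left off an unmapped login fails rather than silently minting a second account for the same person.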

Re: Jasig CAS authentication and users with periods in the id

Mark Sack
My bad. I am indeed using the extension
http://extensions.xwiki.org/xwiki/bin/view/Extension/Authenticator+Jasig+CAS
I just assumed this extension would be the only choice for CAS authentication. So I didn't explicitly mention it.

The CAS server has its own login page (at least in the Ruby implementation that I am using). That server takes the ID and password entered on the login page and passes it through to whatever service(s) (LDAP, database, etc.) it is configured to authenticate against. The real value of CAS is that it remembers the user's login status and doesn't ask the user to re-authenticate if he wants to log in to a different app but already has a status of logged in. Since CAS is intended to handle login requests from multiple applications, it isn't really the right place to do a mapping of user IDs such as that required specifically by xwiki.

I'll continue to poke around for alternatives but it appears that, since my programming skills aren't very deep, I'll need to fall back to recreating the users.

In the long term, I can see two alternative enhancements to prevent users from getting into this predicament:
- remove the restriction that xwiki user IDs cannot contain periods (which I understand from previous posts is difficult and not on the list of priorities)
- enhance the xwiki Jasig CAS extension to provide a mapping capability similar to that of LDAPProfileClass (this would depend on the maintainer of the extension, I suppose).

All of this is just my two cents worth. I can understand why fixing this issue would not be a high priority since, in any system with a large number of users, the users would not be created manually as I have done. I also have the option of setting the system to create users when they first log in, thus avoiding the problem when adding new users in future. (For now, I need the database nicely populated to demonstrate its utility to the user community and can't rely on them all logging in first.)

Thanks for your help in investigating the issue.

Regards
Mark

Re: Jasig CAS authentication and users with periods in the id

Thomas Mortagne
Administrator
On Tue, Mar 29, 2016 at 4:12 PM, Mark Sack <[hidden email]> wrote:

> My bad. I am indeed using the extension
> http://extensions.xwiki.org/xwiki/bin/view/Extension/Authenticator+Jasig+CAS
> I just assumed this extension would be the only choice for CAS
> authentication. So I didn't explicitly mention it.
>
> The CAS server has its own login page (at least in the Ruby implementation
> that I am using). That server takes the ID and password entered on the login
> page and passes it through to whatever service(s) (LDAP, database, etc.) it
> is configured to authenticate against. The real value of CAS is that it
> remembers the user's login status and doesn't ask the user to
> re-authenticate if he wants to log in to a different app but already has
> a status of logged in. Since CAS is intended to handle login requests from
> multiple applications, it isn't really the right place to do a mapping of
> user IDs such as that required specifically by xwiki.
>
> I'll continue to poke around for alternatives but it appears that, since my
> programming skills aren't very deep, I'll need to fall back to recreating
> the users.
>
> In the long term, I can see two alternative enhancements to prevent users
> from getting into this predicament:

> - remove the restriction that xwiki user IDs cannot contain periods (which I
> understand from previous posts is difficult and not on the list of
> priorities)

The last blockers for this are http://jira.xwiki.org/browse/XWIKI-5149
and http://jira.xwiki.org/browse/XWIKI-5174 as far as I remember, but
yes, nobody is actively working on it.

> - enhance the xwiki Jasig CAS extension to provide a mapping capability
> similar to that of LDAPProfileClass (this would depend on the maintainer of
> the extension, I suppose).

You could create an improvement or new feature issue for this on
http://jira.xwiki.org/browse/AUTHCAS to keep track of it since it will
probably get lost in the mailing list.

>
> All of this is just my two cents worth. I can understand why fixing this
> issue would not be a high priority since, in any system with a large number
> of users, the users would not be created manually as I have done. I also
> have the option of setting the system to create users when they first log
> in, thus avoiding the problem when adding new users in future. (For now, I
> need the database nicely populated to demonstrate its utility to the user
> community and can't rely on them all logging in first.)
>
> Thanks for your help in investigating the issue.
>
> Regards
> Mark




Re: Jasig CAS authentication and users with periods in the id

Mark Sack