JASIG CAS jira+confluence sso

1
votes

I have three different tomcat instance. Tomcat with cas server localhost:8050 Tomcat with Jira 4.3 localhost:8080 and, finally tomcat with confluence 3.5 localhost:8070

I need to implement SSO(jira + confluence) via cas server, which connected to LDAP.

Ok, im use cas client for jira and Confluence like this https://wiki.jasig.org/display/CASC/Configuring+Confluence+with+JASIG+CAS+Client+for+Java+3.1

Now both jira and confluence correctly redirect me to Cas login page and authtorize in ldap server, thats work almost fine(have some bugs with confluence logout), but this is not SSO. If i logged in jira i still need to enter my cretentials for confluence and vice verca. I think its happend because diferent tomcat installation. When im logging in jira Cas give me a ticket for service http://localhost:8080 and another ticket for confluence(http://localhost:8070). Im really stuck with this stupid problem, and im hope somebody can direct me on right way.

My configs: Jira. Seraph-config.xml

 <init-param>
            <param-name>login.url</param-name>
            <param-value>http://localhost:8050/cas-server-webapp-3.4.8/login?service=${originalurl}</param-value>
         </init-param>
        <init-param>
             <param-name>link.login.url</param-name>
            <param-value>http://localhost:8050/cas-server-webapp-3.4.8/login?service=${originalurl}                      </param-value>
         </init-param>
        <init-param>
            <param-name>logout.url</param-name>
            <param-value>http://localhost:8050/cas-server-webapp-3.4.8/logout</param-value>
      </init-param>

Web xml:

<filter>
   <filter-name>CasSingleSignOutFilter</filter-name>
   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
  <filter-name>CasAuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>http://localhost:8050/cas-server-webapp-3.4.8/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://localhost:8080</param-value>
  </init-param>
</filter>
<filter>
    <filter-name>CasValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://localhost:8050/cas-server-webapp-3.4.8/</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8080</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter-mapping>
   <filter-name>CasSingleSignOutFilter</filter-name>
   <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CasAuthenticationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CasValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
    <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

for confluence:

seraph-config.xml :

<init-param>
        <param-name>login.url</param-name>
        <param-value>http://localhost:8050/cas-server-webapp-3.4.8/login?service=${originalurl}</param-value>
    </init-param>
    <init-param>
        <param-name>link.login.url</param-name>
        <param-value>http://localhost:8050/cas-server-webapp-3.4.8/login?service=${originalurl}</param-value>
    </init-param>

web.xml:

<filter>
   <filter-name>CasSingleSignOutFilter</filter-name>
   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
  <filter-name>CasAuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>http://localhost:8050/cas-server-webapp-3.4.8/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://localhost:8070</param-value>
  </init-param>
</filter>
<filter>
    <filter-name>CasValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://localhost:8050/cas-server-webapp-3.4.8/</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8070</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
   <filter-name>CasSingleSignOutFilter</filter-name>
   <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CasAuthenticationFilter</filter-name>
    <url-pattern>/login.action</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CasValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>
1
single-sign-onjiracasconfluence
I have Confluence & JIRA running from different Tomcat instances (same host, different ports) -- both Development and Production -- and our CAS SSO works.OMG Ponies
OMG Ponies. Thx, i edited my post :). Can you share your configs ? Which version of jira you use?Ilya
We're running 4.2.3 in prod. Been testing 4.3.4, with the 3.2.1 client but delegating Jira to manage Confluence users fails with a SAXException.OMG Ponies
I had a look -- we don't do the login.url/link.login.url customization, for JIRA or Confluence.OMG Ponies

1 Answers

0
votes

I notice above that your service is dynamic: service=${originalurl}

I think that for SSO to work you have to use the each website has to call CAS using the same service so that the TGT on the CAS server knows who is calling. Otherwise, I think you have to investigate Proxy Granting Tickets:

https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough

Which I understand are a means of a service saying the equivilent of "it's ok, that other service is my friend".