CAS SSO (Single sign-on)



SSO introduction

In a complete GIS system, several GIS servers are deployed to work together, for example an iPortal node, several iServer nodes and several iEdge nodes. When accessing these nodes, users have to keep switching between the products' web addresses and log in to each one with a different account. To remove the repeated logins and the burden of remembering several accounts, single sign-on (SSO) is applied to the system. SSO here refers to Web SSO.

Advantages of using SSO

When a user accesses a GIS server with SSO applied, the GIS server first forwards the request to the authentication server for user authentication. The user enters a username and password there and, once validated, continues on to the GIS services. When the user then goes to a different GIS server, that request is forwarded to the authentication server as well. This time the authentication server finds that the user has already been authenticated and tells the GIS server so, and the user reaches the services without logging in again. Throughout the process the user logs in only once to reach all GIS servers, and the authentication server performs the authentication, and reads the user database, only once.

Without SSO, the user has to log in each time a different GIS server is accessed. Each GIS server keeps its own user database, so every authentication reads that server's own database.

[Figure: Using SSO]

[Figure: Without using SSO]

Advantages of SSO:

Configure to use CAS SSO

CAS (Central Authentication Service) is an open source Java Web SSO project that originated at Yale University. iServer, iPortal and iEdge support CAS-based single sign-on. When configuring single sign-on, users set the CAS authentication server, which is responsible for authenticating user information; it can be deployed on its own anywhere in the network. This section describes how to configure SSO in iServer/iPortal/iEdge. For installing and configuring CAS itself, see: CAS installation and configuration.

Enable SSO

Log in to SuperMap iServer Manager, click Security > CAS Configuration, check the Enabled option, then set the CAS attribute field and the CAS service address, and click Save to apply the settings. In production the CAS service address should use https: the browser is redirected to it to enter credentials, and the GIS server validates tickets against it. Where:

Configure the association between CAS user attributes and iServer roles

iServer/iPortal/iEdge assigns permissions to CAS users by associating existing roles with CAS user attributes. If a CAS user attribute value is associated with an existing iServer role, a CAS user carrying that attribute value has the same permissions as that role.

The relationship between CAS attribute values and existing iServer/iPortal/iEdge roles is many-to-many. The built-in iServer roles USER, PUBLISHER and ADMIN are matched to the CAS attribute values cas_USER, cas_PUBLISHER and cas_ADMIN respectively (spelled exactly as in the configuration). If the association field configured on the CAS server does not carry these values for a user, the association has no effect.

Click the "Add Attribute Role Configuration" button to associate further CAS user attribute values with existing iServer roles.
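The redirect-and-validate flow from the introduction and the attribute-to-role association just described, as an added example in Python (not SuperMap's code). It builds the CAS login redirect a GIS server issues, parses a constructed CAS 3.0 serviceValidate response, and applies a rule in the attributeRuleMapping syntax quoted later on this page; how the product itself interprets that syntax is this example's assumption, and all names, URLs and sample XML are constructed.

```python
# Added example, not SuperMap's code: the two CAS client steps a GIS server
# performs (redirect the browser to CAS, validate the returned ticket) and the
# CAS-attribute -> iServer-role association. The rule syntax follows the
# attributeRuleMapping line quoted on this page; its interpretation here is an
# assumption. The XML responses are constructed CAS protocol 3.0 samples.
from __future__ import annotations

import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted XML in production
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"

# Rule as quoted on the page; iserver_att stands for whatever was set as the
# "CAS attribute field" in the manager.
RULE = "iserver_att={cas_SYSTEM=[SYSTEM,ADMIN],cas_PUBLISHER=[PUBLISHER],cas_USER=[USER]}"


def login_redirect_url(cas_server_url_prefix: str, service_url: str) -> str:
    """Where an unauthenticated browser is sent. 'service' is the GIS server's
    /shiro-cas callback; it must be URL-encoded because CAS redirects back to it."""
    return f"{cas_server_url_prefix}/login?{urlencode({'service': service_url})}"


def parse_rule_mapping(rule: str) -> tuple[str, dict[str, list[str]]]:
    """'field={v1=[R1,R2],v2=[R3]}' -> ('field', {'v1': ['R1', 'R2'], 'v2': ['R3']})"""
    field, _, body = rule.partition("=")
    body = body.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("rule body must be enclosed in {}")
    mapping: dict[str, list[str]] = {}
    for entry in body[1:-1].split("],"):  # every entry ends with ']'
        entry = entry.strip().rstrip("]")
        if not entry:
            continue
        value, sep, roles = entry.partition("=[")
        if not sep:
            raise ValueError(f"bad entry: {entry!r}")
        mapping[value.strip()] = [r.strip() for r in roles.split(",") if r.strip()]
    return field.strip(), mapping


def parse_validate_response(xml_text: str) -> tuple[str, dict[str, list[str]]]:
    """Parse /serviceValidate output into (user, attributes). Raises
    PermissionError on <cas:authenticationFailure>, so a rejected ticket
    never yields a user."""
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
        code = failure.get("code") if failure is not None else "UNKNOWN"
        raise PermissionError(f"CAS ticket validation failed: {code}")
    user = (success.findtext(f"{{{CAS_NS}}}user") or "").strip()
    if not user:
        raise PermissionError("authenticationSuccess without <cas:user>")
    attrs: dict[str, list[str]] = {}
    attr_el = success.find(f"{{{CAS_NS}}}attributes")
    if attr_el is not None:
        for child in attr_el:  # multi-valued attributes repeat the element
            name = child.tag.rsplit("}", 1)[-1]
            attrs.setdefault(name, []).append((child.text or "").strip())
    return user, attrs


def roles_for(attrs: dict[str, list[str]], rule: str = RULE) -> set[str]:
    """Roles granted by the association. Empty set when none of the user's
    values in the association field are mapped: the association has no effect."""
    field, mapping = parse_rule_mapping(rule)
    roles: set[str] = set()
    for value in attrs.get(field, []):
        roles.update(mapping.get(value, []))
    return roles


# Constructed sample responses (CAS protocol 3.0 layout).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes>
      <cas:iserver_att>cas_PUBLISHER</cas:iserver_att>
      <cas:iserver_att>cas_USER</cas:iserver_att>
      <cas:mail>alice@example.org</cas:mail>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_redirect_url("https://cas.example.org/cas", "https://gis.example.org/iserver/shiro-cas"))
    user, attrs = parse_validate_response(SAMPLE_SUCCESS)
    print(user, sorted(roles_for(attrs)))
    print(roles_for({"iserver_att": ["cas_Publisher"]}))  # spelling mismatch: no roles
    try:
        parse_validate_response(SAMPLE_FAILURE)
    except PermissionError as e:
        print(e)
```

The last call shows the "association does not take effect" case: a value that is not spelled exactly as in the rule grants nothing, which is why the attribute values on the CAS server and in the GIS server configuration have to agree character for character.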

Other optional configurations

If the login/logout address of the CAS server differs from its authentication (ticket validation) address (for example, the CAS server has two or more NICs and the login/logout address and the authentication address use different IPs), open shiro.ini (under the WEB-INF directory of the web application, e.g. [SuperMap iServer installation directory]\webapps\iserver\WEB-INF for iServer, or webapps\iportal\WEB-INF for iPortal) with a text editor and add the casRealm.casLoginLogoutPrefix parameter for the login/logout address, as in the following fragment (the placeholders use http; use https in production):

    casRealm.enabled = false
    casRealm.reserveSystemAccount = true
    casRealm.casServerUrlPrefix = http://{ip}:{port}/cas
    casRealm.casLoginLogoutPrefix = http://{ip}:{port}/cas
    ...

Additional configurations for iPortal

In SuperMap iPortal, a CAS account can log in to the iPortal home page only if its CAS user attribute is associated with the ADMIN and PORTAL_USER roles; otherwise the user is shown as unregistered.

After the above configuration, logged-in CAS users can only browse maps, services and so on; they cannot create maps, register services or perform similar operations. To allow these operations, further configuration is needed: open shiro.ini under [SuperMap iPortal installation directory]\webapps\iportal\WEB-INF with a text editor and add the casRealm.backRealm parameter to the casRealm configuration, as in the following fragment. After editing, restart the iPortal service.

    ...
    casRealm = com.supermap.iportal.security.IportalCasRealm
    casRealm.attributeRuleMapping = iserver_att={cas_SYSTEM=[SYSTEM,ADMIN],cas_PUBLISHER=[PUBLISHER],cas_USER=[USER]}
    ...
    usernamepasswordrealm = com.supermap.services.security.BuiltInTokenSupportedRealm
    casRealm.backRealm = $usernamepasswordrealm
    ...

Note:

Log in with CAS accounts

Once single sign-on is enabled, CAS user accounts can be used to access protected services or to log in to Service Manager. If the "Built-in Account Login" option is checked when configuring SSO, the login page (shown below) offers both choices: users can log in with an existing built-in user, or click "Log in as CAS" to jump to the CAS login page and log in with a CAS account. After successful authentication by the CAS server, users can access the iServer services and the GIS services of iServer, iEdge and iPortal that are associated with the CAS server.

If the "Built-in Account Login" option is not checked when enabling single sign-on, accessing a protected service or Service Manager redirects straight to the CAS server's login page.

For iPortal, SSO login goes through "http://localhost:8090/iportal/services/security/login", not the home page ("http://localhost:8090/iportal/").

Note:

If the CAS authentication server and the GIS server are not on the same machine, login may fail because their system clocks differ. Either synchronize the clocks of the two machines (preferably with NTP) or adjust the tolerated clock skew. The default tolerance is 3 minutes (180000 ms). The tolerance is the clock difference the GIS server still accepts when checking a ticket's validity window, so widening it loosens that check; fixing the clocks is the better remedy. To change it, edit shiro.ini (in WEB-INF) and modify the casRealm.tolerance parameter, as shown below:

    ...
    casRealm.enabled = false
    casRealm.reserveSystemAccount = true
    casRealm.casServerUrlPrefix = http://{ip}:{port}/cas
    casRealm.casService = http://{ip}:{port}/{contextPath}/shiro-cas
    casRealm.securityInfoDAO = $sqliteRealm
    casRealm.tolerance = 180000
    ...
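A checker for the casRealm.* settings shown in the shiro.ini fragments above (the login/logout prefix under "Other optional configurations" and the tolerance in this note), as an added example in Python (not SuperMap's code). The two ini texts are constructed; the [main] section header is the standard shiro.ini layout that the page's fragments elide, and what counts as a finding is this example's own policy, not a product rule.

```python
# Added example, not SuperMap's code: lint the casRealm.* lines of a shiro.ini
# as quoted on this page. Both ini texts are constructed; the [main] header is
# the usual shiro.ini layout. Findings reflect this example's policy.
from __future__ import annotations

import configparser
from urllib.parse import urlsplit

DEFAULT_TOLERANCE_MS = 180_000  # the 3-minute default quoted on the page

# Weak: clear-text http everywhere and a tolerance widened to 10 minutes.
WEAK_INI = """[main]
casRealm = com.supermap.iportal.security.IportalCasRealm
casRealm.enabled = false
casRealm.reserveSystemAccount = true
casRealm.casServerUrlPrefix = http://10.0.0.5:8080/cas
casRealm.casLoginLogoutPrefix = http://203.0.113.10:8080/cas
casRealm.casService = http://203.0.113.10:8090/iportal/shiro-cas
casRealm.tolerance = 600000
casRealm.attributeRuleMapping = iserver_att={cas_SYSTEM=[SYSTEM,ADMIN],cas_PUBLISHER=[PUBLISHER],cas_USER=[USER]}
"""

# Hardened: https, a separate login/logout host for the second NIC, default tolerance.
HARDENED_INI = """[main]
casRealm = com.supermap.iportal.security.IportalCasRealm
casRealm.enabled = false
casRealm.reserveSystemAccount = true
casRealm.casServerUrlPrefix = https://10.0.0.5:8443/cas
casRealm.casLoginLogoutPrefix = https://cas.example.org/cas
casRealm.casService = https://gis.example.org/iportal/shiro-cas
casRealm.tolerance = 180000
"""


def load_cas_realm(ini_text: str) -> dict[str, str]:
    """Return the casRealm.* keys of [main], preserving key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # shiro keys are case-sensitive; do not lowercase them
    cp.read_string(ini_text)
    return {k: v.strip() for k, v in cp["main"].items() if k.startswith("casRealm.")}


def check_cas_realm(cfg: dict[str, str]) -> list[str]:
    findings: list[str] = []
    server = cfg.get("casRealm.casServerUrlPrefix", "")
    login = cfg.get("casRealm.casLoginLogoutPrefix", server)  # falls back to the validation prefix
    service = cfg.get("casRealm.casService", "")

    for key, url in (("casServerUrlPrefix", server),
                     ("casLoginLogoutPrefix", login),
                     ("casService", service)):
        if url and urlsplit(url).scheme != "https":
            findings.append(f"{key}: {url} is not https; credentials and tickets would cross the network in clear text")

    # A second NIC may change the host, but both prefixes must name the same CAS application.
    if server and urlsplit(login).path.rstrip("/") != urlsplit(server).path.rstrip("/"):
        findings.append("casLoginLogoutPrefix and casServerUrlPrefix point at different CAS context paths")

    if service and not urlsplit(service).path.endswith("/shiro-cas"):
        findings.append("casService should be the GIS server's /shiro-cas callback")

    tol = cfg.get("casRealm.tolerance")
    if tol is not None:
        try:
            ms = int(tol)
        except ValueError:
            findings.append(f"tolerance {tol!r} is not an integer number of milliseconds")
        else:
            if ms < 0:
                findings.append("tolerance must not be negative")
            elif ms > DEFAULT_TOLERANCE_MS:
                findings.append(f"tolerance {ms} ms is above the {DEFAULT_TOLERANCE_MS} ms default; "
                                "synchronize clocks with NTP instead of widening it")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, check_cas_realm(load_cas_realm(text)) or ["no findings"])
```

Run against the weak text it reports the three http URLs and the widened tolerance; the hardened text passes, including the case where login/logout and validation prefixes sit on different hosts but share the /cas context path.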