Configuration for the CAS SSO Solution
CAS issues tickets that are included in requests. 'Secured services' use these tickets to validate that the user is authenticated, as follows:
When users access Business Analytics, if they have logged in with CAS, the request includes a service ticket unique to that user. Business Analytics validates this ticket to retrieve user ID information needed for authorization.
Business Analytics also obtains a proxy granting ticket from CAS to use if the user runs a mashable that is also secured by CAS. This proxy feature allows Business Analytics to send the mashable a proxy ticket that the mashable can use to authenticate the user.
If users access Business Analytics without first logging in with CAS, Business Analytics redirects users to the login page for CAS instead of the default Business Analytics login page.
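The ticket validation described above, as an added example that is not Business Analytics or CAS project code: it reads a CAS 2.0 validation response, returns the user ID and the proxy-granting-ticket IOU, and fails closed on anything other than one clean success. That the product speaks CAS 2.0 is an assumption based on the cas2 file name used later on this page; the sample responses, ticket values and the name `parse_validation` are constructed for illustration.

```python
# Added example: reading a CAS 2.0 validation response and failing closed.
import xml.etree.ElementTree as ET

NS = "http://www.yale.edu/tp/cas"   # namespace used by CAS 2.0 responses
CAS = {"cas": NS}

# Constructed sample responses (user name and ticket values are made up).
SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-1-constructed</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1-constructed not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


class CasValidationError(Exception):
    """Raised whenever the response is not exactly one clean success."""


def parse_validation(xml_text):
    """Return (user_id, pgt_iou); pgt_iou is None when no proxy was requested."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CasValidationError(f"unparseable response: {exc}")
    if root.tag != f"{{{NS}}}serviceResponse":
        raise CasValidationError("not a CAS serviceResponse")
    failure = root.find("cas:authenticationFailure", CAS)
    success = root.findall("cas:authenticationSuccess", CAS)
    # A response carrying both outcomes, or neither, is treated as a rejection.
    if failure is not None or len(success) != 1:
        code = failure.get("code") if failure is not None else "MALFORMED"
        raise CasValidationError(f"ticket rejected: {code}")
    users = success[0].findall("cas:user", CAS)
    if len(users) != 1 or not (users[0].text or "").strip():
        raise CasValidationError("response does not name exactly one user")
    pgt = success[0].findtext("cas:proxyGrantingTicket", default=None, namespaces=CAS)
    return users[0].text.strip(), (pgt.strip() if pgt else None)
```

The value in `cas:proxyGrantingTicket` is only an IOU; in CAS 2.0 the proxy granting ticket itself is delivered to the service's HTTPS callback, which is one reason step 1 of the procedure below requires HTTPS and a trusted certificate store.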
To configure Business Analytics authentication using CAS, handle login redirects and enable CAS security profiles for mashables:
1. Enable HTTPS for communication between the Business Analytics Server and the CAS Server. You must:
a. Configure the application server hosting the Business Analytics Server to listen on separate ports for HTTP and for HTTPS. In addition, you must configure a certificate store for the application server.
See Configure HTTPS and Certificate Stores in the Application Server for instructions for Tomcat. If Business Analytics is deployed in another application server, see the documentation for your application server for more information.
b. Obtain a certificate for the Business Analytics Server and add it to the certificate store.
If the CAS Server uses a self-signed certificate, you must also add that certificate to the certificate store.
See The Certificate Store and Certificates for more information.
2. Open applicationContext-security.xml in any text or XML editor.
This file is located in the web-apps-home/presto/WEB-INF/classes folder.
3. Make sure that the import statement for applicationContext-security-authn-cas2.xml is uncommented.
For example:
...
<import resource="applicationContext-security-authn-rememberme.xml"/>
<import resource="applicationContext-scheduler.xml"/>

<!-- import resource="applicationContext-security-authn-x509.xml"/-->
<!-- import resource="applicationContext-security-authn-rsa.xml"/-->

<import resource="applicationContext-security-authn-cas2.xml"/>
...
4. Find the bean with the ID authenticationEntryPointFilter and change the value of the defaultAuthenticationModuleName property to cas.
For example:
...
<bean id="authenticationEntryPointFilter"
>
  <property name="authentiationModules">
    <map>
      <entry key="cas" value-ref="casAuthenticationEntryPoint"/>
      <entry key="prestohub"
             value-ref="prestoDefaultAuthenticationEntryPoint"/>
    </map>
  </property>
  <property name="defaultAuthenticationModuleName" value="cas"/>
</bean>
...
5. Find the bean with the ID preauthAuthProvider and:
a. Comment out the preauthenticated user details property based on UserDetailsByNameServiceWrapper.
b. Uncomment the preauthenticated user details property based on casAuthenticatedUserDetailsService.
For example:
<bean id="preauthAuthProvider"
      class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
  <property name="preAuthenticatedUserDetailsService"
            ref="casAuthenticationUserDetailsService"/>
  <!-- property name="preAuthenticatedUserDetailsService">
    <bean id="userDetailsServiceWrapper"
          class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
      <property name="userDetailsService" ref="userRepositoryAccessAdapter"/>
    </bean>
  </property -->
</bean>
6. Save your changes to applicationContext-security.xml.
7. Open applicationContext-security-filters-default.xml in any text or XML editor.
This file is located in the web-apps-home/presto/WEB-INF/classes folder.
8. Make sure that the line beginning with /**/cas/** is not commented out. Save your changes, if any.
9. Set configuration properties to redirect users to the CAS login form if requests attempt to access Business Analytics directly without a valid CAS ticket. You must:
a. Open the sso.properties file in any text editor.
This file is located in the web-apps-home/presto/WEB-INF/classes folder.
b. Set the following properties for the Business Analytics Server:
* prestoServerInfo.host = the host name or IP address for this Business Analytics Server.
* prestoServerInfo.httpPort = the HTTP port for this Business Analytics Server. This is 8080 if you installed Business Analytics with default ports.
* prestoServerInfo.httpsPort = the HTTPS port for this Business Analytics Server. For Tomcat, 8443 is the default HTTPS port.
c. Set the following properties for the CAS Server:
* ssoServerInfo.host = the host name or IP address for this CAS Server.
If the CAS server is deployed at https://cas.myOrg.com:9443/cas, for example, the host would be cas.myOrg.com.
* ssoServerInfo.httpsPort = the HTTPS port for this CAS Server.
If the CAS server is deployed at https://cas.myOrg.com:9443/cas, for example, the HTTPS port would be 9443.
* ssoServerInfo.rootPath = the relative path, starting from the host and HTTPS port for this CAS Server.
If the CAS server is deployed at https://cas.myOrg.com:9443/cas, for example, the root path would be cas.
* ssoServerInfo.loginPath = the relative path, starting from the root path where this CAS server is deployed, to the login page where users should be redirected if they do not have a valid CAS ticket.
If the URL for your CAS login page is https://cas.myOrg.com:9443/cas/login, this property should be login, as the rest of the URL is set in other properties.
d. Save your changes.
10. Restart the Business Analytics Server. See Start and Stop the Business Analytics Server for instructions.
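A pre-restart check for the sso.properties values from step 9, as an added example that is not part of the product: it flags values that do not match the forms shown above (a full URL in a host property, a path with a leading slash, a non-numeric port) and otherwise returns the CAS login URL the four ssoServerInfo values describe. The function names, the ba.example.com host and the way the URL is joined are assumptions drawn from the page's https://cas.myOrg.com:9443/cas/login example, not from the server's own code.

```python
# Added example: lint sso.properties against the value formats given in step 9.
REQUIRED = ("prestoServerInfo.host", "prestoServerInfo.httpPort",
            "prestoServerInfo.httpsPort", "ssoServerInfo.host",
            "ssoServerInfo.httpsPort", "ssoServerInfo.rootPath",
            "ssoServerInfo.loginPath")

# Constructed sample; ba.example.com is a placeholder host name.
SAMPLE = """\
prestoServerInfo.host = ba.example.com
prestoServerInfo.httpPort = 8080
prestoServerInfo.httpsPort = 8443
ssoServerInfo.host = cas.myOrg.com
ssoServerInfo.httpsPort = 9443
ssoServerInfo.rootPath = cas
ssoServerInfo.loginPath = login
"""

def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_sso(text):
    """Return (cas_login_url, problems); the URL is None if any check fails."""
    props = parse_properties(text)
    problems = [f"{k}: missing" for k in REQUIRED if not props.get(k)]
    for key in REQUIRED:
        value = props.get(key)
        if not value:
            continue
        if key.endswith("Port"):
            if not (value.isascii() and value.isdigit() and 0 < int(value) < 65536):
                problems.append(f"{key}: not a TCP port")
        elif key.endswith(".host"):
            # A scheme, path or host:port pair belongs in the other properties.
            if "/" in value or value.count(":") == 1:
                problems.append(f"{key}: expected bare host name or IP")
        elif "://" in value or value.startswith("/"):
            problems.append(f"{key}: expected relative path")
    if problems:
        return None, problems
    url = "https://{}:{}/{}/{}".format(*(props["ssoServerInfo." + k] for k in
                                         ("host", "httpsPort", "rootPath", "loginPath")))
    return url, problems
```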
Copyright © 2013-2016 Software AG, Darmstadt, Germany.
