By default, EDAA is unauthenticated; you can use an external CAS server to provide authentication for it.

To enable authentication for EDAA, follow this procedure.

Procedure

  1. To build CAS:
    1. Download cas-overlay-template from https://github.com/apereo/cas-overlay-template/tree/6.5.
    2. Include the following extension modules in the Gradle build:
      cas-server-support-duo
      cas-server-support-oidc
      cas-server-support-rest
      cas-server-support-rest-tokens
      cas-server-support-json-service-registry
      cas-server-core-api-configuration-model
      cas-server-webapp-init
      org.tuckey:urlrewritefilter:4.0.4 (Note: this is required to enable URL rewriting, which redirects the login call from EDAA, that is from /cas/realm-login to /cas/login.)
    3. Build CAS and generate the keystore/certificate (follow the README provided by CAS).
  2. To deploy CAS:
    1. Deploy the cas.war you built in Tomcat 9 (install a separate Tomcat for CAS), and set JRE_HOME to a Java 11 runtime (this is important because CAS 6.5 requires Java 11 to run).
    2. Enable URL rewriting by adding the filter to web.xml and creating urlrewrite.xml (this step is important because the login URL cas/realm-login is hard-coded in EDAA).
      <cas-tomcat-install-location>/webapps/cas/WEB-INF/web.xml:
        <filter>
            <filter-name>UrlRewriteFilter</filter-name>
            <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>UrlRewriteFilter</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
            <dispatcher>FORWARD</dispatcher>
        </filter-mapping>
      <cas-tomcat-install-location>/webapps/cas/WEB-INF/urlrewrite.xml:
        <?xml version="1.0" encoding="utf-8"?>
        <!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 4.0//EN"
            "http://www.tuckey.org/res/dtds/urlrewrite4.0.dtd">

        <urlrewrite>
            <rule>
                <from>^/realm-login$</from>
                <to last="true" type="redirect">%{context-path}/login</to>
            </rule>
        </urlrewrite>
    3. Copy the generated keystore/certificate files (that is, cas.crt and the keystore) to /etc/cas/, and copy cas.properties to /etc/cas/config/.
    4. Update /etc/cas/config/cas.properties with the following properties:
      cas.server.name=http://localhost:8090
      cas.server.prefix=${cas.server.name}/cas
      cas.serviceregistry.json.location=file:/etc/cas/services
      cas.authn.accept.users=admin::changeme
       
      cas.authn.attribute-repository.stub.id=SAMPROF
      cas.authn.attribute-repository.stub.attributes.SAM_PROFILE=admin-profile
      Create the following service registry JSON file under /etc/cas/services/:
      smarts-edaa-1001.json:
      {
        "@class" : "org.apereo.cas.services.RegexRegisteredService",
        "serviceId" : "^(http|https)://.*",
        "name" : "HTTP/HTTPS wildcard",
        "id" : 1001,
        "attributeReleasePolicy" : {
          "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
          "principalAttributesRepository" : {
            "@class" : "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
            "attributeRepositoryIds": ["java.util.HashSet", [ "myjson" ]]
          }
        }
      }
    5. Restart Tomcat.
    6. Once the CAS server is deployed, add the following entry to the runcmd_env.sh file of the SAM server, then restart Tomcat and the SAM Presentation Server.

      SM_CAS_SERVER=http://<cas-server>:<port>

  3. Configure EDAA in HTTPS mode:
    To enable HTTPS (SSL) communication between the CAS server and SAM, follow this procedure:
    1. Create the key pair and export the certificate from the SAM installation, using the commands:
      /opt/InCharge/SAM/smarts/jre/bin/keytool -storetype JKS -genkey -alias tomcat -keyalg RSA -keystore /opt/InCharge/SAM/smarts/.keystore
      /opt/InCharge/SAM/smarts/jre/bin/keytool -storetype JKS -export -keystore /opt/InCharge/SAM/smarts/.keystore -alias tomcat -rfc > samtomcat.cert
    2. Create the key pair and export the certificate from the CAS server, using the commands:
      /opt/zulu11.45.52-sa-jre11.0.10-linux_x64/bin/keytool -storetype JKS -genkey -alias tomcat -keyalg RSA -keystore /opt/.keystore
      /opt/zulu11.45.52-sa-jre11.0.10-linux_x64/bin/keytool -storetype JKS -export -keystore /opt/.keystore -alias tomcat -rfc > castomcat.cert
      Note: /opt/zulu11.45.52-sa-jre11.0.10-linux_x64 is the JRE 11 installation location.
    3. Import the Domain Manager certificate into the CAS server keystore:
      /opt/zulu11.45.52-sa-jre11.0.10-linux_x64/bin/keytool -storetype JKS -import -file samtomcat.cert -alias samtomcat -keystore /opt/.keystore
      cp /opt/.keystore /opt/zulu11.45.52-sa-jre11.0.10-linux_x64/lib/security/cacerts
    4. Update the runcmd_env.sh file with the CAS Server and port details:
      SM_CAS_SERVER=https://<cas-server>:<port>
  4. Restart the CAS Tomcat.
  5. Restart the Domain Manager broker, the SAM Tomcat, and the SAM Presentation servers.
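A consistency check for the cas.properties and service registry values configured in step 2.4, added here as an example (not part of the original procedure or of the CAS project): it parses both files, verifies that the serviceId pattern matches the EDAA URL, flags a pattern that also admits unrelated origins, and flags attributeRepositoryIds that no configured attribute repository declares. The samples below are constructed from this page's values; the EDAA URL and the unrelated origin are assumed placeholders.

```python
import json
import re
# Constructed samples mirroring this procedure's values (read the real files in practice).
CAS_PROPERTIES = """
cas.server.name=http://localhost:8090
cas.authn.attribute-repository.stub.id=SAMPROF
cas.authn.attribute-repository.stub.attributes.SAM_PROFILE=admin-profile
"""
SERVICE_JSON = """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(http|https)://.*", "name" : "HTTP/HTTPS wildcard", "id" : 1001,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "attributeRepositoryIds" : ["java.util.HashSet", [ "myjson" ]] } } }"""

def parse_properties(text):
    """Minimal key=value parser for cas.properties (comments skipped, no ${} expansion)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def declared_repository_ids(props):
    """Ids declared as cas.authn.attribute-repository.<type>.id."""
    prefix = "cas.authn.attribute-repository."
    return {v for k, v in props.items() if k.startswith(prefix) and k.endswith(".id")}

def check_service(service_text, props, edaa_url, foreign_url="https://unrelated.example/"):
    """Return findings for one service definition; an empty list means it is consistent."""
    findings = []
    svc = json.loads(service_text)
    pattern = re.compile(svc["serviceId"])
    if not pattern.match(edaa_url):
        findings.append(f"serviceId does not match the EDAA URL {edaa_url}")
    if pattern.match(foreign_url):
        findings.append("serviceId matches unrelated origins too; restrict it to the SAM/EDAA host")
    repo = svc["attributeReleasePolicy"]["principalAttributesRepository"]
    wanted = set(repo["attributeRepositoryIds"][1])  # CAS writes sets as [javaType, [elements]]
    for missing in sorted(wanted - declared_repository_ids(props)):
        findings.append(f"attributeRepositoryIds references '{missing}', which cas.properties does not declare")
    return findings

if __name__ == "__main__":
    for finding in check_service(SERVICE_JSON, parse_properties(CAS_PROPERTIES), "https://sam.example:8443/smarts-edaa/"):
        print("WARNING:", finding)
```

Run against the page's own values it reports two findings: the wildcard serviceId and the id "myjson", which does not correspond to the stub repository id SAMPROF set in cas.properties.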