By default, EDAA is unauthenticated. You can use an external CAS server to provide authentication for EDAA.

To enable authentication for EDAA, follow this procedure.


  1. To build CAS:
    1. Download cas-overlay-template from,
    2. Include the following extension modules in the Gradle build:
      org.tuckey:urlrewritefilter:4.0.4 (Note: This is required to enable URL rewriting, which redirects the login call from EDAA, that is, from /cas/realm-login to /cas/login.)
    3. Build CAS and generate the keystore/certificate (follow the readme provided by CAS).
  2. Procedure to deploy:
    1. Deploy the cas.war that you built in Tomcat 9 (install your own version of Tomcat for CAS), and use Java 11 as JRE_HOME. (It is important to set Java 11 as JRE_HOME because CAS 6.5 needs Java 11 to run.)
    2. Enable URL rewriting by updating the filters in web.xml and adding urlrewrite.xml (this step is important because the login URL cas/realm-login is hard-coded in EDAA):
      <?xml version="1.0" encoding="utf-8"?>
      <!DOCTYPE urlrewrite PUBLIC "-// UrlRewrite 4.0//EN"
                      <to last="true" type="redirect">%{context-path}/login</to>
    3. Copy the generated keystore/certificate files (that is, cas.crt and the keystore) to /etc/cas/ and copy to /etc/cas/config/.
    4. Update /etc/cas/config/ with the following properties:
      Create the following service registry JSON file under /etc/cas/services/:
        "@class" : "",
        "serviceId" : "^(http|https)://.*",
        "name" : "HTTP/HTTPS wildcard",
        "id" : 1001,
        "attributeReleasePolicy" : {
          "@class" : "",
          "principalAttributesRepository" : {
            "@class" : "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
            "attributeRepositoryIds": ["java.util.HashSet", [ "myjson" ]]
    5. Restart Tomcat.
    6. Once the CAS server is deployed, you must add the following entry in the file of the SAM server and restart Tomcat and the Presentation SAM Server.


  3. Configure EDAA in HTTPS mode:
    To enable HTTPS (SSL) communication between the CAS Server and the SAM, follow this procedure:
    1. Export the certificate from the SAM Install, using the commands:
      /opt/InCharge/SAM/smarts/jre/bin/keytool -storetype JKS -genkey -alias tomcat -keyalg RSA -keystore /opt/InCharge/SAM/smarts/.keystore
      /opt/InCharge/SAM/smarts/jre/bin/keytool -storetype JKS -export -keystore /opt/InCharge/SAM/smarts/.keystore -alias tomcat -rfc > samtomcat.cert
    2. Export the certificate from the CAS Server using the commands:
      /opt/zulu11.45.52-sa-jre11.0.10-linux_x64/bin/keytool -storetype JKS -genkey -alias tomcat -keyalg RSA -keystore /opt/.keystore
      /opt/zulu11.45.52-sa-jre11.0.10-linux_x64/bin/keytool -storetype JKS -export -keystore /opt/.keystore -alias tomcat -rfc > castomcat.cert
      Note: /opt/zulu11.45.52-sa-jre11.0.10-linux_x64 is the location where JRE 11 is installed.
    3. Import the certificates from Domain Manager to the CAS Server keystore:
      /opt/zulu11.45.52-sa-jre11.0.10-linux_x64/bin/keytool -storetype JKS -import -file samtomcat.cert -alias samtomcat -keystore /opt/.keystore
      cp /opt/.keystore /opt/zulu11.45.52-sa-jre11.0.10-linux_x64/lib/security/cacerts
    4. Update the file with the CAS Server and port details:
  4. Restart the CAS Tomcat.
  5. Restart the Domain Manager broker, SAM Tomcat, and SAM Presentation servers.
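
The serviceId pattern in the service registry file from step 2.4 determines which applications CAS will authenticate, and ^(http|https)://.* matches any HTTP or HTTPS URL. The following check is an added example, not part of the original procedure or of CAS: it tests a definition's serviceId against constructed probe URLs. The host sam.example.internal, the ports, the finding names and the scoped pattern are assumptions, and Python's re.search stands in for CAS's Java regex matching.

```python
import json
import re
import sys
from pathlib import Path

# Placeholder (assumption) for the host that serves EDAA/SAM; replace with the real one.
INTENDED_HOST = "sam.example.internal"

# Constructed probe URLs: the one service that should log in, and three that should not.
PROBES = {
    "intended-https": f"https://{INTENDED_HOST}:8443/app",
    "intended-http": f"http://{INTENDED_HOST}:8080/app",
    "foreign-host": "https://unrelated.example.net/cb",
    "lookalike-host": f"https://{INTENDED_HOST}.example.net/cb",
}

def audit_service(definition_text):
    """Return the findings for one service definition (strict JSON text)."""
    service = json.loads(definition_text)
    # Assumption: re.search approximates how CAS evaluates the Java regex in serviceId.
    pattern = re.compile(service["serviceId"])
    matched = {name for name, url in PROBES.items() if pattern.search(url)}
    findings = []
    if "intended-https" not in matched:
        findings.append("does-not-match-intended-service")
    if "intended-http" in matched:
        findings.append("accepts-plain-http")
    if matched & {"foreign-host", "lookalike-host"}:
        findings.append("accepts-other-hosts")
    return findings

def audit_directory(path):
    """Audit every *.json file in a registry directory such as /etc/cas/services/."""
    return {f.name: audit_service(f.read_text()) for f in sorted(Path(path).glob("*.json"))}

# Constructed samples holding only the fields this check reads.
WILDCARD = r'{"serviceId": "^(http|https)://.*", "name": "HTTP/HTTPS wildcard", "id": 1001}'
SCOPED = r'{"serviceId": "^https://sam\\.example\\.internal(:\\d+)?(/.*)?$", "name": "SAM only", "id": 1002}'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Audit a real registry directory passed on the command line.
        for name, findings in audit_directory(sys.argv[1]).items():
            print(name, findings or "ok")
    else:
        print("wildcard:", audit_service(WILDCARD))
        print("scoped:  ", audit_service(SCOPED))
```

Run it with the registry directory as the only argument to audit the deployed definitions; files that use HJSON comments need those stripped first, because the script parses strict JSON.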