commit | author | age
|
0cc9a0
|
1 |
# keycloak-protocol-cas |
MP |
2 |
This plugin for Keycloak Identity and Access Management (http://www.keycloak.org) adds the CAS 3.0 SSO protocol as an available client protocol to the Keycloak system. It implements the required Service Provider Interfaces (SPIs) for a Login Protocol and will be picked up and made available by Keycloak automatically once installed. |
|
3 |
|
b8c874
|
4 |
[![Build Status](https://travis-ci.org/Doccrazy/keycloak-protocol-cas.svg?branch=master)](https://travis-ci.org/Doccrazy/keycloak-protocol-cas) |
MP |
5 |
|
1482f2
|
6 |
## Features |
0cc9a0
|
7 |
The following CAS features are currently implemented: |
MP |
8 |
* CAS 1.0/2.0/3.0 compliant Login/Logout and Service Ticket Validation |
b8c874
|
9 |
* Single Logout (SLO) |
0cc9a0
|
10 |
* Filtering of provided `service` against configured redirect URIs |
MP |
11 |
* JSON and XML response types |
|
12 |
* Mapping of custom user attributes to CAS assertion attributes |
|
13 |
|
b8c874
|
14 |
The following features are **currently missing**: |
4e2fd6
|
15 |
* #2: Proxy ticket service and proxy ticket validation [CAS 2.0] |
D |
16 |
* #1: SAML request/response [CAS 3.0 - optional] |
|
17 |
|
|
18 |
The following features are out of scope: |
0cc9a0
|
19 |
* Long-Term Tickets - Remember-Me [CAS 3.0 - optional] |
MP |
20 |
|
1482f2
|
21 |
## Installation |
0cc9a0
|
22 |
1. Clone or download this repository (pre-compiled releases will follow!) |
MP |
23 |
2. Run `mvn package` to build the plugin JAR |
086235
|
24 |
3. Copy the JAR file generated in the `target` folder into the `standalone/deployments` directory in your Keycloak server's root |
MP |
25 |
4. Restart Keycloak (optional, hot deployment should work) |
0cc9a0
|
26 |
|
1482f2
|
27 |
## Configuration |
D |
28 |
To use the new protocol, you have to create a client within Keycloak as usual. |
|
29 |
**Important: Due to [KEYCLOAK-4270](https://issues.jboss.org/browse/KEYCLOAK-4270), you have to select the `openid-connect` protocol when creating the client and change it after saving.** |
0cc9a0
|
30 |
As the CAS protocol does not transmit a client ID, the client will be identified by the redirect URIs (mapped to CAS service). No further configuration is necessary. |
MP |
31 |
|
|
32 |
Enter `https://your.keycloak.host/auth/realms/master/protocol/cas` as the CAS URL into your SP. |
|
33 |
|
1482f2
|
34 |
## Disclaimer |
D |
35 |
This plugin was implemented from scratch to comply to the official CAS protocol specification, and is based heavily on the OpenID Connect implementation in Keycloak. |
0cc9a0
|
36 |
It is licensed under the Apache License 2.0. |
MP |
37 |
|
1482f2
|
38 |
## References |
D |
39 |
[1] http://www.keycloak.org |
|
40 |
[2] https://issues.jboss.org/browse/KEYCLOAK-1047 (Support CAS 2.0 SSO protocol) |
|
41 |
[3] https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html |
0cc9a0
|
42 |
[4] https://keycloak.gitbooks.io/server-developer-guide/content/topics/providers.html |