modules/keycloak-protocol-cas

github-actions

2024-10-24 9728128e602989c83dc254ae40a14db75d2cd040

commit \| author \| age
0cc9a0	1	# keycloak-protocol-cas
MP	2
5dc37d	3	This plugin for Keycloak Identity and Access Management (http://www.keycloak.org) adds the CAS 3.0 SSO protocol
JK	4	as an available client protocol to the Keycloak system. It implements the required Service Provider Interfaces (SPIs)
	5	for a Login Protocol and will be picked up and made available by Keycloak automatically once installed.
	6
	7	![Build status](https://github.com/jacekkow/keycloak-protocol-cas/workflows/Release/badge.svg)
b8c874	8
1482f2	9	## Features
5dc37d	10
0cc9a0	11	The following CAS features are currently implemented:
MP	12	* CAS 1.0/2.0/3.0 compliant Login/Logout and Service Ticket Validation
b8c874	13	* Single Logout (SLO)
0cc9a0	14	* Filtering of provided `service` against configured redirect URIs
MP	15	* JSON and XML response types
	16	* Mapping of custom user attributes to CAS assertion attributes
	17
5dc37d	18	The following features are missing:
JK	19	* SAML request/response [CAS 3.0 - optional]
4e2fd6	20
D	21	The following features are out of scope:
0cc9a0	22	* Long-Term Tickets - Remember-Me [CAS 3.0 - optional]
MP	23
3f0be1	24	## Compatibility
ea64d6	25
5dc37d	26	The CAS plugin has been tested against the same Keycloak version as the plugin version.
JK	27
	28	As a rule of thumb plugin version should match your Keycloak version.
3f0be1	29
D	30	## Installation
5dc37d	31
de93e7	32	Quarkus is the default distribution method of Keycloak 17.0.0 and newer. For legacy installations using WildFly, please refer to the [old README](https://github.com/jacekkow/keycloak-protocol-cas/blob/16.1.1/README.md).
ea64d6	33
5dc37d	34	1. Download the latest release compatible with your Keycloak version from the [releases page](https://github.com/jacekkow/keycloak-protocol-cas/releases).
bedb96	35	2. Put the downloaded JAR file into the `providers/` directory inside Keycloak installation folder. If necessary, adjust the permissions/ownership so that the user Keycloak runs as is able to read this file.
de93e7	36	3. Stop the Keycloak server.
JK	37	4. (Re-)build the installation using `kc.sh build` command.
	38	5. Start the Keycloak: `kc.sh start`
5dc37d	39
JK	40	Remember to update plugin artifact with each Keycloak server upgrade!
0cc9a0	41
1482f2	42	## Configuration
5dc37d	43
JK	44	To use the new protocol, you have to create a client within Keycloak as usual, selecting `cas` as protocol.
	45	As there is no client ID indication in protocol, the client will be identified by the redirect URIs
	46	configured in Keycloak.
0cc9a0	47
de93e7	48	Enter `https://your.keycloak.host/realms/master/protocol/cas` as the CAS URL into your SP.
222474	49	This assumes that you use the default `master` realm - if not, modify the URL accordingly.
JK	50
	51	Note that some client implementations require you to enter login and validate URLs, not CAS URL!
	52	This manifests with "Page Not Found" error on login attempt
	53	(see [issue #27](https://github.com/jacekkow/keycloak-protocol-cas/issues/27) for example).
	54	In such case append `/login` to the CAS URL to get the "login URL".
	55	Similarly append `/serviceValidate` to get the "validate URL".
0cc9a0	56
1482f2	57	## Disclaimer
5dc37d	58
JK	59	This plugin was implemented from scratch to comply to the official CAS protocol specification,
	60	and is based heavily on the OpenID Connect implementation in Keycloak.
0cc9a0	61	It is licensed under the Apache License 2.0.
MP	62
5dc37d	63	This repo is a fork of https://github.com/Doccrazy/keycloak-protocol-cas
JK	64	and includes changes for Keycloak 8 and newer that were not merged by the owner for half a year.
	65
1482f2	66	## References
222474	67
JK	68	[1] https://www.keycloak.org/
5dc37d	69	[2] https://issues.jboss.org/browse/KEYCLOAK-1047 (Support CAS 2.0 SSO protocol)
JK	70	[3] https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html
0cc9a0	71	[4] https://keycloak.gitbooks.io/server-developer-guide/content/topics/providers.html