commit | author | age
|
0cc9a0
|
1 |
# keycloak-protocol-cas |
MP |
2 |
|
5dc37d
|
3 |
This plugin for Keycloak Identity and Access Management (http://www.keycloak.org) adds the CAS 3.0 SSO protocol |
JK |
4 |
as an available client protocol to the Keycloak system. It implements the required Service Provider Interfaces (SPIs) |
|
5 |
for a Login Protocol and will be picked up and made available by Keycloak automatically once installed. |
|
6 |
|
|
7 |
![Build status](https://github.com/jacekkow/keycloak-protocol-cas/workflows/Release/badge.svg) |
b8c874
|
8 |
|
1482f2
|
9 |
## Features |
5dc37d
|
10 |
|
0cc9a0
|
11 |
The following CAS features are currently implemented: |
MP |
12 |
* CAS 1.0/2.0/3.0 compliant Login/Logout and Service Ticket Validation |
b8c874
|
13 |
* Single Logout (SLO) |
0cc9a0
|
14 |
* Filtering of provided `service` against configured redirect URIs |
MP |
15 |
* JSON and XML response types |
|
16 |
* Mapping of custom user attributes to CAS assertion attributes |
|
17 |
|
5dc37d
|
18 |
The following features are **missing**: |
JK |
19 |
* SAML request/response [CAS 3.0 - optional] |
|
20 |
* Proxy ticket service and proxy ticket validation [CAS 2.0] |
4e2fd6
|
21 |
|
D |
22 |
The following features are out of scope: |
0cc9a0
|
23 |
* Long-Term Tickets - Remember-Me [CAS 3.0 - optional] |
MP |
24 |
|
3f0be1
|
25 |
## Compatibility |
ea64d6
|
26 |
|
5dc37d
|
27 |
The CAS plugin has been tested against the same Keycloak version as the plugin version. |
JK |
28 |
|
|
29 |
As a rule of thumb plugin version should **match your Keycloak version**. |
3f0be1
|
30 |
|
D |
31 |
## Installation |
5dc37d
|
32 |
|
de93e7
|
33 |
Quarkus is the default distribution method of Keycloak 17.0.0 and newer. For legacy installations using WildFly, please refer to the [old README](https://github.com/jacekkow/keycloak-protocol-cas/blob/16.1.1/README.md). |
ea64d6
|
34 |
|
5dc37d
|
35 |
1. Download the latest release compatible with your Keycloak version from the [releases page](https://github.com/jacekkow/keycloak-protocol-cas/releases). |
bedb96
|
36 |
2. Put the downloaded JAR file into the `providers/` directory inside Keycloak installation folder. If necessary, adjust the permissions/ownership so that the user Keycloak runs as is able to read this file. |
de93e7
|
37 |
3. Stop the Keycloak server. |
JK |
38 |
4. (Re-)build the installation using `kc.sh build` command. |
|
39 |
5. Start the Keycloak: `kc.sh start` |
5dc37d
|
40 |
|
JK |
41 |
Remember to update plugin artifact with each Keycloak server upgrade! |
0cc9a0
|
42 |
|
1482f2
|
43 |
## Configuration |
5dc37d
|
44 |
|
JK |
45 |
To use the new protocol, you have to create a client within Keycloak as usual, selecting `cas` as protocol. |
|
46 |
As there is no client ID indication in protocol, the client will be identified by the redirect URIs |
|
47 |
configured in Keycloak. |
0cc9a0
|
48 |
|
de93e7
|
49 |
Enter `https://your.keycloak.host/realms/master/protocol/cas` as the CAS URL into your SP. |
222474
|
50 |
This assumes that you use the default `master` realm - if not, modify the URL accordingly. |
JK |
51 |
|
|
52 |
Note that some client implementations require you to enter login and validate URLs, not CAS URL! |
|
53 |
This manifests with "Page Not Found" error on login attempt |
|
54 |
(see [issue #27](https://github.com/jacekkow/keycloak-protocol-cas/issues/27) for example). |
|
55 |
In such case append `/login` to the CAS URL to get the "login URL". |
|
56 |
Similarly append `/serviceValidate` to get the "validate URL". |
0cc9a0
|
57 |
|
1482f2
|
58 |
## Disclaimer |
5dc37d
|
59 |
|
JK |
60 |
This plugin was implemented from scratch to comply to the official CAS protocol specification, |
|
61 |
and is based heavily on the OpenID Connect implementation in Keycloak. |
0cc9a0
|
62 |
It is licensed under the Apache License 2.0. |
MP |
63 |
|
5dc37d
|
64 |
This repo is a fork of https://github.com/Doccrazy/keycloak-protocol-cas |
JK |
65 |
and includes changes for Keycloak 8 and newer that were not merged by the owner for half a year. |
|
66 |
|
1482f2
|
67 |
## References |
222474
|
68 |
|
JK |
69 |
[1] https://www.keycloak.org/ |
5dc37d
|
70 |
[2] https://issues.jboss.org/browse/KEYCLOAK-1047 (Support CAS 2.0 SSO protocol) |
JK |
71 |
[3] https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html |
0cc9a0
|
72 |
[4] https://keycloak.gitbooks.io/server-developer-guide/content/topics/providers.html |