From 755fd78fa0ee0f2a67417a119382c63e02c1091e Mon Sep 17 00:00:00 2001 From: Alexandre Rocha Wendling <alexandrerw@celepar.pr.gov.br> Date: Tue, 16 Jul 2024 14:15:23 +0000 Subject: [PATCH] Proxy ticket service and proxy ticket validation Proxy endpoints improvements suggested by Jacek Kowalski Add ticket type to storage key Rename isreuse to isReusable Remove "parsing" of "codeUUID" that is String, not UUID Improve error reporting in CAS ticket validation --- README.md | 64 +++++++++++++++++++++----------- 1 files changed, 42 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index a95e6bb..3c48f4b 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,13 @@ # keycloak-protocol-cas -This plugin for Keycloak Identity and Access Management (http://www.keycloak.org) adds the CAS 3.0 SSO protocol as an available client protocol to the Keycloak system. It implements the required Service Provider Interfaces (SPIs) for a Login Protocol and will be picked up and made available by Keycloak automatically once installed. -[](https://travis-ci.org/Doccrazy/keycloak-protocol-cas) +This plugin for Keycloak Identity and Access Management (http://www.keycloak.org) adds the CAS 3.0 SSO protocol +as an available client protocol to the Keycloak system. It implements the required Service Provider Interfaces (SPIs) +for a Login Protocol and will be picked up and made available by Keycloak automatically once installed. + + ## Features + The following CAS features are currently implemented: * CAS 1.0/2.0/3.0 compliant Login/Logout and Service Ticket Validation * Single Logout (SLO) @@ -11,41 +15,57 @@ * JSON and XML response types * Mapping of custom user attributes to CAS assertion attributes -The following features are **currently missing**: -* [#1](/../../issues/1): SAML request/response [CAS 3.0 - optional] -* [#2](/../../issues/2): Proxy ticket service and proxy ticket validation [CAS 2.0] +The following features are **missing**: +* SAML request/response [CAS 3.0 - optional] The following features are out of scope: * Long-Term Tickets - Remember-Me [CAS 3.0 - optional] ## Compatibility -The CAS plugin has been tested against the following Keycloak versions. Please ensure your version is compatible before deploying. -Please report test results with other versions! -* For Keycloak **2.5.x, 3.0.x and 3.1.x** please use plugin version **1.0.0** -* For Keycloak **3.2.x, 3.3.x and 3.4.0** please use plugin version **2.1.0** -* Starting from Keycloak **3.4.3**, the plugin version should **match your Keycloak version** +The CAS plugin has been tested against the same Keycloak version as the plugin version. + +As a rule of thumb plugin version should **match your Keycloak version**. ## Installation -Installation of a compatible plugin version is simple and can be done without a Keycloak server restart. -1. Download the latest release compatible with your Keycloak version from the [releases page](https://github.com/Doccrazy/keycloak-protocol-cas/releases) -2. Copy the JAR file into the `standalone/deployments` directory in your Keycloak server's root -3. Restart Keycloak (optional, hot deployment should work) +Quarkus is the default distribution method of Keycloak 17.0.0 and newer. For legacy installations using WildFly, please refer to the [old README](https://github.com/jacekkow/keycloak-protocol-cas/blob/16.1.1/README.md). + +1. Download the latest release compatible with your Keycloak version from the [releases page](https://github.com/jacekkow/keycloak-protocol-cas/releases). +2. Put the downloaded JAR file into the `providers/` directory inside Keycloak installation folder. If necessary, adjust the permissions/ownership so that the user Keycloak runs as is able to read this file. +3. Stop the Keycloak server. +4. (Re-)build the installation using `kc.sh build` command. +5. Start the Keycloak: `kc.sh start` + +Remember to update plugin artifact with each Keycloak server upgrade! ## Configuration -To use the new protocol, you have to create a client within Keycloak as usual. -**Important: Due to [KEYCLOAK-4270](https://issues.jboss.org/browse/KEYCLOAK-4270), you may have to select the `openid-connect` protocol when creating the client and change it after saving. This has been fixed in Keycloak 3.0.0.** -As the CAS protocol does not transmit a client ID, the client will be identified by the redirect URIs (mapped to CAS service). No further configuration is necessary. -Enter `https://your.keycloak.host/auth/realms/master/protocol/cas` as the CAS URL into your SP. +To use the new protocol, you have to create a client within Keycloak as usual, selecting `cas` as protocol. +As there is no client ID indication in protocol, the client will be identified by the redirect URIs +configured in Keycloak. + +Enter `https://your.keycloak.host/realms/master/protocol/cas` as the CAS URL into your SP. +This assumes that you use the default `master` realm - if not, modify the URL accordingly. + +Note that some client implementations require you to enter login and validate URLs, not CAS URL! +This manifests with "Page Not Found" error on login attempt +(see [issue #27](https://github.com/jacekkow/keycloak-protocol-cas/issues/27) for example). +In such case append `/login` to the CAS URL to get the "login URL". +Similarly append `/serviceValidate` to get the "validate URL". ## Disclaimer -This plugin was implemented from scratch to comply to the official CAS protocol specification, and is based heavily on the OpenID Connect implementation in Keycloak. + +This plugin was implemented from scratch to comply to the official CAS protocol specification, +and is based heavily on the OpenID Connect implementation in Keycloak. It is licensed under the Apache License 2.0. +This repo is a fork of https://github.com/Doccrazy/keycloak-protocol-cas +and includes changes for Keycloak 8 and newer that were not merged by the owner for half a year. + ## References -[1] http://www.keycloak.org -[2] https://issues.jboss.org/browse/KEYCLOAK-1047 (Support CAS 2.0 SSO protocol) -[3] https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html + +[1] https://www.keycloak.org/ +[2] https://issues.jboss.org/browse/KEYCLOAK-1047 (Support CAS 2.0 SSO protocol) +[3] https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html [4] https://keycloak.gitbooks.io/server-developer-guide/content/topics/providers.html -- Gitblit v1.9.1