From fb26284c00e09e656732eb7ca4570afd052e0067 Mon Sep 17 00:00:00 2001 From: Jacek Kowalski <Jacek@jacekk.info> Date: Fri, 21 Jun 2024 11:47:01 +0000 Subject: [PATCH] Improve error reporting in CAS ticket validation --- README.md | 66 ++++++++++++++++++++++---------- 1 files changed, 45 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 75d085e..ac27566 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,13 @@ # keycloak-protocol-cas -This plugin for Keycloak Identity and Access Management (http://www.keycloak.org) adds the CAS 3.0 SSO protocol as an available client protocol to the Keycloak system. It implements the required Service Provider Interfaces (SPIs) for a Login Protocol and will be picked up and made available by Keycloak automatically once installed. -[![Build Status](https://travis-ci.org/Doccrazy/keycloak-protocol-cas.svg?branch=master)](https://travis-ci.org/Doccrazy/keycloak-protocol-cas) +This plugin for Keycloak Identity and Access Management (http://www.keycloak.org) adds the CAS 3.0 SSO protocol +as an available client protocol to the Keycloak system. It implements the required Service Provider Interfaces (SPIs) +for a Login Protocol and will be picked up and made available by Keycloak automatically once installed. + +![Build status](https://github.com/jacekkow/keycloak-protocol-cas/workflows/Release/badge.svg) ## Features + The following CAS features are currently implemented: * CAS 1.0/2.0/3.0 compliant Login/Logout and Service Ticket Validation * Single Logout (SLO) @@ -11,38 +15,58 @@ * JSON and XML response types * Mapping of custom user attributes to CAS assertion attributes -The following features are **currently missing**: -* #2: Proxy ticket service and proxy ticket validation [CAS 2.0] -* #1: SAML request/response [CAS 3.0 - optional] +The following features are **missing**: +* SAML request/response [CAS 3.0 - optional] +* Proxy ticket service and proxy ticket validation [CAS 2.0] The following features are out of scope: * Long-Term Tickets - Remember-Me [CAS 3.0 - optional] +## Compatibility + +The CAS plugin has been tested against the same Keycloak version as the plugin version. + +As a rule of thumb plugin version should **match your Keycloak version**. + ## Installation -The CAS plugin has been tested against the following Keycloak versions. Please ensure your version is compatible before deploying. -Please report test results with other versions! -Plugin version | Keycloak 2.5.x | Keycloak 3.0.x | Keycloak 3.1.x | Keycloak 3.2.x ------------- | ------------- | ------------- | ------------- | ------------- -1.0.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: +Quarkus is the default distribution method of Keycloak 17.0.0 and newer. For legacy installations using WildFly, please refer to the [old README](https://github.com/jacekkow/keycloak-protocol-cas/blob/16.1.1/README.md). -1. Download the latest release compatible with your Keycloak version from the [releases page](https://github.com/Doccrazy/keycloak-protocol-cas/releases) -2. Copy the JAR file into the `standalone/deployments` directory in your Keycloak server's root -3. Restart Keycloak (optional, hot deployment should work) +1. Download the latest release compatible with your Keycloak version from the [releases page](https://github.com/jacekkow/keycloak-protocol-cas/releases). +2. Put the downloaded JAR file into the `providers/` directory inside Keycloak installation folder. +3. Stop the Keycloak server. +4. (Re-)build the installation using `kc.sh build` command. +5. Start the Keycloak: `kc.sh start` + +Remember to update plugin artifact with each Keycloak server upgrade! ## Configuration -To use the new protocol, you have to create a client within Keycloak as usual. -**Important: Due to [KEYCLOAK-4270](https://issues.jboss.org/browse/KEYCLOAK-4270), you may have to select the `openid-connect` protocol when creating the client and change it after saving. This has been fixed in Keycloak 3.0.0.** -As the CAS protocol does not transmit a client ID, the client will be identified by the redirect URIs (mapped to CAS service). No further configuration is necessary. -Enter `https://your.keycloak.host/auth/realms/master/protocol/cas` as the CAS URL into your SP. +To use the new protocol, you have to create a client within Keycloak as usual, selecting `cas` as protocol. +As there is no client ID indication in protocol, the client will be identified by the redirect URIs +configured in Keycloak. + +Enter `https://your.keycloak.host/realms/master/protocol/cas` as the CAS URL into your SP. +This assumes that you use the default `master` realm - if not, modify the URL accordingly. + +Note that some client implementations require you to enter login and validate URLs, not CAS URL! +This manifests with "Page Not Found" error on login attempt +(see [issue #27](https://github.com/jacekkow/keycloak-protocol-cas/issues/27) for example). +In such case append `/login` to the CAS URL to get the "login URL". +Similarly append `/serviceValidate` to get the "validate URL". ## Disclaimer -This plugin was implemented from scratch to comply to the official CAS protocol specification, and is based heavily on the OpenID Connect implementation in Keycloak. + +This plugin was implemented from scratch to comply to the official CAS protocol specification, +and is based heavily on the OpenID Connect implementation in Keycloak. It is licensed under the Apache License 2.0. +This repo is a fork of https://github.com/Doccrazy/keycloak-protocol-cas +and includes changes for Keycloak 8 and newer that were not merged by the owner for half a year. + ## References -[1] http://www.keycloak.org -[2] https://issues.jboss.org/browse/KEYCLOAK-1047 (Support CAS 2.0 SSO protocol) -[3] https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html + +[1] https://www.keycloak.org/ +[2] https://issues.jboss.org/browse/KEYCLOAK-1047 (Support CAS 2.0 SSO protocol) +[3] https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html [4] https://keycloak.gitbooks.io/server-developer-guide/content/topics/providers.html -- Gitblit v1.9.1