修改 cas 插件以支持 OAuth 对接。基于北京大学赖清楠老师实现的版本,进一步修改优化,感谢北京大学 CARSI 项目组团队的前期工作。
3.3.0-oauth 只能支持 shibboleth 3.4.6 以上版本。
如使用 shibboleth 3.4.3 ,则请使用 3.2.4-oauth 版本插件。
下载相关的 cas-client-core-3.6.0.jar 和 shib-cas-authenticator-3.3.0-oauth.jar 文件备用。
下载 no-conversation-state.jsp 文件备用
以下假定 IDP_HOME = /opt/shibboleth-idp/
首先确保 IdP 是 3.4.6 以上版
- 把下载的
no-conversation-state.jsp放入/opt/shibboleth-idp/edit-webapp中 - 把下载的
cas-client-core-3.6.0.jar和shib-cas-authenticator-3.3.0-oauth.jar放入/opt/shibboleth-idp/edit-webapp/WEB-INF/lib中 - 将
/opt/shibboleth-idp/dist/webapp/WEB-INF/web.xml拷贝到/opt/shibboleth-idp/edit-webapp/WEB-INF/web.xml
cp /opt/shibboleth-idp/dist/webapp/WEB-INF/web.xml /opt/shibboleth-idp/edit-webapp/WEB-INF/web.xml
- 修改
/opt/shibboleth-idp/edit-webapp/WEB-INF/web.xml增加以下部分
...
<!-- Servlet for receiving a callback from an external CAS Server and continues the IdP login flow -->
<servlet>
<servlet-name>ShibCas Auth Servlet</servlet-name>
<servlet-class>net.unicon.idp.externalauth.ShibcasAuthServlet</servlet-class>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>ShibCas Auth Servlet</servlet-name>
<url-pattern>/Authn/External/*</url-pattern>
</servlet-mapping>
...
- 修改
idp.properties配置文件(大多数情况下只需要修改shibcas.oauth2UrlPrefix,shibcas.serverName,shibcas.oauth2clientid 与shibcas.oauth2clientsecret)
idp.authn.flows=External
# 新增
# oauth 的地址
shibcas.oauth2UrlPrefix = https://oauth.xxx.edu.cn
# oauth 的 authorize 发起请求的 url
shibcas.oauth2LoginUrl = ${shibcas.oauth2UrlPrefix}/oauth/v1/authorize?response_type=code&client_id=${shibcas.oauth2clientid}&state=xyz
# idp 的地址
shibcas.serverName = https://idp.xxx.edu.cn
# oauth 换取 token 的地址
shibcas.oauth2TokenUrl = ${shibcas.oauth2UrlPrefix}/oauth/v1/token
# oauth 获取用户信息的地址
shibcas.oauth2ResourceUrl = ${shibcas.oauth2UrlPrefix}/oauth/v1/userinfo
# oauth 的 client_id
shibcas.oauth2clientid = testcient
# oauth 的 client_secret
shibcas.oauth2clientsecret = testpass
# redirect uri
shibcas.oauth2redirecturi = ${shibcas.serverName}/idp/Authn/External?conversation=e1s1
# 新增
# redirect uri 的前缀
shibcas.oauth2redirecturiBase = ${shibcas.serverName}/idp/Authn/External
# 返回属性中,标识用户名的字段
shibcas.oauth2principalname = uid
- 运行
/opt/shibboleth-idp/bin/build.sh重新编译 idp 即可
首先确认 idp 已经升级到 3.4.6
- 修改
web.xml,调整为如下
...
<!-- Servlet for receiving a callback from an external CAS Server and continues the IdP login flow -->
<servlet>
<servlet-name>ShibCas Auth Servlet</servlet-name>
<servlet-class>net.unicon.idp.externalauth.ShibcasAuthServlet</servlet-class>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>ShibCas Auth Servlet</servlet-name>
<url-pattern>/Authn/External/*</url-pattern>
</servlet-mapping>
...
- 修改
idp.properties配置文件,将 flow 修改为 Externalidp.authn.flows=External - 删除
/opt/shibboleth-idp/conf/authn/general-authn.xml中新增的 bean 内容,例如:
<bean id="authn/Shiboauth2" parent="shibboleth.AuthenticationFlow"
p:passiveAuthenticationSupported="true"
p:forcedAuthenticationSupported="true"
p:nonBrowserSupported="false" />
- 删除
/opt/shibboleth-idp/flows/authn/Shiboauth2/文件夹 - 删除
/opt/shibboleth-idp/edit-webapp/WEB-INF/lib中老版本的 jar 包,更新为cas-client-core-3.6.0.jar和shib-cas-authenticator-3.3.0-oauth.jar - 运行
/opt/shibboleth-idp/bin/build.sh重新编译 idp 即可
xsi:type="SubjectDerivedAttribute" 为从插件中获取属性的配置,例如下面的示例表示,从 OAuth 中获取的 role 属性,映射为 shibboleth 中的 eduPersonScopedAffiliation
<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver
xmlns="urn:mace:shibboleth:2.0:resolver"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
<AttributeDefinition xsi:type="SubjectDerivedAttribute" id="eduPersonScopedAffiliation" principalAttributeName="role" >
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
</AttributeDefinition>
</AttributeResolver>