Google Apps for Education (or any of the Google Apps) uses SAML 2.0 as the integration point for external authentication services. CAS 3.1 includes an "ArgumentExtractor" and an accompanying "Service" implementation that recognise and process the SAML 2.0 authentication requests Google sends.
The integration with Google Accounts is based on the documentation provided by Google.
Step 1 - Generate DSA/RSA Keys

The first step is to generate an RSA (or DSA) public/private key pair. The private key is used by CAS to sign the SAML Assertions it issues; the public key, registered with Google as an X.509 certificate, is what Google uses to verify those signatures. After you have generated your keys, you will need to register the certificate with Google. The keys must also be readable by the CAS application, but must never be served over the Internet. We recommend you place the keys within your classpath (i.e. WEB-INF/classes, which the servlet container does not serve directly), though any location readable by the user running the web server instance is acceptable:

openssl genrsa -out private.key 2048
openssl rsa -pubout -in private.key -out public.key -inform PEM -outform DER
openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in private.key -out private.p8
openssl req -new -x509 -key private.key -out x509.pem -days 365

The original instructions generated a 1024-bit key; 1024-bit RSA is below current recommendations, so 2048 bits is used here. Note that private.p8 is written unencrypted (-nocrypt) because CAS loads it directly, so protect it with file-system permissions.

The public.key (DER-encoded public key) and private.p8 (DER-encoded PKCS#8 private key) go into your classpath. The x509.pem certificate is the file you upload into Google Apps.

Step 2 - Configure CAS Server

Google Accounts integration within CAS is enabled by adding an additional "ArgumentExtractor" to the list of ArgumentExtractors. An ArgumentExtractor attempts to obtain a Service from the incoming request; each ArgumentExtractor is responsible for understanding one type of Service. Edit WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml and add the following:

<bean
    name="googleAccountsArgumentExtractor"
    class="org.jasig.cas.web.support.GoogleAccountsArgumentExtractor"
    p:privateKey-ref="privateKeyFactoryBean"
    p:publicKey-ref="publicKeyFactoryBean" />

Reference it from the list of ArgumentExtractors, so that the list looks something like this:

<util:list id="argumentExtractors">
    <ref bean="casArgumentExtractor" />
    <ref bean="samlArgumentExtractor" />
    <ref bean="googleAccountsArgumentExtractor" />
</util:list>

You will also need to define the beans that load the keys from the files. You do that as follows:

<bean id="privateKeyFactoryBean"
    class="org.jasig.cas.util.PrivateKeyFactoryBean"
    p:location="classpath:private.p8"
    p:algorithm="RSA" />

<bean id="publicKeyFactoryBean"
    class="org.jasig.cas.util.PublicKeyFactoryBean"
    p:location="classpath:public.key"
    p:algorithm="RSA" />

Replace private.p8 and public.key with the names of your key files. If they are not available on the classpath, change the location to point at the keys (for example a file: resource path). If you generated DSA keys instead of RSA, change the algorithm to DSA.

Step 3 - Configure Google

The final step is to configure Google. You will need to provide Google with the URL of your SAML-based SSO service, as well as the URL your users will be redirected to when they log out of a hosted Google application. If you wish to use a Google email username that differs from your CAS userid, please read Google Apps from MS-AD using the 'mail' attribute. Although written for MS-AD, it applies to any LDAP directory.
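The following script is an added example and is not part of the CAS documentation or the CAS code base. It runs the four openssl steps from Step 1 (with a 2048-bit key) into a directory of your choosing and then checks what the page leaves implicit: that private.p8 (the file CAS loads), public.key (the file CAS loads), x509.pem (the file Google receives) and the PEM private key all carry the same RSA modulus, and that a signature made with the private key verifies with the DER public key. A mismatch here is the usual cause of Google rejecting every assertion after a key rotation. The output directory, the host name in the certificate subject and the sample payload are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not CAS project code. Assumes openssl is on PATH.

# cas_google_keys DIR [CN]
#   Writes private.key, public.key (DER), private.p8 (PKCS#8 DER) and
#   x509.pem into DIR (the same four artifacts as Step 1), then prints
#   "match" if every file belongs to the same key pair, "mismatch" otherwise.
cas_google_keys() {
    dir=$1
    cn=${2:-cas.example.org}   # hypothetical host name for the self-signed cert
    mkdir -p "$dir"

    openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
    openssl rsa -pubout -in "$dir/private.key" -out "$dir/public.key" \
        -inform PEM -outform DER 2>/dev/null
    openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
        -in "$dir/private.key" -out "$dir/private.p8"
    openssl req -new -x509 -key "$dir/private.key" -out "$dir/x509.pem" \
        -days 365 -subj "/CN=$cn" 2>/dev/null

    # The PKCS#8 copy is unencrypted (-nocrypt); only the CAS user should read it.
    chmod 600 "$dir/private.key" "$dir/private.p8"

    verify_keypair "$dir"
}

# verify_keypair DIR
#   Cross-checks the modulus of the PEM private key, the PKCS#8 DER copy,
#   the DER public key and the certificate, then does a sign/verify round
#   trip from private key to DER public key. Prints "match" or "mismatch".
verify_keypair() {
    dir=$1
    m_priv=$(openssl rsa -in "$dir/private.key" -noout -modulus)
    # pkcs8 without -topk8 converts the PKCS#8 DER back to a traditional PEM key.
    m_p8=$(openssl pkcs8 -inform DER -nocrypt -in "$dir/private.p8" \
           | openssl rsa -noout -modulus)
    m_pub=$(openssl rsa -pubin -inform DER -in "$dir/public.key" -noout -modulus)
    m_cert=$(openssl x509 -in "$dir/x509.pem" -noout -modulus)

    if [ -z "$m_priv" ] || [ "$m_priv" != "$m_p8" ] || \
       [ "$m_priv" != "$m_pub" ] || [ "$m_priv" != "$m_cert" ]; then
        echo mismatch
        return 1
    fi

    # Constructed sample payload standing in for a SAML Response to be signed.
    printf 'constructed sample assertion' > "$dir/sample.txt"
    openssl dgst -sha256 -sign "$dir/private.key" \
        -out "$dir/sample.sig" "$dir/sample.txt"
    if openssl dgst -sha256 -verify "$dir/public.key" -keyform DER \
         -signature "$dir/sample.sig" "$dir/sample.txt" >/dev/null 2>&1; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}
```

Run `cas_google_keys /etc/cas/keys` (any directory readable only by the CAS user) and copy private.p8 and public.key to WEB-INF/classes only when it prints "match". Rerunning `verify_keypair` against the deployed directory is a quick check after a rotation that the certificate uploaded to Google still corresponds to the key CAS is signing with.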