In this presentation we discuss how to CASify PeopleSoft, and also discuss some strategies on how to integrate Microsoft ADFS with CAS Server to have a single SSO experience for your end users.

1. 5/13/14 Apereo Miami 2014 1
How to CASify PeopleSoft, and
integrating CAS and ADFS
Byran Wooten: bryan.wooten@utah.edu
John Gasper: jgasper@unicon.net
Misagh Moayyed: mmoayyed@unicon.net

2. 5/13/14 Apereo Miami 2014 2
•We will cover the integration and configuration points
to easily CASify PeopleSoft with minimal custom.
•We will also review several options for integrating your
CAS Server with Microsoft's ADFS Server. This is
particularly helpful if you are an Office 365 customer or
you have client applications that utilized Windows
Identity Foundation (WIF) and want to integrate the SSO
experience.
This Session

3. 5/13/14

4. 5/13/14
Unicon: John Gasper, Misagh Moayyed
•Members of IAM practice at Unicon
•Emphasis on CAS, Shibboleth, Grouper, etc
•Provide commercial support through OSS program

5. 5/13/14 5Apereo Miami 2014
How to
ify

6. 5/13/14 Apereo Miami 2014 6
Objective
CASify Peoplesoft web application via the Java
CAS client
•Populate REMOTE_USER with CAS principal id
•Peoplecode function to authenticate
Request.RemoteUser into Peoplesoft

7. 5/13/14 Apereo Miami 2014 7
1.Add CAS filters to the Weblogic web.xml
2.Add logic to Signon PeopleCode (FUNCLIBLDAP)
3.Configure Signon PeopleCode
Only 3 steps are required.
So, it really is easy!

8. 5/13/14 Apereo Miami 2014 8
•Add CAS Filters to web.xml in this location:
/<peoplesoft-webapp-directory>/PORTAL/WEB-INF
•Don’t forget to add the CAS client jar to the classpath:
/<peoplesoft-webapp-directory>/PORTAL/WEB-INF/lib/cas-client-core-3.3.1.jar
You may need to add the CAS Certificate to the
•Peoplesoft keystore:
/ps/pltest/weblogic/jdk150/jre/lib/security/cacerts
Step 1

9. 5/13/14 Apereo Miami 2014 9

10. 5/13/14 Apereo Miami 2014 10
Step 2:
Modify Signon PeopleCode
CAS_AUTHENTICATION()

11. 5/13/14 Apereo Miami 2014 11
•A default “guest” user must be created with the most basic permissions to be attached to
the CAS Web Profile. (Allow Public Users = Checked)
•CAS_AUTHENTICATION needs be enabled through signon peoplecode. The function uses the remote user in the
request headers as a authenticated user and retrieves the appropriate distinguished name from the directory.
•Valid user role that has the necessary permissions required to execute and invoke the Peoplecode function.
•The profile must be activated in PeopleSoft under the WebProfile setting, inside
the configuration.properties
•If all goes well, &global_DN is set and setAuthenticationResult() sets the user context to the correct
userID.
Peoplesoft WebProfile

12. 5/13/14 Apereo Miami 2014 12
Function CAS_AUTHENTICATION()
&logger = initLogger();
&logger.info("CAS_AUTHENTICATION ============ Start of CAS_AUTHENTICATION =============
(" | %SignonUserId | ")");
printRequestHeaders();
If &bConfigRead = False Then
getLDAPConfig();
End-If;
&cas_result = %Request.RemoteUser;
If &cas_result <> "" Then
/* User is authenticated, log them into PeopleSoft */
&logger.info(" CAS_AUTHENTICATION - " | "Remote user = " | &cas_result | " logged in
by CAS_AUTHENTICATION");
SetAuthenticationResult( True, Upper(&cas_result), "", False);
&authMethod = "CAS";
&CAS_userid = &cas_result;
&sql_PSOPRDEFN = CreateSQL("Select FAILEDLOGINS from PSOPRDEFN where OPRID=:1",
Upper(&cas_result));
&ret = &sql_PSOPRDEFN.Fetch(&failedLogin);
If (&failedLogin <> 0) Then
SQLExec("update PSOPRDEFN set FAILEDLOGINS=0 where OPRID=:1", Upper(&cas_result));
End-If;
CAS_AUTHENTICATION()

13. 5/13/14 Apereo Miami 2014 13
/* set &global_DN for profilesync */
For &J1 = 1 To &authMaps.Len
&DNs = CreateArrayRept("", 0);
If (idToDN(&cas_result, &DNs, &authMaps [&J1])) Then
For &I1 = 1 To &DNs.Len
/* Take the first DN found as the &global_DN */
&global_DN = &DNs [&I1];
&idxAuthMap = &J1;
/** &global_DN = "unid=" | &cas_result |
",ou=people,o=utah.edu"; **/
&logger.info("CAS_AUTHENTICATION - ***** &authMethod =
CAS ***** ===== (" | &cas_result | ")/" | &global_DN | "/" |
&authMaps [&J1].getAuthMapID());
Return;
End-For;
End-If;
End-For;
End-If;
&logger.info("CAS_AUTHENTICATION - Did not authenticate by
CAS_AUTHENTICATION (" | %SignonUserId | ")");
End-Function;

14. 5/13/14 Apereo Miami 2014 14
Step 3
Configure Signon Peoplecode
Note: “Invoke As” fields must be set to the credentials of the user created inside the web
profile to execute the peoplecode function. Ensure that both LDAP authentication and
profile sync are turned on, and “Exec Auth Fail” is checked for both.

15. 5/13/14 Apereo Miami 2014 15
In the WebProfile, specify a new signout.html for signout
•Place the file at /<peoplesoft-directory>/PORTAL.war/WEB-INF/psftdocs/CS89PS
•Edit the file:
Signout

16. 5/13/14 Apereo Miami 2014 16
•Ensure CAS_AUTHENTICATION() function logs activity to file
•Test webprofile using cmd=start:
https://sys.peoplesoft.edu:8703/psp/CS89PS/?cmd=start&languageCd=ENG
Log into peoplesoft using the account configured to invoke
•CAS_AUTHENTICATION()
•Almost ALL changes require a PeopleSoft web application restart
Tips & Suggestions

17. 5/13/14 Apereo Miami 2014 17
•Deep linking vs. Peoplesoft “caching”
•Peoplesoft vs. CAS account mapping
•Single signout
Issues & Troubleshooting

18. 5/13/14 Apereo Miami 2014 18
•Microsoft ADFS is yet another SSO
environment that competes in the same
spaces as CAS and Shibboleth.
•Why would you integrated ADFS with CAS?
lOffice 365?
lPreviously developed ASP.NET/Windows
Identity Foundation apps that utilize an
STS, like ADFS.
Integrating CAS and
Microsoft ADFS

19. 5/13/14 Apereo Miami 2014 19
•CAS as an RP: Fronting CAS with ADFS
•CASifying ADFS: Front ADFS with CAS
•ADFS as an SP: Front ADFS with CAS*
Integrating CAS and
Microsoft ADFS

20. 5/13/14 Apereo Miami 2014 20
Front CAS with ADFS

21. 5/13/14 Apereo Miami 2014 21
Front CAS with ADFS

22. 5/13/14 Apereo Miami 2014 22
Front CAS with ADFS
pom.xml
<!-- ADFS Integration -->
<dependency>
<groupId>net.unicon.cas</groupId>
<artifactId>cas-server-support-
wsfederation</artifactId>
<version>1.0.0-SNAPSHOT</version>
<scope>compile</scope>
</dependency>

23. 5/13/14 Apereo Miami 2014 23
Front CAS with ADFS
spring-config/wsfederation.xml
<bean id="wsFedConfig" class="net.unicon.cas.support.wsfederation.WsFederationConfiguration">
<property name="identityProviderIdentifier" value="http://adfs.example.org/adfs/services/trust" />
<property name="identityProviderUrl" value="https://adfs.example.org/adfs/ls/" />
<property name="identityAttribute" value="upn" />
<property name="relyingPartyIdentifier" value="urn:federation:cas" />
<property name="tolerance" value="60000" />
<property name="attributeMutator">
<bean class="org.example.cas.support.wsfederation.WsFedAttributeMutatorImpl" />
</property>
<property name="signingCertificateFiles">
<list>
<value>file:/etc/cas/signing.cer</value>
</list>
</property>
</bean>

24. 5/13/14 Apereo Miami 2014 24
Front CAS with ADFS
login-webflow.xml
<action-state id="wsFederationAction">
<evaluate expression="wsFederationAction" />
<transition on="success" to="sendTicketGrantingTicket" />
<transition on="error" to="ticketGrantingTicketExistsCheck" />
</action-state>
<view-state id="WsFederationRedirect"
view="externalRedirect:${WsFederationIdentityProviderUrl}"/>

25. 5/13/14 Apereo Miami 2014 25
Front CAS with ADFS

26. 5/13/14 Apereo Miami 2014 26
Front CAS with ADFS

27. 5/13/14 Apereo Miami 2014 27
Front CAS with ADFS

28. 5/13/14 Apereo Miami 2014 28
Front CAS with ADFS
Attribute Mutator: clean-up or map your attributes
coming from ADFS, but before they are released.
attributes.put("upn",
attributes.get("upn").toString().replace("@example.org", ""));
attributeMapping(attributes, "surname", "LastName");
attributeMapping(attributes, "givenname", "FirstName");
attributeMapping(attributes, "Group", "Groups");
attributeMapping(attributes, "employeeNumber", "UDC_IDENTIFIER");

29. 5/13/14 Apereo Miami 2014 29
CASifying ADFS
Utilizes .NET CAS Client and ClearPass:
1) Drop in the DotNetCasClient.dll (v1.0.1).
2) Configure web.config.
3) Add code to FormsSignIn.aspx.cs.

30. 5/13/14 Apereo Miami 2014 30
CASifying ADFS
Utilizes .NET CAS Client and ClearPass:
Username=Page.User.Identity.Name;
proxyTicket =
CasAuthentication.GetProxyTicketIdFor(ClearPassUrl);
clearPassRequest = ClearPassUrl + "?" +
ArtifactParameterName + "=" + proxyTicket + "&" +
ServiceParameterName + "=" + ClearPassUrl;
Password = XmlUtils.GetTextForElement(clearPassResponse,
"cas:credentials");
SignIn(Username, Password);

31. 5/13/14 Apereo Miami 2014 31
CASifying ADFS
This may or may not work on ADFS on Windows
Server 2012 R2.
The .cs files are embedded in
C:WindowsadfsMicrosoft.IdentityServer.Web.dll
Visual Studio should allow you to alter the files.

32. 5/13/14 Apereo Miami 2014 32
ADFS as an SP
Theoretically, we can use CAS's Google
Apps/SAML 2.0 support to connect to ADFS.
Pros: No significant mods to ADFS or CAS.
Let me know if you are interested in
collaborating on this.

33. https://github.com/unicon/cas-adfs-integration