CAS protocol provider for Keycloak
Home Page: https://issues.jboss.org/browse/KEYCLOAK-1047
License: Apache License 2.0
This repository is no longer maintained.
See https://github.com/jacekkow/keycloak-protocol-cas for an up-to-date fork.
Hi,
Any chance to get a Keycloak V9 compatible version in the near future?
Hi, i am using this for our production env.
I tried on my computer, with standalone mode, which copy jar to standalone/deployment, which will be auto-deployment.
But we use domain cluster mode on production env, and this is not working, the jar is not auto-deployment.
How can i do? deploy this jar as a module under module directory? i tried but got org/jboss/logging classNotFound error , and i downloaded jboss-log, jboss-log-annation, jboss-log-processor jar, put them under standalone/lib, which is not good.
Thank you.
Yay, tests!
Mock requests and assert the right response is returned. Might be tricky to mock the Keycloak auth and session handling though.
Hi, thanks for the extension and it helps me a lot. Is it possible to implement a protocol federation mechanism? That is to say after I successfully sso with CAS, I do not need to auth again with OIDC ?
The following attributes concerning session metadata are mentioned in some parts of the CAS spec, but omitted in others:
authenticationDate: Date of user authentication to CAS serverlongTermAuthenticationRequestTokenUsed: True if remember-me authentication was used (should always be false as Keycloak does not support remember-me)isFromNewLogin: True if interactive login was performed, false for cookie loginExample serviceValidate XML section:
<cas:attributes>
<cas:authenticationDate>2015-11-12T09:30:10Z</cas:authenticationDate>
<cas:longTermAuthenticationRequestTokenUsed>true</cas:longTermAuthenticationRequestTokenUsed>
<cas:isFromNewLogin>true</cas:isFromNewLogin>
<cas:myAttribute>myValue</cas:myAttribute>
[...]
</cas:attributes>There is no JSON example in the spec.
CAS specification link: https://apereo.github.io/cas/5.0.x/protocol/CAS-Protocol-Specification.html#saml-cas-response-attributes (Appendix A)
Hi,
With keycloak-3.2.0 final in standalone mode I have this exception when I try to reach the CAS url:
Could not find resource for full path: https://XXX.XXX.XXX/auth/realms/master/protocol/cas
Proxy ticket granting and validation is a mandatory CAS 2.0 feature and should be supported. However not many clients use it and it is not required for basic SSO functionality.
The basic flow is the following:
serviceValidate during user login/proxy/proxyValidate instead of /serviceValidate to validate the proxy ticketAffects the following endpoints:
/proxy [CAS 2.0]/proxyValidate [CAS 2.0]Web flow diagram: https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html#proxy-web-flow-diagram
CAS specification link: https://apereo.github.io/cas/5.0.x/protocol/CAS-Protocol-Specification.html#proxyvalidate-cas-20
When trying to compile branch 9.0.0 using maven on Centos7 got
error messages:
keycloak-protocol-cas/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java:[67,89] incompatible types: org.keycloak.models.KeycloakUriInfo cannot be converted to org.keycloak.models.KeycloakSession
keycloak-protocol-cas/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java:[79,82] incompatible types: org.keycloak.models.KeycloakUriInfo cannot be converted to org.keycloak.models.KeycloakSession
keycloak-protocol-cas/src/main/java/org/keycloak/protocol/cas/representations/SamlResponseHelper.java:[77,59] cannot find symbol
symbol: variable AUTH_METHOD_PASSWORD
....
Apache Maven 3.0.5 (Red Hat 3.0.5-17)
Java version: 1.8.0_252
Hello,
Thank you for this useful plugin.
Any plan for a Keycloak 8 compatibility ?
Would be great to see this extension listed on the keycloak.org extensions page. To do that simply send a PR to https://github.com/keycloak/keycloak-web/tree/master/src/main/resources/extensions. You can find a template for the required json file here https://github.com/keycloak/keycloak-web/blob/master/src/main/resources/extension-template.json.
Yay, more tests!
Keycloak internal services are tested using Arquillian. It would be nice to add similar tests for CAS, but the Keycloak test framework is not published to maven so this might be some work.
The samlValidate endpoint performs the same service ticket validation task as serviceValidate, but instead of accepting query parameters and returning custom XML, it accepts and returns SAML XML documents.
It is an optional part of the CAS 3.0 specification, but is required by some client implementations (e.g. scm-cas-plugin for SCM Manager).
CAS Specification link: https://apereo.github.io/cas/5.0.x/protocol/CAS-Protocol-Specification.html#samlvalidate-cas-30
Couldn't it be good to archive this repository once @jacekkow made a brilliant job to maintain a fork that brings supports to all newer keycloak versions?
A redirection to https://github.com/jacekkow/keycloak-protocol-cas or a mention in the README could solve the problem.
Specification looks different for /validate endpoint for V2 and V3:
https://apereo.github.io/cas/6.0.x/protocol/CAS-Protocol-V2-Specification.html#24-validate-cas-10
https://apereo.github.io/cas/6.0.x/protocol/CAS-Protocol-Specification.html#24-validate-cas-10
It seems only V3 is implemented.
There has been several versions, the last one is 4.4.0
Can we still use the keycloak-protocol-cas 4.1.0 for this last release as we are still on the same major version, or do we need new releases each time ?
Hi,
Since CAS 5.2.2, service tickets should not contain underscores, but keycloak-protocol-cas creates tokens that contains some (here or there) :
FYI, CAS 5.2.2 no longer includes underscores in service tickets.
Since CAS 5.2.2, service tickets should not contain underscores.
Would it be possible to add in the client configuration an option to enable or disable the use of underscores in ticket generation please ?
Thank you
Hi!
I am currently integrating Keycloak with Omeka via CAS with your plugin. The problem is that i don't now hot to configurate correctly. In Omeka it is requested host, port and uri then I add the following:
Host: login..cl
Port:
URI: auth/realms//protocol/cas
Resulting in the following redirection "https://login.****.cl/auth/realms/****/protocol/cas/login?service=http%3A%2F%2Fbiblioteca.****.cl%2Fadmin%2Fusers%2Flogin%2F" (**** is the domain name demo) but in keycloak give me a internal server error.
In keycloak i configured the following:
Client id: biblioteca
Client Protocol: cas
Root URL: http://biblioteca.****.cl/admin/users/login
Valid Redirect URIs: http://biblioteca.****.cl/admin/users/login
Finally mention that keycloak log is empty.
Greetings and thanks in advance!
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.