For the CAS Authorization Method, the Login URL must
usually be HTTPS (a CAS server requirement). It also must point to
the actual CAS login service, not a wrapper. This is because
the Search Appliance will also map the /login part of the URL to /serviceValidate and other standard CAS services for ticket
validation after login. Thus a URL such as https://cas.example.com/cas/login?service=%REFERER% should be
used as the Login URL for CAS.
The CAS server must also be configured to work with the Search Appliance.
When configuring, be sure to use a URL pattern that matches all
possible Search Appliance search and admin URLs, e.g. one that
matches at least
https://appliance.example.com/texis/....
Consult your CAS server documentation for how to configure these items:
- The Search Appliance must be allowed to use CAS. This typically
involves ensuring its URLs (see above) match a list or pattern of
permitted URLs. For an Apereo CAS server, this may involve
ensuring the serviceId setting of the appropriate config
file (e.g. HTTPSandIMAPS-10000001.json) matches
Search Appliance URLs. Lack of permission may result in an error
such as "Application Not Authorized to Use CAS" from the
CAS server when the user attempts to search, and is redirected to
the CAS login.
- The Search Appliance must be allowed to proxy. For Apereo CAS, this
may involve setting a proxyPolicy pattern (e.g. via JSON).
Lack of proxy permission may result in an error such as INVALID_PROXY_CALLBACK from the Search Appliance during searches.
- All CAS-protected services that may be walked and appear in
Results Authorization search results must allow the Search Appliance to
proxy them. For Apereo CAS, this may involve setting the allowedProxyChains parameter in the CAS Validation Filter.
Lack of this permission may result in these services always being
rejected (via HTTP 500 Server Error) as unauthorized, and not
shown in search results.
- Depending on the CAS server's configuration, the Search Appliance may
have to be accessed via an HTTPS/SSL URL.
Make sure Enable HTTPS Server is Y under System
Wide Settings.
- The CAS server may also need to trust the Search Appliance's SSL
certificate, i.e. have that certificate's CA in its trust store.
Lack of trust may also result in an INVALID_PROXY_CALLBACK error.
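As an added example (not from the Search Appliance or Apereo CAS documentation), the following Python script checks a JSON service definition of the kind described in the first two items above: that its serviceId matches the Search Appliance URLs, that a proxyPolicy pattern is set, and that neither pattern is so broad that it also admits an unrelated host. The service definition, the URL paths and the canary host are constructed sample values, and Python's re module stands in for the Java regular expressions CAS uses.

```python
import json
import re

# Constructed sample of an Apereo CAS JSON service definition (not from the page).
SAMPLE_SERVICE = r'''{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://appliance\\.example\\.com/texis/.*",
  "name": "SearchAppliance",
  "id": 10000002,
  "proxyPolicy": {
    "@class": "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern": "^https://appliance\\.example\\.com/.*"
  }
}'''

# Constructed search and admin URLs that the serviceId pattern has to permit.
APPLIANCE_URLS = [
    "https://appliance.example.com/texis/search?query=test",
    "https://appliance.example.com/texis/admin",
]
# Constructed URL on an unrelated host; a pattern matching it is too broad.
CANARY_URL = "https://unrelated.example.net/anything"


def check_service(definition_text, must_match, canary):
    """Return a list of findings; an empty list means no problem was found."""
    svc = json.loads(definition_text)
    findings = []
    # Assumption: Python re.match approximates CAS's Java regex matching here.
    service_id = re.compile(svc["serviceId"])
    for url in must_match:
        if not service_id.match(url):
            findings.append(f"serviceId does not match {url}")
    if service_id.match(canary):
        findings.append("serviceId also matches an unrelated host")
    pattern = svc.get("proxyPolicy", {}).get("pattern")
    if not pattern:
        findings.append("no proxyPolicy pattern set")
    elif re.compile(pattern).match(canary):
        findings.append("proxyPolicy pattern also matches an unrelated host")
    return findings


if __name__ == "__main__":
    for finding in check_service(SAMPLE_SERVICE, APPLIANCE_URLS, CANARY_URL) or ["ok"]:
        print(finding)
```

Replace APPLIANCE_URLS with the search and admin URLs users actually reach on your appliance before relying on the result.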
If you encounter problems configuring CAS with Results Authorization,
be sure to check the CAS server log files for information that may
help diagnose the issue. Also note that Results Authorization with
CAS is not currently supported for Meta Search.
Copyright © Thunderstone Software Last updated: Nov 8 2024