Additional CAS Setup

 

For the CAS Authorization Method, the Login URL must usually be HTTPS (a CAS server requirement). It must also point to the actual CAS login service, not a wrapper, because Webinator will also map the /login part of the URL to /serviceValidate and other standard CAS services for ticket validation after login. Thus a URL such as https://cas.example.com/cas/login?service=%REFERER% should be used as the Login URL for CAS.

The CAS server must also be configured to work with Webinator. When configuring, be sure to use a URL pattern that matches all possible Webinator search and admin URLs, e.g. one that matches at least https://webinator.example.com/texis/webinator/.... Consult your CAS server documentation for how to configure these items:

  • Webinator must be allowed to use CAS. This typically involves ensuring its URLs (see above) match a list or pattern of permitted URLs. For an Apereo CAS server, this may involve ensuring the serviceId setting of the appropriate config file (e.g. HTTPSandIMAPS-10000001.json) matches Webinator URLs. Lack of permission may result in an error such as "Application Not Authorized to Use CAS" from the CAS server when the user attempts to search and is redirected to the CAS login.

  • Webinator must be allowed to proxy. For Apereo CAS, this may involve setting a proxyPolicy pattern (e.g. via JSON). Lack of proxy permission may result in an error such as INVALID_PROXY_CALLBACK from Webinator during searches.

  • All CAS-protected services that may be walked and appear in Results Authorization search results must allow Webinator to proxy them. For Apereo CAS, this may involve setting the allowedProxyChains parameter in the CAS Validation Filter. Lack of this permission may result in these services always being rejected (via HTTP 500 Server Error) as unauthorized, and not shown in search results.

  • Depending on the CAS server's configuration, Webinator may have to be accessed via an HTTPS/SSL URL.

  • The CAS server may also need to trust Webinator's SSL certificate, i.e. have that certificate's CA in its trust store. Lack of trust may also result in an INVALID_PROXY_CALLBACK error.
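The serviceId and proxyPolicy patterns described above can be checked before deployment against the URLs they must accept and the ones they must reject. This is an added example, not Thunderstone or Apereo code: the service definition, the paths under /texis/webinator/ and the rejected URLs are constructed, the class names follow the Apereo JSON registry style and should be checked against your CAS version, and Python's re module stands in for the Java regex engine CAS uses.

```python
import json
import re

# Constructed service definition in the Apereo JSON registry style; the id,
# name and patterns are illustrative, not taken from a real deployment.
SERVICE_JSON = r'''
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://webinator\\.example\\.com/texis/webinator/.*",
  "name": "Webinator",
  "id": 10000002,
  "proxyPolicy": {
    "@class": "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern": "^https://webinator\\.example\\.com/texis/webinator/.*"
  }
}
'''

BASE = "https://webinator.example.com/texis/webinator/"
# Constructed URLs: the paths below BASE are placeholders for search and admin URLs.
MUST_MATCH = [BASE + "search?query=test", BASE + "admin/"]
MUST_NOT_MATCH = [
    "http://webinator.example.com/texis/webinator/search",        # not HTTPS
    "https://webinator.example.com.other.test/texis/webinator/",  # lookalike host
    "https://other.example.test/?next=" + BASE,                   # URL embedded in query
]

def check_pattern(pattern):
    """Return the problems found for one regex (empty list = passed)."""
    # Full-match vs. find semantics on the server is not assumed: required URLs
    # must pass the stricter reading, unwanted URLs must fail the looser one.
    rx = re.compile(pattern)
    problems = [f"misses required URL {u}" for u in MUST_MATCH if not rx.fullmatch(u)]
    problems += [f"accepts unwanted URL {u}" for u in MUST_NOT_MATCH if rx.search(u)]
    return problems

def audit_service(text):
    """Check both the serviceId and the proxyPolicy pattern of one definition."""
    svc = json.loads(text)
    # "(?!)" never matches, so a missing proxyPolicy is reported as a failure.
    return {
        "serviceId": check_pattern(svc["serviceId"]),
        "proxyPolicy": check_pattern(svc.get("proxyPolicy", {}).get("pattern", "(?!)")),
    }

if __name__ == "__main__":
    print(audit_service(SERVICE_JSON))
```

A pattern such as `https://webinator.example.com.*` passes the required URLs but is flagged for the lookalike host and the embedded URL, which is why the sample anchors the pattern and escapes the dots.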

If encountering problems configuring CAS with Results Authorization, be sure to check the CAS server log files for information that may help diagnose the issue. Also note that Results Authorization with CAS is not currently supported for Meta Search.


Copyright © Thunderstone Software     Last updated: Mar 7 2019