SAML协议单点登录-CASServer服务端即IDP

下载cas-overlay工程添加maven依赖启用对SAML的支持修改配置文件部署idp常用api

这是一个casserver提供的一个模板示例工程，通过添加不同的maven依赖获取对不同协议的支持
CAS官方文档

cas server 客户端模板下载

选择合适的版本分支下载

        
            org.apereo.cas
            cas-server-support-saml-idp
            ${cas.version}
        
        
            org.apereo.cas
            cas-server-support-saml-idp-core
            ${cas.version}
        

如果有些依赖下载失败，需要声明以下maven存储库

    ...
    
        shibboleth-releases
        https://build.shibboleth.net/nexus/content/repositories/releases
    
    ...

在src/resources下添加application.properties文件

##
# CAS Server Context Configuration
#
server.context-path=/cas
server.port=8443

cas.standalone.configurationDirectory=/etc/cas/config

#server.ssl.key-store=file:/etc/cas/thekeystore
#server.ssl.key-store-password=changeit
#server.ssl.key-password=changeit

server.max-http-header-size=2097152
server.use-forward-headers=true
server.connection-timeout=20000
server.error.include-stacktrace=ALWAYS

server.compression.enabled=true
server.compression.mime-types=application/javascript,application/json,application/xml,text/html,text/xml,text/plain

server.tomcat.max-http-post-size=2097152
server.tomcat.basedir=build/tomcat
server.tomcat.accesslog.enabled=true
server.tomcat.accesslog.pattern=%t %a "%r" %s (%D ms)
server.tomcat.accesslog.suffix=.log
server.tomcat.min-spare-threads=10
server.tomcat.max-threads=200
server.tomcat.port-header=X-Forwarded-Port
server.tomcat.protocol-header=X-Forwarded-Proto
server.tomcat.protocol-header-https-value=https
server.tomcat.remote-ip-header=X-FORWARDED-FOR
server.tomcat.uri-encoding=UTF-8

spring.http.encoding.charset=UTF-8
spring.http.encoding.enabled=true
spring.http.encoding.force=true

##
# CAS Cloud Bus Configuration
#
spring.cloud.bus.enabled=false

# Indicates that systemPropertiesOverride can be used.
# Set to false to prevent users from changing the default accidentally. Default true.
spring.cloud.config.allow-override=true

# External properties should override system properties.
spring.cloud.config.override-system-properties=false

# When allowOverride is true, external properties should take lowest priority, and not override any
# existing property sources (including local config files).
spring.cloud.config.override-none=false

# spring.cloud.bus.refresh.enabled=true
# spring.cloud.bus.env.enabled=true
# spring.cloud.bus.destination=CasCloudBus
# spring.cloud.bus.ack.enabled=true

endpoints.enabled=false
endpoints.sensitive=true

endpoints.restart.enabled=false
endpoints.shutdown.enabled=false

# Control the security of the management/actuator endpoints
# The 'enabled' flag below here controls the rendering of details for the health endpoint amongst other things.
management.security.enabled=true
management.security.roles=ACTUATOR,ADMIN
management.security.sessions=if_required
management.context-path=/status
management.add-application-context-header=false

# Define a CAS-specific "WARN" status code and its order
management.health.status.order=WARN, DOWN, OUT_OF_SERVICE, UNKNOWN, UP

# Control the security of the management/actuator endpoints
# With basic authentication, assuming Spring Security and/or relevant modules are on the classpath.
security.basic.authorize-mode=role
security.basic.path=/cas/status/**
# security.basic.enabled=true
# security.user.name=casuser
# security.user.password=

##
# CAS Web Application Session Configuration
#
server.session.timeout=300
server.session.cookie.http-only=true
server.session.tracking-modes=cookie

##
# CAS Thymeleaf View Configuration
#
spring.thymeleaf.encoding=UTF-8
spring.thymeleaf.cache=true
spring.thymeleaf.mode=HTML
spring.thymeleaf.template-resolver-order=100
##
# CAS Log4j Configuration
#
# logging.config=file:/etc/cas/log4j2.xml
server.context-parameters.isLog4jAutoInitializationDisabled=true

##
# CAS AspectJ Configuration
#
spring.aop.auto=true
spring.aop.proxy-target-class=true

##
# CAS Authentication Credentials 默认的cas登录密码
cas.authn.accept.users=admin::zhangtianming
# 启用从json文件中注册应用
cas.serviceRegistry.initFromJson=true
#cas.serviceRegistry.watcherEnabled=true
#cas.serviceRegistry.repeatInterval=120000
#cas.serviceRegistry.startDelay=15000
#cas.serviceRegistry.config.location=classpath:/services

cas.tgc.secure=false
# 请填写实际的ip和端口
cas.server.name=http://localhost:9090
cas.server.prefix=${cas.server.name}/cas_overlay_war

# idp的entityId，请输入idp的实际访问地址
cas.authn.samlIdp.entityId=http://localhost:9090/cas_overlay_war/idp
cas.authn.samlIdp.scope=*

# idp元数据位置，存放idp元数据文件以及密钥文件
cas.authn.samlIdp.metadata.location=classpath:/saml

修改tomcat的maxHttpHeaderSize和maxPostSize为2097152然后打包后放入tomcat启动。

注意：

cas.authn.samlIdp.entityId这个属性一定要配置正确，系统自动生成元数据文件中的entityId就与这个是一致的。SAML客户端也是读取这个元数据文件的entityId拼装单点登录地址的idp元数据示例

 #这个entityId是从配置文件中获取的，请正确进行配置；如果发现不一致的情况，请检查cas.authn.samlIdp.metadata.location的路径下是否已经存在了元数据文件，如果有请删除。
    
        
            SCOPE
        
        
            
              
                  ...
              
            
        
        
            
              
                  ...
              
            
        

        urn:mace:shibboleth:1.0:nameIdentifier
        urn:oasis:names:tc:SAML:2.0:nameid-format:transient

        
        
        
    

由于没有在classpath:/saml中放入元数据文件和密钥文件，所以元数据文件和密钥文件是cas自动生成的

你可以在运行之后在工程的文件中找到生成的元数据文件和密钥文件放入到classpath:/saml下

cas-server的idp元数据文件的命名是固定的，idp-metadata.xml，事实上生成的密钥文件名也是固定的，所以建议直接把CAS自动生成的元数据文件和密钥文件放入到设置的文件

如果需要重新部署的话，建议将之前的工程文件删除干净再重新进行部署，因为CAS如果发现cas.authn.samlIdp.metadata.location下有元数据文件的话将不会自动创建元数据文件。如果是idea进行热部署的时候有可能就出现系统沿用之前的元数据文件，导致你修改的配置没有生效

获取idp元数据文件：http://ip:port/context-path/idp/metadata