Chapter 11. CAS Authentication

CAS is an open-source Single Sign On (SSO) provider that allows multiple applications and services to authenticate against it and brokers those authentication requests to a back-end authentication provider. This module allows Guacamole to redirect to CAS for authentication and user services. This module must be layered on top of other authentication extensions that provide connection information, as it only provides user authentication.

Downloading the CAS authentication extension

The CAS authentication extension is available separately from the main guacamole.war. The link for this and all other officially-supported and compatible extensions for a particular version of Guacamole are provided on the release notes for that version. You can find the release notes for current versions of Guacamole here: http://guacamole.apache.org/releases/.

The CAS authentication extension is packaged as a .tar.gz file containing only the extension itself, guacamole-auth-cas-1.1.0.jar, which must ultimately be placed in GUACAMOLE_HOME/extensions.

Installing CAS authentication

Guacamole extensions are self-contained .jar files which are located within the GUACAMOLE_HOME/extensions directory. If you are unsure where GUACAMOLE_HOME is located on your system, please consult Chapter 5, Configuring Guacamole before proceeding.

To install the CAS authentication extension, you must:

  1. Create the GUACAMOLE_HOME/extensions directory, if it does not already exist.

  2. Copy guacamole-auth-cas-1.1.0.jar within GUACAMOLE_HOME/extensions.

  3. Configure Guacamole to use CAS authentication, as described below.

Configuring Guacamole for CAS Authentication

The CAS authentication extension provides two configuration properties, both of which are required.

cas-authorization-endpoint

The URL of the CAS authentication server. This should be the full path to the base of the CAS installation.

cas-redirect-uri

The URI to redirect back to upon successful authentication. Normally this will be the full URL of your Guacamole installation.

cas-clearpass-key

If using CAS ClearPass to pass the SSO password to Guacamole, this parameter specifies the private key file to use to decrypt the password. See the section on ClearPass below.

Completing the installation

Guacamole will only reread guacamole.properties and load newly-installed extensions during startup, so your servlet container will need to be restarted before CAS authentication can be used. Doing this will disconnect all active users, so be sure that it is safe to do so prior to attempting installation. When ready, restart your servlet container and give the new authentication a try.

Using CAS ClearPass

CAS has a function called ClearPass that can be used to cache the password used for SSO authentication and make that available to services at a later time. Configuring the CAS server for ClearPass is beyond the scope of this article - more information can be found on the Apereo CAS wiki at the following URL: https://apereo.github.io/cas.

Once you have CAS configured for credential caching, you need to configure the service with a keypair for passing the credential securely. The public key gets installed on the CAS server, while the private key gets configured with the cas-clearpass-key property. The private key file needs to be in RSA PKCS8 format.