CAS
1. Create configuration file
The default data directory is
/data/hap/script/volume/sso/sso.json.
Note: If you still encounter a 404 error after mounting, you can copy the content to json.cn to chec if the JSON format is valid.
{
"mode": "common-cas",
"name": "cas",
"cas": {
"casUrl": "",
"myserviceUrl": "",
"serviceValidate": "/serviceValidate",
"login": "/login",
"logout": "/logout",
"casParams": {
"UserId": "{{&user}}",
"Name": "{{&attributes.name}}",
"Email": "{{&user}}@test.com"
},
"autoRegister": true,
"projectId": ""
}
}
Parameters and Descriptions
| Parameter | Type | Required | Description |
|---|---|---|---|
| cas.casUrl | String | Yes | The URL of the CAS identity server |
| cas.myserviceUrl | String | Yes | The URL of the CAS single sign-on service; set it as {server}/orgsso |
| cas.serviceValidate | String | Yes | The path for validating the ticket; access casUrl+serviceValidate for ticket authentication |
| cas.login | String | Yes | The path for logging in; access casUrl+login for authorization and authentication |
| cas.logout | String | Yes | The path for logging out; access casUrl+logout for CAS to exit the authorization state |
| cas.casParams | Object | Yes | Field mapping for returning user information, key as fixed fields; value configured based on actual user information; Parameter Configuration |
| cas.params.UserId | String | Yes | Unique user identifier |
| cas.params.Name | String | No | Name, will overwrite if user already exists |
| cas.params.Email | String | No | Email; must be set if searching or registering by email; Either email or mobile must be set; if already bound to a third-party relationship, users can be found through the relationship, email or mobile can be unset |
| cas.params.Mobile | String | No | Mobile number; must be set if searching or registering by mobile |
| autoRegister | Boolean | No | Whether to automatically create an account if it does not exist; default to true |
| projectId | String | Yes | Organization ID in HAP; Org Admin > Organization > Basics > Org ID(This parameter is not needed if it is a multi-organization single sign-on, See Step 3), like 1x-2x-3x-4x-5x |
Interaction Diagram
The result of user information returned by CAS must be in XML format, as other formats are not supported. Configure the mapping fields in casParams based on the returned result, for example:
<cas:serviceResponse xmlns:cas=\"http://www.yale.edu/tp/cas\">
<cas:authenticationSuccess>
<cas:user>test</cas:user>
<cas:attributes>
<cas:name>Jack</cas:name>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
The configuration for casParams is as follows:
"casParams": {
"UserId": "{{&user}}",
"Name": "{{&attributes.name}}",
"Email": "{{&user}}@test.com"
}
2. Mount configuration file
Create a file and add CAS identity service synchronous logout configuration,
/data/hap/script/volume/wwwapi/appextensions.jsonby default, with the following content:
{
"AppSettings": {
"EnableSsoLogoutRedirect": true
}
}
Modify the
docker-compose.yamlof the microservice application, and the default path is/data/hap/script/docker-compose.yaml. add file mounting involumes, and restart the microservice application.
- ./volume/sso/sso.json:/usr/local/MDPrivateDeployment/sso/OptionFile/sso.json
- ./volume/wwwapi/appextensions.json:/usr/local/MDPrivateDeployment/wwwapi/appextensions.json
Enable relationship search
If you need to bind a third-party association ID, you need to create the file
extend.json. The default path is/data/hap/script/volume/sso/extend.jsonand the content is as follows
{
"relation": true
}
Add mounting files
- ./volume/sso/extend.json:/usr/local/MDPrivateDeployment/sso/extend.json
After the mounting configuration is completed, the microservice application needs to be restarted.
After the restart is successful, you can access the {server}/orgsso/checkssoconfig interface through GET to check whether the configuration file is successfully mounted.
3. Single sign-on
Single Organization Access in your browser:
{server}/orgsso/cas?returnUrl={returnUrl}
Multiple Organizations Access in your browser:
{server}/orgsso/cas?returnUrl={returnUrl}&appKey={appKey}&sign={sign}×tamp={timestamp}&projectId={projectId}
For multi-organization projectId needs to be passed through parameters, and enterprise authorization authentication parameters are also required;
For enterprise authentication and authorization signature algorithm, please refer to: https://www.showdoc.com.cn/mingdao/15539798
{server} is the HAP system address, for example, it can be replaced with: http://192.168.10.20:8880
{returnUrl} is the jump address after successful login, does not need to be filled in; for example, if you need to jump to the application page, it can be replaced with: http://192.168.10.20:8880/app/cf595091-e3ac-4669 -a320-068e55533c33/64477b37df36209b5f36f1cf/64477b4f61655012a90ed994?from=insite
If an SSO Error prompt appears during the access process, you can log in to the HAP system through the administrator account, click the avatar in the upper right corner: System Configuration > Log; search for the service name as sso, and check the specific cause of the error.