Skip to main content

CAS

1. Create configuration file

The default data directory is /data/mingdao/script/volume/sso/sso.json.

Note: If you still encounter a 404 error after mounting, you can copy the content to json.cn to chec if the JSON format is valid.

{
"mode": "common-cas",
"name": "cas",
"cas": {
"casUrl": "",
"myserviceUrl": "",
"serviceValidate": "/serviceValidate",
"login": "/login",
"logout": "/logout",
"casParams": {
"UserId": "{{&user}}",
"Name": "{{&attributes.name}}",
"Email": "{{&user}}@test.com"
},
"autoRegister": true,
"projectId": ""
}
}

Parameters and Descriptions

ParameterTypeRequiredDescription
cas.casUrlStringYesThe URL of the CAS identity server
cas.myserviceUrlStringYesThe URL of the CAS single sign-on service; set it as {server}/orgsso
cas.serviceValidateStringYesThe path for validating the ticket; access casUrl+serviceValidate for ticket authentication
cas.loginStringYesThe path for logging in; access casUrl+login for authorization and authentication
cas.logoutStringYesThe path for logging out; access casUrl+logout for CAS to exit the authorization state
cas.casParamsObjectYesField mapping for returning user information, key as fixed fields; value configured based on actual user information; Parameter Configuration
cas.params.UserIdStringYesUnique user identifier
cas.params.NameStringNoName, will overwrite if user already exists
cas.params.EmailStringNoEmail; must be set if searching or registering by email; Either email or mobile must be set; if already bound to a third-party relationship, users can be found through the relationship, email or mobile can be unset
cas.params.MobileStringNoMobile number; must be set if searching or registering by mobile
autoRegisterBooleanNoWhether to automatically create an account if it does not exist; default to true
projectIdStringYesOrganization ID in HAP; Org Admin > Organization > Basics > Org ID(This parameter is not needed if it is a multi-organization single sign-on, See Step 3), like 1x-2x-3x-4x-5x

Interaction Diagram

ticket

The result of user information returned by CAS must be in XML format, as other formats are not supported. Configure the mapping fields in casParams based on the returned result, for example:

<cas:serviceResponse xmlns:cas=\"http://www.yale.edu/tp/cas\">
<cas:authenticationSuccess>
<cas:user>test</cas:user>
<cas:attributes>
<cas:name>Jack</cas:name>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>

The configuration for casParams is as follows:

"casParams": {
"UserId": "{{&user}}",
"Name": "{{&attributes.name}}",
"Email": "{{&user}}@test.com"
}

2. Mount configuration file

Create a file and add CAS identity service synchronous logout configuration, /data/mingdao/script/volume/wwwapi/appextensions.json by default, with the following content:

{
"AppSettings": {
"EnableSsoLogoutRedirect": true
}
}

Modify the docker-compose.yaml of the microservice application, and the default path is /data/mingdao/script/docker-compose.yaml. add file mounting in volumes, and restart the microservice application.

- ./volume/sso/sso.json:/usr/local/MDPrivateDeployment/sso/OptionFile/sso.json
- ./volume/wwwapi/appextensions.json:/usr/local/MDPrivateDeployment/wwwapi/appextensions.json

If you need to bind a third-party association ID, you need to create the file extend.json. The default path is /data/mingdao/script/volume/sso/extend.json and the content is as follows

{
"relation": true
}

Add mounting files

- ./volume/sso/extend.json:/usr/local/MDPrivateDeployment/sso/extend.json
tip

After the mounting configuration is completed, the microservice application needs to be restarted. After the restart is successful, you can access the {server}/orgsso/checkssoconfig interface through GET to check whether the configuration file is successfully mounted.

3. Single sign-on

Single Organization Access in your browser: {server}/orgsso/cas?returnUrl={returnUrl}

Multiple Organizations Access in your browser: {server}/orgsso/cas?returnUrl={returnUrl}&appKey={appKey}&sign={sign}&timestamp={timestamp}&projectId={projectId}

For multi-organization projectId needs to be passed through parameters, and enterprise authorization authentication parameters are also required;

For enterprise authentication and authorization signature algorithm, please refer to: https://www.showdoc.com.cn/mingdao/15539798

note

{server} is the HAP system address, for example, it can be replaced with: http://192.168.10.20:8880

{returnUrl} is the jump address after successful login, does not need to be filled in; for example, if you need to jump to the application page, it can be replaced with: http://192.168.10.20:8880/app/cf595091-e3ac-4669 -a320-068e55533c33/64477b37df36209b5f36f1cf/64477b4f61655012a90ed994?from=insite

If an SSO Error prompt appears during the access process, you can log in to the HAP system through the administrator account, click the avatar in the upper right corner: System Configuration > Log; search for the service name as sso, and check the specific cause of the error.