[GeoNetwork-users] What is the expected behaviour of CAS + database config ?

Hi,

I'm trying to configure a GN4 instance with an external CAS service.

By reading the doc <https://geonetwork-opensource.org/manuals/4.0.x/en/administrator-guide/managing-users-and-groups/authentication-mode.html#configuring-cas>, to configure the CAS + database service, I understand I have to

  * uncomment config-security-cas.xml and
    config-security-cas-database.xml lines in
    config-security/config-security.xml
  * configure the cas variables in
    config-security/config-security.properties

And this should be enough, right?

And I understand that what I would get would be:

  * clicking the login button should redirect to CAS authentication
  * authentication is checked against CAS
  * user, if authenticated, would be created (if necessary) in the GN
    database and considered as logged in

Instead, I'm getting only partially working behaviour:

  * If I click on the GN login button and provide my credentials,
    there's no error, but I don't get logged in. I'm redirected to
    catalog.search, but in the GET parameters, I'm seeing a lot of
    stuff, including my password...
  * If the user does not exist yet in the GN DB and is not logged in,
    when asking for a restricted page,
      o I'm forwarded to the CAS login page
      o when I log in, I'm getting a 401 unauthorized response (path is
        http://localhost:8080/geonetwork/login/cas?ticket=ST-108-MwaS2nSBKVvj4AJXGdLN-dsiinpn)
  * If the user was previously created in the GN DB and is not logged
    in, when asking for a restricted page,
      o I'm forwarded to the CAS login page
      o when I've provided my credentials, I appear logged in, but I'm
        not forwarded to the required page, but rather to the home page

So to sum up, it seems that the GN login button does not take the CAS configuration into account, which is quite unfortunate. And GN seems not to be creating authorized users automatically. It seems to me quite unfortunate too.

Have I missed something? Is it expected behaviour for CAS + database config?

thanks,

Jean

--

*Jean Pommier -- pi-Geosolutions*

Engineer, independent consultant

Tel.: (+33) 6 09 23 21 36
E-mail : jp@anonymised.com
Web : www.pi-geosolutions.fr
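The first symptom above (the password showing up in the GET parameters of the catalog.search redirect) means the credential is now in browser history, proxy and web-server access logs. The following scanner, an added example that is not GeoNetwork code, walks access log lines and reports requests whose query string carries a credential parameter. The log lines, paths and parameter names are constructed; the report lists parameter names only, never their values.

```python
"""Detect credentials that ended up in URL query strings (e.g. a login form
submitted via GET) by scanning Combined Log Format access log lines."""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that must never travel in a query string.
# Assumption: this list covers the login form fields plus common aliases.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "j_password"}

# Minimal Combined Log Format matcher: ip ident user [time] "METHOD target proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def find_leaked_credentials(lines):
    """Return one finding per request whose query string carries a sensitive parameter.

    Only parameter names are reported, so the finding itself does not re-leak the secret.
    CAS service tickets (?ticket=ST-...) are expected in the URL and are not flagged.
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        parts = urlsplit(m.group("target"))
        leaked = sorted({
            name for name, _ in parse_qsl(parts.query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAMS
        })
        if leaked:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "path": parts.path,
                "params": leaked,
                "status": int(m.group("status")),
            })
    return findings


# Constructed sample log: one leaking GET, one normal CAS ticket callback, one POST login.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Dec/2021:13:10:01 +0100] "GET /geonetwork/srv/eng/catalog.search?username=jean&password=s3cret HTTP/1.1" 302 -',
    '10.0.0.5 - - [07/Dec/2021:13:10:02 +0100] "GET /geonetwork/login/cas?ticket=ST-PLACEHOLDER HTTP/1.1" 401 -',
    '10.0.0.5 - - [07/Dec/2021:13:11:00 +0100] "POST /geonetwork/signin HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for finding in find_leaked_credentials(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} {finding['method']} {finding['path']} "
              f"leaks {finding['params']} (status {finding['status']})")
```

Run it against the real access log with `find_leaked_credentials(open(path))`; any hit is a reason to check which form or link submits credentials via GET, and to rotate the exposed passwords.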

Hi,

Answering to myself:

  * login button behaviour: you can edit the link in Admin/Settings.
    Adding `?casLogin` in the end would redirect to the configured CAS
    service. So, it can integrate, but not fully since
      o this is not automatic (need a modif in the Settings)
      o the "popup" login form will not use this, so you'd have to
        disable it (CSS ?)
  * users creation: after cooling my head about this topic, I understand
    we can't expect GN to be able to guess the user profile from only
    the authentication service. One would need a bit more info, which is
    the point of coupling it with LDAP. So, it's not a surprise that you
    have to create the user separately after all

Another question: it seems that when you activate the CAS login mechanism, you're losing the basic login mechanism (that allows, for instance, to connect as 'admin' initial user). Is there a way to keep both authentication processes in parallel?

*Jean Pommier -- pi-Geosolutions*

Engineer, independent consultant

Tel.: (+33) 6 09 23 21 36
E-mail : jp@anonymised.com
Web : www.pi-geosolutions.fr

On 07/12/2021 at 13:13, Jean Pommier via GeoNetwork-users wrote:
