The following guide explains how the University of California, Merced modified Sun Identity Manager (IDM) to implement CAS single sign on for the IDM user interface. This document was originally written when we were running IDM 5.0. I have since edited the code on this page so that the code should work on IDM 7.1.
CAS Resource Adapter
Compile and put edu.ucmerced.idm.resource.CASResourceAdapter in the class path of your deployed Identity Manager server. The code is attached at the bottom of this page.
Also download the CAS client and put casclient.jar in your deployed IDM's WEB-INF/lib (we're using CAS 2.0).
Configuring Identity Manager
Log in as Configurator.
Click Resources tab.
Click Configure Managed Resources button.
Add edu.ucmerced.idm.resource.CASResourceAdapter as a custom resource and click Save.
Go back to the Resources tab.
Select the CAS resource using the pull-down on the bottom of the page.
This will take you through the Create CAS Resource Wizard. There is nothing to configure for this resource. Just keep clicking Next and then Save on the last page.
Click the Configure tab.
Click Login on the left menu.
Click Manage Login Module Groups.
Set up a new group or edit your existing one. We create a new group containing nothing but the CAS module.
When editing the login group, select CAS Login Module from the pull-down menu. Select CAS from the pull-down menu that appears to the right.
Select the login success requirement. We use required, but you may want something different if you're using multiple modules for the group (refer to the Identity Manager documentation for the definitions of the different types).
If you created a new login module group, go back to Configure -> Login, and select the User Interface link. Remove the default module group and add the one you created. Click Save.
IMPORTANT: For every person you want to allow to log in through CAS, you must assign the CAS resource to their IDM account. If CAS authentication succeeds but the user does not have the CAS resource assigned, you will probably see a Java exception thrown on the IDM server when CAS redirects back to IDM. If you have an environment where only some of your CAS-enabled people should be able to log into IDM, and you want to gracefully handle the people who try to log in but aren't allowed, you will have to invest more time in working out a solution for that case. For us, we simply assign everybody with an IDM account the CAS resource, and we do finer-grained access control using IDM account attributes.
web.xml for Identity Manager
Add something that looks like this to your WEB-INF/web.xml file:
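The web.xml fragment itself is not reproduced on this page, so the following is an added example, not the original UC Merced configuration. It assumes the Yale CAS 2.x Java client (casclient.jar), whose servlet filter class and init-parameter names are shown below from that client's documentation; the CAS server host cas.school.edu and the /cas/login and /cas/serviceValidate paths are placeholders to replace with your own. Only the /user/* path is mapped, which is why the logout section later warns that anything left under /user is unreachable once the user has logged out.

```xml
<!-- Added example: CAS 2.x client filter protecting the IDM user interface.
     Placeholder hostnames; replace with your CAS server and IDM server. -->
<filter>
  <filter-name>CASFilter</filter-name>
  <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>

  <!-- Where unauthenticated users are sent to log in -->
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
    <param-value>https://cas.school.edu/cas/login</param-value>
  </init-param>

  <!-- CAS 2.0 ticket validation endpoint; must be https so the
       validation response cannot be tampered with in transit -->
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
    <param-value>https://cas.school.edu/cas/serviceValidate</param-value>
  </init-param>

  <!-- Host (and port, if non-default) of this IDM deployment; the client
       builds the service URL from it, so it must match what users request -->
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
    <param-value>idmserver.school.edu</param-value>
  </init-param>
</filter>

<!-- Protect only the end-user interface. The Configurator/admin UI is not
     mapped here, so it keeps IDM's own login; narrow or widen as needed. -->
<filter-mapping>
  <filter-name>CASFilter</filter-name>
  <url-pattern>/user/*</url-pattern>
</filter-mapping>
```

After a successful validation the Yale filter stores the authenticated username in the HTTP session under the key edu.yale.its.tp.cas.client.filter.user, which is what a resource adapter such as the CAS login module on this page would read to identify the IDM account. Because the filter trusts whatever the CAS server asserts, the validateUrl must point at your real CAS server over TLS, and the filter-mapping decides exactly which IDM pages are reachable without an IDM password, so review the url-pattern before deploying.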
To handle logout properly, you need to both log out of CAS and to log out of the IDM session. To do this, edit user/userLogout.jsp where your IDM application is deployed and change the following:
This will first log you out of IDM and then redirect to the CAS logout URL, which takes care of the CAS logout. CAS will then redirect to https://idmserver.school.edu/idm/user/, which asks the user to log back into IDM. You may want to redirect to a different URL instead, perhaps a page that notifies the user that he or she has been logged out. See user/staticUserLogout.jsp for an example, but if you use it you will have to move it outside of the /user directory, because that directory is CAS protected and the user won't be able to see the page after they log out.