Apereo CAS - Integrations with Apache Syncope

Posted by Misagh Moayyed on November 02, 2022 · 6 mins read ·
Content Unavailable
Your browser is blocking content on this website. Please check your browser settings and try again.

Apache Syncope is a powerful, open-source Java-based enterprise-ready solution that at its core provides services for identity management, synchronization, and provisioning of accounts across repositories. Apereo CAS offers several integration strategies with Apache Syncope that specifically relate to authentication, attribute resolution and account management, etc. Such options empower both solutions to take advantage of each other’s core competencies and, when combined, provide a powerful, feature-rich, and extensible open-source IAM solution for enterprise deployments.

Note
Apache Syncope 3.0.0 Maggiore, about to be released as of this writing, offers a built-in Web Access or WA module that acts as a central hub for authentication, authorization and single sign-on based on Apereo CAS. More on this later!

In this post, we will briefly take a look at a few options that allow for a seamless integration between Apereo CAS and Apache Syncope. This tutorial specifically requires and focuses on:

Authentication

Apache Syncope can act as the central repository and identity store of CAS-enabled accounts. Once CAS receives credentials from the end user, it can take advantage of Syncope’s REST APIs to submit user credentials to Syncope for validation. The resulting payload upon success may also pass back a representation of the authenticated user account that would then be employed and consumed by CAS to build a single sign-on session.

Assuming you have prepared your CAS to build to include the appropriate Apache Syncope integration module, the following settings at a minimum should handle this integration:

cas.authn.syncope.url=...
cas.authn.syncope.domain=Master

Attributes

The source you wish to use for authentication may not necessarily be the same place where user attributes can be found. This separation of concerns allows for use cases where user credentials may be found and validated in one account store, i.e. LDAP, and attributes and various other entitlements could ve fetched from a separate source such as Apache Syncope. In doing so, the following settings at a minimum should handle this type of setup:

cas.authn.attribute-repository.syncope.url=...
cas.authn.attribute-repository.syncope.basic-auth-username=...
cas.authn.attribute-repository.syncope.basic-auth-password=...
cas.authn.attribute-repository.syncope.search-filter=username=={user}

Authorization

Whether as part of a direct authentication attempt or a separate attribute resolution request, the accepted user profile from Apache Syncope may contain assigned user roles that are translated by CAS into a syncopeUserRoles attribute. We could then take advantage of the Attribute-based Access Control functionality in CAS and set up authorization rules for applications based on user roles:

{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^https://app.example.org",
  "name" : "Application",
  "id" : 1,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "syncopeUserRoles" : [ "java.util.HashSet", [ "admin" ] ]
    }
  }
}

This means, to access this application the authenticated user must have a syncopeUserRoles attribute with the value of admin among the available attribute values and roles found from Apache Syncope.

Provisioning of External Accounts

When you are handing off the authentication task to an external identity provider, CAS may be then configured to extract user profiles from the identity provider’s response and provision those into target systems via Apache Syncope, allowing you optionally to link external/guest accounts with their equivalent found in the authentication source used by CAS, etc.

cas.authn.syncope.provisioning.enabled=true
cas.authn.syncope.provisioning.url=...
cas.authn.syncope.provisioning.realm=...
cas.authn.syncope.provisioning.basic-auth-username=...
cas.authn.syncope.provisioning.basic-auth-password=...

Self-service Account Sign-up

CAS provides a modest workflow to handle self-service account registration which allows users to sign up for accounts with CAS, provide details, activate their account, and begin using CAS. Such account registration requests may be sent to Apache Syncope for provisioning and follow-up processes.

cas.account-registration.provisioning.syncope.url=...
cas.account-registration.provisioning.syncope.basic-auth-username=...
cas.account-registration.provisioning.syncope.basic-auth-password=...

Need Help?

If you have questions about the contents and the topic of this blog post, or if you need additional guidance and support, feel free to send us a note and ask about consulting and support services.

So…

I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please feel free to engage and contribute as best as you can.

Happy Coding,

Misagh Moayyed