SSO CAS Configuration Bonita
Hi,
Hi,
We have some issues about configure Bonita with CAS under tomcat.
We are trying to follow this doc : http://documentation.bonitasoft.com/single-sign-cas
Can someone be more explicite about the different service URL located in the doc ? ... service="http://ip_address:port/loginservice" ... authentication.delegate.cas.service.url=http://ip_address:port/bonita/loginservice .... Cas.bonitaServiceURL = http://ip_address:port/bonita/loginservice ....
We had the navigator being stopped with this kind or URL : ....%2Fbonita%2Fportal%2Fhomepage%3Fticket%3DST-124430-SX6Oilrlm5a436ogVgnH-cas1%2CST-124439-9xehQsLzPLCvGp0OVPXH-cas1%2CST-124449-UvhDsaQoc0dvpUA25Sss-cas1%2CST-124457-4SZxOa1dH5V4pZRGxJF2-cas1%2CST-124463-dbm6m4gu2v4YcVsg49T7-cas1%2CST-124471-wMl7LgezBBtKMcGSzvCY-cas1%2CST-124482-oA2Fe2wdtf147G0g6LUG-cas1
It had to have only one cas ticket and we don't understand why we got all these tickets (and of course we don't succeed in going into Bonita portal)
Here are the logs : INFO: Platform started successfully 27 mai 2014 16:53:54 org.bonitasoft.engine.EngineInitializer initializeEngine INFO: Initialization of Bonita Engine done! ( took 23521ms) 27 mai 2014 16:53:55 org.apache.catalina.startup.HostConfig deployDirectory INFO: Déploiement du répertoire ROOT de l'application web 27 mai 2014 16:53:55 org.apache.coyote.http11.Http11Protocol start INFO: Démarrage de Coyote HTTP/1.1 sur http-20270 27 mai 2014 16:53:55 org.apache.jk.common.ChannelSocket init INFO: JK: ajp13 listening on /0.0.0.0:20279 27 mai 2014 16:53:55 org.apache.jk.server.JkMain start INFO: Jk running ID=0 time=0/15 config=null 27 mai 2014 16:53:55 org.apache.catalina.startup.Catalina start INFO: Server startup in 27849 ms 27 mai 2014 16:54:10 org.bonitasoft.console.common.server.login.datastore.LoginDatastore login GRAVE: Error while logging in on the engine API. 27 mai 2014 16:54:13 org.bonitasoft.console.common.server.login.datastore.LoginDatastore login GRAVE: Error while logging in on the engine API. 27 mai 2014 16:54:16 org.bonitasoft.console.common.server.login.datastore.LoginDatastore login GRAVE: Error while logging in on the engine API. 27 mai 2014 16:54:20 org.bonitasoft.console.common.server.login.datastore.LoginDatastore login GRAVE: Error while logging in on the engine API. 27 mai 2014 16:54:23 org.bonitasoft.console.common.server.login.datastore.LoginDatastore login GRAVE: Error while logging in on the engine API.
As I explain to Delphine, we have succeded in configuring SSO CAS with Bonita. There were 2 mistaken according to us in the given documentation.
Comments
Could you please share the mistakes with the Community ?
Thank you very much Romain, we will inform our doc team.
Hello romain,
Can you put a link to the url you are using to access your process?
For your information our documentation has been updated according to Romain's inputs. Thank you Romain for your contribution.
Hi romain,
The thing to know is that we are using the URL fragment identifier (the # part of the URL) to hold the state of where you are in the bonita portal. This fragment identifier is kind of special because it is held strictly on the client side (in the browser).
When you use the CAS protocol, the application relying on CAS needs to validate authentication with a ticket that the CAS server provide when the user is CAS-authenticated.
Thus, like I said in my long comment above, when you haven't got any session locally in bonita, it sends you to the CAS app for you to obtain a ticket. When doing this redirection, which is managed server-side and that do not have the fragment identifier information, you therefore lose it... and when you obtain the ticket and be redirected to bonita, can't have it back.
If you already have a bonita session, you are not redirected to CAS and therefore you do not lose this fragment identifier and can go directly to the Form you wanted to access.
You cannot currently go to the form at first attempt when you're not logged in. It is a limitation we have come to when implementing this feature...
Regards
Comments
Hello, what is your edition of Bonita ? SSO is not available per default with the Community edition. You light have to change some code in the authentication files.
Hello, we are in 6.3 SP version, not community one.
You are kind...but you don't have read my topic...Iv' said that we are trying to follow this doc....
Sorry... You have a SP version, do you have access to Bonitasoft technical support ? I will ping them about this issue.
Yes I have tried...but they have no response....just it is not Bonita problem
Hello, our Support team will take your issue into consideration. Could you please open a new case on that issue?
Hi Romain,
You may be right about the fact that the URL your asking about are a bit confusing since they should point to the same URL (the bonita web application entry point). But each one of theses are used by services that do not know each other:
About the several tickets in the URL, it may happen if you try to login several times to bonita via CAS and that works in CAS but fails in Bonita : the first time, you are redirected to CAS with a bonita URL that does not have any ticket, you login successfully to CAS and are redirected to Bonita but Bonita fails to check the ticket. It redirects you to the CAS server with the current URL as the service which now contains a ticket. You, once more, login successfully to CAS and are redirected to the bonita service URL (that contained the former ticket) with a new ticket, Bonita fails to authenticate the ticket, etc... Thus, it should not happen if there is no error on the Bonita ticket check. So we need to see what happens there.
I think the first thing to do would be change the log level to FINE in order to see the details of the failed authentication on the bonita server.
The support team will be following up this issue from now on. They will come back to you once the ticket will be created and we will help you from there.
Regards