Hi,
We have some issues configuring Bonita with CAS under Tomcat.
We are trying to follow this doc: http://documentation.bonitasoft.com/single-sign-cas
Can someone be more explicit about the different service URLs located in the doc?
…
service=“http://ip_address:port/loginservice”
…
authentication.delegate.cas.service.url=http://ip_address:port/bonita/loginservice
…
Cas.bonitaServiceURL = http://ip_address:port/bonita/loginservice
…
We had the navigator being stopped with this kind of URL:
…%2Fbonita%2Fportal%2Fhomepage%3Fticket%3DST-124430-SX6Oilrlm5a436ogVgnH-cas1%2CST-124439-9xehQsLzPLCvGp0OVPXH-cas1%2CST-124449-UvhDsaQoc0dvpUA25Sss-cas1%2CST-124457-4SZxOa1dH5V4pZRGxJF2-cas1%2CST-124463-dbm6m4gu2v4YcVsg49T7-cas1%2CST-124471-wMl7LgezBBtKMcGSzvCY-cas1%2CST-124482-oA2Fe2wdtf147G0g6LUG-cas1
It should have only one CAS ticket and we don’t understand why we got all these tickets (and of course we don’t succeed in going into the Bonita portal).
Here are the logs:
INFO: Platform started successfully
27 mai 2014 16:53:54 org.bonitasoft.engine.EngineInitializer initializeEngine
INFO: Initialization of Bonita Engine done! ( took 23521ms)
27 mai 2014 16:53:55 org.apache.catalina.startup.HostConfig deployDirectory
INFO: Déploiement du répertoire ROOT de l’application web
27 mai 2014 16:53:55 org.apache.coyote.http11.Http11Protocol start
INFO: Démarrage de Coyote HTTP/1.1 sur http-20270
27 mai 2014 16:53:55 org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:20279
27 mai 2014 16:53:55 org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/15 config=null
27 mai 2014 16:53:55 org.apache.catalina.startup.Catalina start
INFO: Server startup in 27849 ms
27 mai 2014 16:54:10 org.bonitasoft.console.common.server.login.datastore.LoginDatastore login
GRAVE: Error while logging in on the engine API.
27 mai 2014 16:54:13 org.bonitasoft.console.common.server.login.datastore.LoginDatastore login
GRAVE: Error while logging in on the engine API.
27 mai 2014 16:54:16 org.bonitasoft.console.common.server.login.datastore.LoginDatastore login
GRAVE: Error while logging in on the engine API.
27 mai 2014 16:54:20 org.bonitasoft.console.common.server.login.datastore.LoginDatastore login
GRAVE: Error while logging in on the engine API.
27 mai 2014 16:54:23 org.bonitasoft.console.common.server.login.datastore.LoginDatastore login
GRAVE: Error while logging in on the engine API.
As I explained to Delphine, we have succeeded in configuring SSO CAS with Bonita.
There were 2 mistakes, according to us, in the given documentation.
Hello, what is your edition of Bonita? SSO is not available by default with the Community edition. You might have to change some code in the authentication files.
Hello,
we are in the 6.3 SP version, not the Community one.
You are kind… but you haven’t read my topic… I’ve said that we are trying to follow this doc…
Sorry… You have an SP version, do you have access to Bonitasoft technical support? I will ping them about this issue.
Yes, I have tried… but they have no response… just that it is not a Bonita problem.
Hello, our Support team will take your issue into consideration. Could you please open a new case on that issue?
Hi Romain,
You may be right about the fact that the URLs you’re asking about are a bit confusing, since they should point to the same URL (the Bonita web application entry point). But each one of these is used by services that do not know each other:
- service=“http://ip_address:port/loginservice” is in the JAAS configuration and is not visible outside JAAS
- authentication.delegate.cas.service.url=http://ip_address:port/bonita/loginservice is used in the CAS authenticator delegate to provide a service to the authentication (see CAS protocol for more information) when the anonymous user is required on the platform (may not be your case since it will be Bonita platform that will handle authentication process with the CAS server directly)
- Cas.bonitaServiceURL = http://ip_address:port/bonita/loginservice is used by the web component. It is sent in the redirection to CAS when authentication has failed. However, in general, it uses the current Bonita URL as the CAS service to authenticate.
About the several tickets in the URL, it may happen if you try to log in several times to Bonita via CAS and it works in CAS but fails in Bonita: the first time, you are redirected to CAS with a Bonita URL that does not have any ticket, you log in successfully to CAS and are redirected to Bonita, but Bonita fails to check the ticket. It redirects you to the CAS server with the current URL as the service, which now contains a ticket. You, once more, log in successfully to CAS and are redirected to the Bonita service URL (that contained the former ticket) with a new ticket, Bonita fails to authenticate the ticket, etc… Thus, it should not happen if there is no error on the Bonita ticket check. So we need to see what happens there.
I think the first thing to do would be to change the log level to FINE in order to see the details of the failed authentication on the Bonita server.
The support team will be following up this issue from now on. They will come back to you once the ticket is created and we will help you from there.
Regards
Could you please share the mistakes with the Community ?
To make our SSO CAS work with Bonita, we have noticed that:
- the CAS jar has to be copied under webapps/bonita/WEB-INF/lib and not tomcat/lib
- this file has to be modified: bonita-home/server/tenants/1/conf/bonita-server.properties, and not this one: bonita-home/server/platform/tenant-template/conf/bonita-server.properties
Thank you very much Romain, we will inform our doc team.
However, the SSO doesn’t work when we try to access the process directly through a URL.
Hello romain,
Can you put a link to the url you are using to access your process?
Hi mehdi,
it is something like: https://xxxxx.fr/bonita/portal/homepage?locale=fr&ui=form#form=DEMUL--2.0$entry&process=6814683604632302020&mode=form
The first time, nothing happens after the CAS login, and the second time you launch it, it works.
I just need, as you understand, to have access on the first attempt!
For your information our documentation has been updated according to Romain’s inputs. Thank you Romain for your contribution.
Hi romain,
The thing to know is that we are using the URL fragment identifier (the # part of the URL) to hold the state of where you are in the bonita portal.
This fragment identifier is kind of special because it is held strictly on the client side (in the browser).
When you use the CAS protocol, the application relying on CAS needs to validate authentication with a ticket that the CAS server provides when the user is CAS-authenticated.
Thus, like I said in my long comment above, when you haven’t got any session locally in Bonita, it sends you to the CAS app for you to obtain a ticket.
When doing this redirection, which is managed server-side and does not have the fragment identifier information, you therefore lose it… and when you obtain the ticket and are redirected to Bonita, you can’t have it back.
If you already have a bonita session, you are not redirected to CAS and therefore you do not lose this fragment identifier and can go directly to the Form you wanted to access.
You cannot currently go to the form at first attempt when you’re not logged in. It is a limitation we have come to when implementing this feature…
Regards
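As an added illustration (not code from Bonita or from anyone in this thread) of the two behaviours Julien describes, the ticket pile-up when the current URL, ticket included, is reused as the CAS service, and the loss of the # fragment that never reaches the server, here is a small Python model. It assumes a CAS server at cas.example.org and a Bonita host at bonita.example.org, both constructed names.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote, unquote

CAS_LOGIN = "https://cas.example.org/cas/login"  # constructed CAS server URL


def server_visible(url):
    """The browser never sends the #fragment to the server, so any
    server-side redirect can only be built from the URL without it."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def cas_redirect_naive(current_url):
    """Bug pattern: reuse the current URL as-is (stale ticket included)
    as the CAS service parameter."""
    return f"{CAS_LOGIN}?service={quote(server_visible(current_url), safe='')}"


def cas_redirect_fixed(current_url):
    """Strip any previous ticket before using the URL as the CAS service,
    so a failed validation cannot accumulate tickets across rounds."""
    p = urlsplit(server_visible(current_url))
    q = [(k, v) for k, v in parse_qsl(p.query) if k != "ticket"]
    clean = urlunsplit((p.scheme, p.netloc, p.path, urlencode(q), ""))
    return f"{CAS_LOGIN}?service={quote(clean, safe='')}"


def simulate_failed_logins(redirect_fn, start_url, attempts):
    """Model the loop from the thread: Bonita redirects to CAS, CAS sends the
    browser back to service?ticket=ST-..., Bonita fails to validate, repeat.
    Returns every 'ticket' value present on the URL after the last round."""
    url = start_url
    for n in range(1, attempts + 1):
        login_url = redirect_fn(url)
        service = unquote(login_url.split("service=", 1)[1])
        sep = "&" if urlsplit(service).query else "?"
        url = f"{service}{sep}ticket=ST-{n}-constructed-cas1"  # constructed ticket
    return [v for k, v in parse_qsl(urlsplit(url).query) if k == "ticket"]


# Constructed deep link of the shape shown in the thread: the form/process
# lives in the fragment, which the server never sees.
DEEP_LINK = ("https://bonita.example.org/bonita/portal/homepage?locale=fr&ui=form"
             "#form=DEMUL--2.0$entry&process=6814683604632302020&mode=form")

if __name__ == "__main__":
    print(simulate_failed_logins(cas_redirect_naive, DEEP_LINK, 3))  # 3 tickets
    print(simulate_failed_logins(cas_redirect_fixed, DEEP_LINK, 3))  # 1 ticket
    print(cas_redirect_fixed(DEEP_LINK))  # no 'process=' survives the redirect
```

Whichever redirect variant is used, the fragment is already gone by the time the service URL is built, which is exactly why the first, unauthenticated attempt cannot land on the form.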
Hi Julien,
Thanks for your response, even if it wasn’t what I expected.
To put it in a nutshell, we can’t currently use direct URL with CAS. What a pity…
Regards,