Chapter 9. Advanced Setup options

Table of Contents

9.1. Using External Authentication
9.1.1. How External Authentication works
9.1.2. Important: The AuditConsole User Database
9.2. Authentication with OpenID and Google Accounts
9.2.1. Enabling OpenID/Google SSO in the AuditConsole
9.2.2. Setting the OpenID/Google ID for a User
9.3. Setup Single-Sign-ON with CAS
9.3.1. How CAS works
9.3.2. Preparing the CAS Setup
9.3.3. Setting up the AuditConsole with CAS

This section documents some more advanced setup features, such as using external authentication services (currently only CAS). The main benefits of external authentication are:

  1. Integration with existing authentication services in your environment
  2. Single-Sign-on solutions, e.g. with CAS
  3. Integration of backend authentication (LDAP, RADIUS, X.509 Client certificates,...) supported by CAS

9.1. Using External Authentication

The AuditConsole is based on the well-known Spring framework and makes use of many of the Spring Security features. This allows the use of external authentication methods such as CAS or OpenID.

In this section we explain how to set up the AuditConsole for use with an external authentication method.

9.1.1. How External Authentication works

It is important to understand how external authentication works within the AuditConsole. The following figure outlines the basic concept, using CAS (Central Authentication Service) as the example.

The outline is roughly as follows (CAS is a bit more complex, see the CAS section for details):

  1. A user accesses the AuditConsole with a non-authenticated request
  2. The user is redirected to the CAS login server
  3. After the user logs in to CAS, the CAS server issues a ticket for the username
  4. The AuditConsole validates the ticket and loads the authenticated user from its user database

For OpenID authentication things work quite similarly. Instead of redirecting, the login form simply asks for a username and password and authenticates them via OpenID. This returns an authenticated OpenID property, which is used to fetch the authenticated user from the AuditConsole user database.

9.1.2. Important: The AuditConsole User Database

An important point about external authentication is that CAS and OpenID are authentication systems only, which means that they do not provide user management themselves. The authenticated user therefore has to exist in the AuditConsole database beforehand. The AuditConsole will not accept CAS-authenticated users for whom no account exists in the AuditConsole.
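The following is an added illustration of the four-step CAS flow from Section 9.1.1 together with the user-database rule stated above. It is a self-contained simulation written for this page, not AuditConsole or Spring Security code. The CAS server, the "ST-" ticket format, the host names (cas.example.test, console.example.test), the sample users and the ROLE_ADMIN role name are all constructed for the example. It shows that a successful CAS login is not enough on its own: the console separately checks that the principal exists in its own user table, rejects tickets that are replayed, and rejects tickets issued for a different service URL.

```python
"""Simulation of the CAS-style login flow described in Chapter 9.

Added example; not AuditConsole or Spring Security code. The CAS server,
ticket format, users and roles are constructed for illustration.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class CasServer:
    """Stand-in for the CAS login server (steps 2 and 3): it authenticates
    people and issues single-use service tickets bound to one service URL."""
    credentials: dict                         # username -> password (constructed)
    _tickets: dict = field(default_factory=dict)  # ticket -> (username, service)

    def login(self, username, password, service):
        """Step 3: on a correct password, issue a ticket for this username."""
        if self.credentials.get(username) != password:
            return None
        ticket = "ST-" + secrets.token_hex(8)     # "ST-" prefix assumed for the example
        self._tickets[ticket] = (username, service)
        return ticket

    def validate(self, ticket, service):
        """Step 4a: a ticket is accepted once, and only for the service it was
        issued for. Returns the username, or None if the ticket is rejected."""
        entry = self._tickets.pop(ticket, None)   # pop -> replay is refused
        if entry is None:
            return None
        username, issued_for = entry
        return username if issued_for == service else None


@dataclass
class AuditConsole:
    """Stand-in for the application: it trusts CAS for authentication but keeps
    its own user database, exactly as Section 9.1.2 requires."""
    cas: CasServer
    service_url: str
    users: dict                               # username -> roles; must exist beforehand

    def handle_request(self, ticket=None):
        """Steps 1, 2 and 4 of the flow for one incoming request."""
        if ticket is None:
            # Steps 1/2: unauthenticated request -> redirect to the CAS login page
            return ("redirect", f"https://cas.example.test/login?service={self.service_url}")
        # Step 4a: let the CAS server validate the ticket
        username = self.cas.validate(ticket, self.service_url)
        if username is None:
            return ("denied", "invalid, replayed or foreign ticket")
        # Step 4b: the principal must already have an account in the local database
        roles = self.users.get(username)
        if roles is None:
            return ("denied", f"no AuditConsole account for {username}")
        return ("ok", (username, roles))


def demo():
    """Run the flow for several constructed cases and return the outcomes."""
    cas = CasServer(credentials={"alice": "pw-alice", "bob": "pw-bob"})
    console = AuditConsole(cas=cas,
                           service_url="https://console.example.test/",
                           users={"alice": ["ROLE_ADMIN"]})   # only alice has an account
    results = {}
    results["unauthenticated"] = console.handle_request()[0]
    # alice: valid CAS login and a local account -> accepted with her roles
    t_alice = cas.login("alice", "pw-alice", console.service_url)
    results["alice"] = console.handle_request(t_alice)
    # presenting the same ticket a second time -> denied
    results["replay"] = console.handle_request(t_alice)[0]
    # bob: CAS accepts his password, but he has no AuditConsole account -> denied
    t_bob = cas.login("bob", "pw-bob", console.service_url)
    results["bob"] = console.handle_request(t_bob)[0]
    # a ticket issued for another service URL -> denied at validation
    t_other = cas.login("alice", "pw-alice", "https://other.example.test/")
    results["wrong_service"] = console.handle_request(t_other)[0]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} -> {outcome}")
```

The "bob" case is the situation Section 9.1.2 warns about: the identity provider is satisfied, but the console still refuses the login because account provisioning is the console's job, not CAS's. Creating the account in the AuditConsole first is therefore a required step of any CAS or OpenID rollout.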