Skip to content

Interrupting a CAS Login Session (6.x or greater)

Jason A. Everling edited this page Jun 28, 2023 · 6 revisions

You can force any login that is made through CAS to be interrupted by PWM by using a "checkAll" method within PWM. If any "force" options are selected within PWM then these items will be checked and the user, before going on to their destination, will have to update their information.

Requirements:

CAS setup, ClearPass enabled and Interrupts enabled using groovy
https://apereo.github.io/cas/development/webflow/Webflow-Customization-Interrupt.html

CAS settings would look like

cas.interrupt.core.force-execution=true
cas.interrupt.core.trigger-mode=AFTER_SSO
cas.interrupt.groovy.location=file:/etc/cas/scripts/interrupt.groovy

PWM setup using CAS SSO for Login with ClearPass

Info:

Check PWM for a redirect whitelist under Settings > Security > Web Security > Redirect Whitelist

Commands for check action.

checkExpire - Checks password expiration only
checkResponses - Checks if security questions have been configured
checkProfile - Checks the user's profile with the defined settings in the Update Profile module
checkAll - Checks everything

Create a new groovy script, named interrupt.groovy for example

In the script, adjust value for pwm_check and pwm_url as needed.

import org.apereo.cas.interrupt.InterruptResponse
import org.apereo.cas.web.support.*
import org.apereo.cas.util.*

def run(final Object... args) {
    def principal = args[0]
    def attributes = args[1]
    def service = args[2]
    def registeredService = args[3]
    def requestContext = args[4]
    def logger = args[5]
        
    //Set below to true/false to enable/disable the script instead of changing cas.properties when it needs to be turned off
    interrupt_enabled = true;

    //Defaults
    message = "";
    redirect_to = [link1: ""];
    block = false;
    sso_enabled = true;
    interrupt_flow = false;
    auto_redirect = true;
    
    if (interrupt_enabled) {
        logger.debug("Interrupt: Feature is enabled, evaluating for actions");
        logger.debug("Interrupt: Principal {}", principal.id);
        logger.debug("Interrupt: Attributes {}", attributes);
        logger.debug("Interrupt: Service {}", service);
        logger.debug("Interrupt: Registered Service {}", registeredService);

        if (registeredService) {
            svc_ticket = WebUtils.getServiceTicketFromRequestScope(requestContext);
            svc_location = WebUtils.getService(requestContext);
            
            // checkExpire = Checks password expiration only
            // checkResponses = Checks if security questions have been configured
            // checkProfile = Checks the user's profile with the defined settings in the Update Profile module
            // checkAll = Checks everything
            pwm_check = "checkAll";
            pwm_url = "https://pwm.domain.com/pwm/private/CommandServlet?processAction=" + pwm_check + "&forwardURL=" + svc_location + "&ticket=" + svc_ticket;
            
            auto_redirect = true;
            interrupt_flow = true;
            redirect_to = [link1: pwm_url];
        }
    } else {
        logger.debug("Interrupt: Feature is disabled, not evaluating for actions");
    }
    return new InterruptResponse(message: message, links: redirect_to, block: block, ssoEnabled: sso_enabled, interrupt: interrupt_flow, autoRedirect: auto_redirect);

}    

Clone this wiki locally