-
Notifications
You must be signed in to change notification settings - Fork 262
Interrupting a CAS Login Session (6.x or greater)
You can force any login that is made through CAS to be interrupted by PWM by using a "checkAll" method within PWM. If any "force" options are selected within PWM then these items will be checked and the user, before going on to their destination, will have to update their information.
CAS setup, ClearPass enabled and Interrupts enabled using groovy
https://apereo.github.io/cas/development/webflow/Webflow-Customization-Interrupt.html
CAS settings would look like
cas.interrupt.core.force-execution=true
cas.interrupt.core.trigger-mode=AFTER_SSO
cas.interrupt.groovy.location=file:/etc/cas/scripts/interrupt.groovy
PWM setup using CAS SSO for Login with ClearPass
Check PWM for a redirect whitelist under Settings > Security > Web Security > Redirect Whitelist
checkExpire - Checks password expiration only
checkResponses - Checks if security questions have been configured
checkProfile - Checks the user's profile with the defined settings in the Update Profile module
checkAll - Checks everything
In the script, adjust value for pwm_check and pwm_url as needed.
import org.apereo.cas.interrupt.InterruptResponse
import org.apereo.cas.web.support.*
import org.apereo.cas.util.*
def run(final Object... args) {
def principal = args[0]
def attributes = args[1]
def service = args[2]
def registeredService = args[3]
def requestContext = args[4]
def logger = args[5]
//Set below to true/false to enable/disable the script instead of changing cas.properties when it needs to be turned off
interrupt_enabled = true;
//Defaults
message = "";
redirect_to = [link1: ""];
block = false;
sso_enabled = true;
interrupt_flow = false;
auto_redirect = true;
if (interrupt_enabled) {
logger.debug("Interrupt: Feature is enabled, evaluating for actions");
logger.debug("Interrupt: Principal {}", principal.id);
logger.debug("Interrupt: Attributes {}", attributes);
logger.debug("Interrupt: Service {}", service);
logger.debug("Interrupt: Registered Service {}", registeredService);
if (registeredService) {
svc_ticket = WebUtils.getServiceTicketFromRequestScope(requestContext);
svc_location = WebUtils.getService(requestContext);
// checkExpire = Checks password expiration only
// checkResponses = Checks if security questions have been configured
// checkProfile = Checks the user's profile with the defined settings in the Update Profile module
// checkAll = Checks everything
pwm_check = "checkAll";
pwm_url = "https://pwm.domain.com/pwm/private/CommandServlet?processAction=" + pwm_check + "&forwardURL=" + svc_location + "&ticket=" + svc_ticket;
auto_redirect = true;
interrupt_flow = true;
redirect_to = [link1: pwm_url];
}
} else {
logger.debug("Interrupt: Feature is disabled, not evaluating for actions");
}
return new InterruptResponse(message: message, links: redirect_to, block: block, ssoEnabled: sso_enabled, interrupt: interrupt_flow, autoRedirect: auto_redirect);
}