Running the Single Sign-On Enable Script

Unknown macro: {scrollbar}

Note: This script was tested on CAS 3.3.3, Spring Security 2.0.5, and CAS client 3.1.5.

While enabling single sign-on (SSO) via CAS in the platform is quite involved, Pentaho has created a script that handles most of the task of enabling SSO via CAS for you.

Warning: The SSO enable script modifies various files within a your Pentaho BI Platform installation. There is no "undo" script. Make backups first!

Requirements

Enterprise Edition only: This feature is not included in the Community Edition release.
Manual deployments only: You can only enable single sign-on by building the pentaho.war from the manual deployments package. SSO is not available through the BI Suite graphical installation utility, or through the pre-configured zip and tar.gz archive packages.

Apache Ant

The SSO enable script is an Apache Ant script. You will need to download and install Ant.

Locating the script

In your Pentaho download, you should have a directory called pentaho-sso. In this directory, you will find the main SSO enable script, along with support files. Below is a overview of those directories and files.

Name

Description

res

Various new resources required by the Pentaho BI Platform.

lib

New JARs required by the Pentaho BI Platform.

build-lib

JARs used during the SSO enable process.

sso-replacements.properties

A properties file containing settings which affect the script behavior.

sso-replacements.xml

The SSO enable script.

Configuring the script

CAS Settings

Most of these are CAS server URLs used by clients ("services" in CAS terminology) of the CAS server.

Property

Description

Required

Sample Value

cas.authn.provider

Security back-end that CAS should use. Valid values are memory, jdbc, hibernate*, or ldap

(tick)

ldap

cas.login.url

CAS login URL.

(tick)

${_cas.base.url}/login

cas.ticket.validator.url

CAS ticket validator URL.

(tick)

${_cas.base.url}

cas.logout.url

CAS logout URL. A service.logout.url will be appended to this URL.

(tick)

${_cas.base.url}/logout?url=

_cas.base.url

URL under which all CAS services reside.

 

{{

https://localhost:8443/cas

}}

* This is default security back-end for the Pentaho BI Server.

Pentaho Settings

These are "service" URLs that serve as callbacks from CAS server into Pentaho.

Property

Description

Required

Sample Value

pentaho.service.url

Processes CAS callback.

(tick)

${_pentaho.service.base.url}/j_spring_cas_security_check

pentaho.service.logout.url

URL to go to after CAS logout.

(tick)

${_pentaho.service.base.url}/index.jsp

pentaho.service.solutions.system.dir

Path to pentaho-solutions/system.

 

 

pentaho.service.lib.dir

Path to webapp lib directory.

 

 

pentaho.service.web.xml

Path (including filename) of webapp's web.xml.

 

 

pentaho.service.appctx.cas.xml

Path (including filename) of new applicationContext-spring-security-cas.xml.

 

 

pentaho.service.jsp.dir

Path to directory containing webapp's JSPs.

 

 

pentaho.service.spring.beans.xml

Path (including filename) of pentaho-spring-beans.xml.

 

 

_pentaho.service.base.url

Service base URL.

 

{{

http://localhost:8080/pentaho

}}

_pentaho.service.pentaho.war.dir

Webapp exploded WAR directory.

 

 

_pentaho.service.webinf.dir

Path to webapp's WEB-INF directory.

 

 

Running the script

Warning: The SSO enable script modifies various files within a your Pentaho BI Platform installation. There is no "undo" script. Make backups first!

There are plenty of Ant targets available in the SSO enable script. However, only a couple are appropriate to run directly. The table below outlines the callable targets.

Ant Target

Description

help

Default target. Displays help information.

sso-pentaho

Modifies the Pentaho BI Platform to use CAS for authentication.

To run the script:

Command Prompt

ant -f sso-replacements.xml sso-pentaho