Tutorial
CAS SSO
iManager supports CAS single sign-on. CAS (Central Authentication Service) is an open-source Java project launched by Yale University to build Web SSO. To configure single sign-on, you need to set up a CAS authentication server, which is responsible for verifying user identity information and can be configured in the configuration file.
CAS SSO Introduction
In a complete GIS system, many servers may work together, for example iPortal and multiple iServer nodes. Accessing these GIS service nodes requires frequent switching between products and nodes. Typically, the accounts of the various GIS server nodes are different, and it is very difficult to remember all these usernames and passwords. If you deliberately set the same password for these different GIS server nodes, security is further reduced. Moreover, frequently switching among nodes wastes time.
Single sign-on is designed to solve these problems. Here, single sign-on (SSO) refers to Web SSO.
Configure CAS SSO
After unzipping the iManager package, edit the docker-compose.yml configuration file in the root directory: add the following configuration information to the environment of imanager, and add the IP of the CAS host to the ALLOW_HOSTS environment of imanager-ui.
CAS_LOGIN_URL=http://demo.cubic.com:8088/cas/login
CAS_ROLE_ATTRIBUTES=role
CAS_PROTOCOL=SAML
CAS_ADMIN_ROLES=cas_SYSTEM
CAS_LOGIN_ENABLE=true
CAS_LOGOUT_URL=http://demo.cubic.com:8088/cas/logout
Note:
After adding the above configuration information (the values shown are examples), restart iManager and ensure that the time difference between the iManager host and the CAS host is within 3 minutes to enable CAS authentication login for iManager. If CAS login validation passes, the browser automatically jumps to the iManager interface.
- CAS_LOGIN_URL: The configured CAS server address. For example: http://demo.cubic.com:8088/cas/login.
- CAS_ROLE_ATTRIBUTES: The CAS user attribute field that carries the user's identity in CAS. It can be set by users, for example role.
- CAS_PROTOCOL: CAS authentication protocol. The default is SAML; unless you have a special requirement, changing it is not recommended. Supported protocols: CAS10, CAS20, CAS20_PROXY, CAS30, CAS30_PROXY and SAML.
- CAS_ADMIN_ROLES: If the value for “role” is cas_SYSTEM, the user has iManager administrator permissions; if the value of “role” is not cas_SYSTEM, then the user has normal user permissions for iManager. Here cas_SYSTEM is an example.
- CAS_LOGIN_ENABLE: Whether to enable CAS single sign-on; the default is False. When set to True, clicking the “Use CAS login” button jumps to the CAS login page.
- CAS_LOGOUT_URL: The configured CAS server address for logging out. For example: http://demo.cubic.com:8088/cas/logout.
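A pre-restart check of these settings, as an added example that is not part of iManager or of the original tutorial: it flags CAS URLs that are not HTTPS, an unsupported CAS_PROTOCOL, unset role settings, and a clock difference above the 3-minute limit. The function names, the findings wording and the use of the CAS host's HTTP Date header to estimate the time difference are assumptions of this example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

SUPPORTED = {"CAS10", "CAS20", "CAS20_PROXY", "CAS30", "CAS30_PROXY", "SAML"}
MAX_SKEW_SECONDS = 180  # 3 minutes; protocol list and limit are taken from this page

# Constructed sample: the example values shown on this page.
SAMPLE = """\
CAS_LOGIN_URL=http://demo.cubic.com:8088/cas/login
CAS_ROLE_ATTRIBUTES=role
CAS_PROTOCOL=SAML
CAS_ADMIN_ROLES=cas_SYSTEM
CAS_LOGIN_ENABLE=true
CAS_LOGOUT_URL=http://demo.cubic.com:8088/cas/logout
"""

def parse_env(text):
    """Parse KEY=VALUE lines (optionally written as YAML list items)."""
    env = {}
    for line in text.splitlines():
        line = line.strip().lstrip("-").strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def audit_cas_env(env, cas_date_header=None, now=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for key in ("CAS_LOGIN_URL", "CAS_LOGOUT_URL"):
        url = urlparse(env.get(key, ""))
        if not url.hostname:
            findings.append(f"{key}: missing or not a URL")
        elif url.scheme != "https":
            findings.append(f"{key}: {url.scheme} sends credentials and tickets unencrypted")
    if env.get("CAS_PROTOCOL", "SAML") not in SUPPORTED:
        findings.append("CAS_PROTOCOL: not one of the supported protocols")
    if env.get("CAS_LOGIN_ENABLE", "false").lower() not in ("true", "false"):
        findings.append("CAS_LOGIN_ENABLE: expected true or false")
    for key in ("CAS_ROLE_ATTRIBUTES", "CAS_ADMIN_ROLES"):
        if not env.get(key):
            findings.append(f"{key}: not set")
    if cas_date_header:  # Date header from any HTTP response of the CAS host
        now = now or datetime.now(timezone.utc)
        skew = abs((now - parsedate_to_datetime(cas_date_header)).total_seconds())
        if skew > MAX_SKEW_SECONDS:
            findings.append(f"clock skew {skew:.0f}s exceeds {MAX_SKEW_SECONDS}s")
    return findings
```

Run against the page's example values, audit_cas_env(parse_env(SAMPLE)) reports both CAS URLs because they use http.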
Use CAS SSO
When you start iManager again, the login page will display the “Use CAS Login” button as shown in the figure.
Click the “Use CAS Login” button to open the CAS login page, then enter a username and password to log in to the iManager interface.