Auth via Apereo CAS 5.3

#1

Description

Has anyone successfully configured their Rocket Chat instance to authenticate via an instance of Apereo CAS 5.x? Via the CAS protocol, or the SAML protocol?

I’ve tried both. Configuring the CAS 2.0 options in RC allows me to authenticate just fine, but it doesn’t seem to be able to read the attributes our cas server sends. I can’t get the email or name fields filled out.

Specifically, on the RC CAS settings page, in the Attribute Handling section, I tried {"email":"%mail%"} in the Attribute Map field. mail is the name of the attribute CAS returns containing the user's email. I've configured this in other applications.

We also have SAML configured on our cas server for other applications. So I thought I’d see if I could get things working via that protocol. Unfortunately my attempts at configuring RC to use it have failed.
Apereo’s docs allowed me to guess at what values to put in RC’s configuration.

On CAS, I named the service testrocketchat. So, for the Custom Entry Point field, https://casserver/cas/idp/profile/SAML2/Unsolicited/SSO?providerId='testrocketchat' seems closest to being the correct value. Unfortunately CAS keeps saying that the application is not authorized to use CAS. (It is, I have authenticated via CAS.)

If I left off the ?providerId='testrocketchat' part, CAS would display an error about providerId being missing.

I also tried ?providerId='https://testrocketchat.example.org', ?providerId='testrocketchat.example.org' and ?providerId=NN (where NN is what I think is the CAS server's internal id number for the Rocket Chat service). All resulted in the 'not authorized' error.

Server Setup Information

  • Version of Rocket.Chat Server: 1.0.2
  • Operating System: Ubuntu 18.04
  • Deployment Method: docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog: Enabled via docker-compose file. services.rocketchat_app.command: mongod --smallfiles --replSet rs01 --oplogSize 1024
  • NodeJS Version: Whatever is in docker.
  • MongoDB Version: Whatever is in docker.
  • Proxy: Apache 2.4
  • Firewalls involved: FirewallD configured to allow https on the CAS vm, and on the Rocket.Chat vm.

Any additional Information

  • Initial docker-compose config was pulled from rocket.chat/docs/installation/docker-containers/
  • Followed rocket.chat/docs/installation/manual-installation/mongo-replicas/ due to “OPLOG / REPLICASET IS REQUIRED” error message when starting the app.
  • Configured Apache following rocket.chat/docs/installation/manual-installation/configuring-ssl-reverse-proxy/
  • DNS for testrocketchat.example.org is not configured. I set it up in my laptop's /etc/hosts file.
  • The test instance is on a vm that is not available from outside our internal network.
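The attribute-map problem in the post comes down to two things: whether the CAS validation response actually carries a cas:attributes block, and how a template such as %mail% is resolved against it. The following is an added illustration, not Rocket.Chat's own code or Apereo's: it parses two constructed serviceValidate responses (one with attributes released, one without) and applies a map in the {"email":"%mail%"} style, leaving a field unset when its attribute is absent, which is exactly the symptom described above. Attribute names (mail, displayName) and the placeholder syntax are assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample: a validation response in which the server releases attributes.
RESPONSE_WITH_ATTRS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.org</cas:mail>
      <cas:displayName>Jane Doe</cas:displayName>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: same user, but the server released no attributes at all.
RESPONSE_NO_ATTRS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""


def parse_validate_response(xml_text):
    """Return (username, {attribute: value}); raise if the ticket validation failed."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code") if failure is not None else "unknown"
        raise ValueError("CAS validation failed: %s" % code)
    user = success.findtext("cas:user", namespaces=CAS_NS)
    attrs = {}
    block = success.find("cas:attributes", CAS_NS)
    if block is not None:  # absent when the server releases nothing
        for el in block:
            name = el.tag.split("}", 1)[1]  # strip the XML namespace prefix
            attrs[name] = (el.text or "").strip()
    return user, attrs


def apply_attribute_map(attr_map, attrs):
    """Resolve %name% placeholders (assumed syntax); skip fields with a missing attribute."""
    resolved = {}
    for field, template in attr_map.items():
        names = re.findall(r"%([^%]+)%", template)
        if names and all(n in attrs for n in names):
            value = template
            for n in names:
                value = value.replace("%" + n + "%", attrs[n])
            resolved[field] = value
    return resolved
```

A quick check against a live server is to fetch the validation URL for a freshly issued ticket and confirm the cas:attributes block is present; if it is missing, no attribute map on the client side can fill the email or name fields.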