Wednesday, July 24, 2013

Pentaho Single Sign On (SSO) using CAS (story)

I wrote in a previous post that passing the username and password as URL parameters to show the Pentaho report viewer is a bad thing. Why? That technique is obviously not secure, because anybody can read the username and password in clear text and use them to get any information from your Pentaho BI Server. So what if I want to integrate Pentaho into my application but don't want a double login: one login for my application and another login for Pentaho? We can use a technique called Single Sign On (SSO) so that ANY application can be accessed with only one login. I'm using this technique for developing +MaxLogistix: a low-cost cloud warehouse management system.

I have read these 2 articles as my reference:
  1. http://tecnologia.2020mobile.es/single-sign-on-sso-on-pentaho-community-edition-using-cas/
  2. http://blog.datamensional.com/2011/07/pentaho-sso-setup-using-cas-and-ldap/
Those articles are good and very informative, but... I found that they are not complete enough: some information missing from one of them is given in the other. So I followed the instructions in those articles and tried for myself which parts worked and which did not. The result is that I can finally log in to Pentaho using CAS.

So... is the problem solved? Sadly... not yet! There is one problem those articles have not solved. I can log in to Pentaho using CAS, and when I log out from Pentaho, CAS is also logged out, but.... Pentaho stays logged in even though I logged out from CAS. So the new problem I encountered is also SSO, not Single Sign ON but Single Sign OUT!

Well, then I spent about a month trying to figure out what was wrong with my configuration. I read the Pentaho forum, wiki, and any articles that explain SSO. I even tried replacing the spring-security library with a newer one, but it didn't work because the new spring-security library needs a new version of the spring library. And when I tried to replace the spring library in Pentaho with the new one, I learned that I would have to refactor and recompile ALL Pentaho modules against that new library. For me it was very frustrating and I almost gave up.

And suddenly I found the solution in these 2 articles provided by wiki.jasig.org itself (jasig.org is the organization that manages CAS development):
  1. https://wiki.jasig.org/display/CASC/Using+the+CAS+Client+3.1+with+Spring+Security
  2. https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out
The conclusion I got from those articles is... the CAS Single Sign Out Filter must come first in the filter chain to make Single Sign Out work properly. I will share a tutorial on how to use CAS to implement SSO in Pentaho.
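To show what "first in the filter chain" looks like in practice, here is an added example of the two configuration pieces involved. It is not code from this post, from Pentaho or from Jasig; it follows the Spring Security 2.0 FilterChainProxy style that the Pentaho BI Server of that era used, and every bean id and filter name in the chain (casProcessingFilter, logoutFilter and the rest) is an assumption chosen for illustration. The two Jasig classes named are the real ones documented in the "Configuring Single Sign Out" article linked above.

```xml
<!-- web.xml (illustrative): the listener that drops the ticket-to-session
     mapping when a session is destroyed, so stale entries are not kept. -->
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<!-- applicationContext-spring-security.xml (illustrative, Spring Security 2.0 style).
     The CAS client filter that handles the server's back-channel logout request. -->
<bean id="singleSignOutFilter"
      class="org.jasig.cas.client.session.SingleSignOutFilter"/>

<!-- Filter chain: singleSignOutFilter is listed FIRST, ahead of the session
     integration, logout and CAS authentication filters (assumed bean names). -->
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      <![CDATA[
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**=singleSignOutFilter,httpSessionContextIntegrationFilter,logoutFilter,casProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      ]]>
    </value>
  </property>
</bean>

<!-- The ordering that leaves Pentaho logged in after a CAS logout: the same
     chain with singleSignOutFilter appended at the end instead of the front.
     /**=httpSessionContextIntegrationFilter,logoutFilter,casProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor,singleSignOutFilter
-->
```

The order matters because of how CAS single sign out works: when the user logs out of CAS, the CAS server itself sends a logout request to every application that validated a ticket in that session, and that request carries no browser session cookie. SingleSignOutFilter has to see two things before anyone else: the original request containing the service ticket (so it can record which HTTP session that ticket belongs to) and the later back-channel logout request (so it can invalidate that session). If the session integration, logout or authentication filters run ahead of it, they treat the cookie-less logout request as an anonymous or unauthenticated call and the filter never gets to invalidate the Pentaho session, which is exactly the "still logged in" symptom described above. A quick check after changing the order is to log in through CAS, log out from the CAS server directly, and then reload the Pentaho console: it should redirect back to the CAS login page rather than show the authenticated session.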
