Documentation for Web Help Desk

Deploy SSO with CAS 2.0

The Central Authentication Service (CAS) is a single sign-on (SSO) protocol that enables a user to access multiple applications using one set of credentials. This protocol works in conjunction with the CAS server, which handles all the user connections to your Microsoft Exchange and LDAP servers.

Configuration differs based on the version of WHD you are using:

See the following sections:

Deploy CAS in WHD 2026.1 and earlier

Step 1: Deploy CAS Server on Apache Tomcat

Before you deploy single sign-on with CAS 2.0 in your Web Help Desk deployment, configure the CAS module for LDAP and Active Directory communications.

Download 7-Zip

The 7-Zip utility is a free open source file archiving utility you can use to complete this procedure.

  1. Navigate to the 7-zip website located at:

    https://www.7-zip.org

  2. Download and install the 7-Zip archive utility on your system.

Download the CAS Server file

  1. Navigate to the Apereo website located at:

    https://github.com/apereo/cas/releases?after=v3.5.2

  2. Click v3.5.1.

  3. Scroll down and click cas-server-3.5.1-release.zip to download the ZIP file.

  4. Extract the contents of the ZIP file to a local directory.

  5. Open the cas-server-3.5.1 directory and click modules.

  6. Copy the cas-server-webapp-3.5.1.war file to your local directory.

Edit the WAR file

  1. Download the deployerConfigContext.txt file from the SolarWinds Documentation website and save the file to your local directory.

  2. Open the file in a text editor such as Notepad, and copy the content to your clipboard.

  3. Right-click the cas-server-webapp-3.5.1.war file and select 7-Zip > Open Archive.

  4. Double-click the WEB-INF directory.

    The directory opens.

  5. In the archive, right-click the deployerConfigContext.xml file and select Edit.

  6. Paste the content in the archive file, overwriting the existing content.

  7. In the updated deployerConfigContext.xml file, update the file variables for your deployment.

    1. Locate the following parameter. If you are using an SSL connection, use ldaps:// in the path.

      <property name="url" value="ldap://127.0.0.1:389" /> 
      
    2. Replace the value variable with the IP address of your LDAP server.

    3. Locate the following parameter:

      <property name="userDn" value="ldap_admin@yourdomain.com" />
    4. Replace the value variable with the email address of your LDAP administrator.

    5. Locate the following parameter:

      <property name="password" value="ldap_admin_password" />
    6. Replace the value variable with your LDAP admin password.

    7. Locate the following parameter:

      p:filter="sAMAccountName=%u" p:searchBase="DC=yourdomain,DC=com"
    8. Ensure that the LDAP p:filter search filter matches your LDAP configuration settings.

    9. Replace the p:searchBase variable with your domain settings.

    10. Save and close the file.

  8. Download the cas.properties.txt file from the SolarWinds Documentation website and save the file to your local directory.

  9. Open the cas.properties.txt file in Notepad and copy the content to your clipboard.

  10. In 7-zip, right-click cas.properties and select Edit.

  11. Paste the content to the cas.properties file in 7-Zip, overwriting the existing content.

  12. In the updated cas.properties file, update the file variables for your deployment.

    1. At the top of the file, locate the following parameter:

      server.name=http://localhost:8080
    2. Replace the server.name variable with the Web Help Desk server address. For example:

      http://whd.example.com

    3. Under # Unique CAS node name, locate the following parameter:

      host.name=cas01.yourdomain.com
    4. Replace yourdomain.com with your domain name.

      The host.name parameter is used to generate unique service ticket IDs and SAML artifacts. This is usually set to the specific hostname of the machine running the CAS node. However, it could be any label as long as it is unique in the cluster.

    5. Save and close the file.

      Leave the 7-Zip archive open.

Download and apply the dependencies

  1. Navigate to the following links and download the corresponding dependency files in JAR format to your local directory.

    | Dependency file | Download URL |
    | --- | --- |
    | cas-server-support-ldap-3.5.2.jar | https://mvnrepository.com/artifact/org.jasig.cas/cas-server-support-ldap/3.5.2 |
    | commons-pool-1.6.jar | https://mvnrepository.com/artifact/commons-pool/commons-pool/1.6 |
    | ldaptive-1.0.5.jar | https://mvnrepository.com/artifact/org.ldaptive/ldaptive/1.0.5 |
    | spring-ldap-1.3.1.RELEASE-all.jar (this file must be unzipped) | http://www.java2s.com/Code/JarDownload/spring-ldap/spring-ldap-1.3.1.RELEASE-all.jar.zip |

  2. Drag all downloaded dependencies to the archive directory.

  3. All new and modified files are displayed in the 7-Zip archive directory.

  4. Extract the files to a separate directory.

  5. Select all files.

  6. Right-click and select 7-Zip > Add to archive.

  7. In the Archive name field, enter cas.war and save the archive.

    The archive is displayed in the directory.

  8. Close 7-Zip.
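A pre-deployment check for the repackaged cas.war, covering the edits from Edit the WAR file and the re-archiving steps above. This is an added example, not SolarWinds or Apereo code; it assumes both configuration files sit under WEB-INF/ and uses constructed in-memory archives as samples.

```python
import io
import zipfile

# Template values quoted in the steps above; finding one means it was not edited.
TEMPLATE_VALUES = [
    'value="ldap://127.0.0.1:389"',
    'value="ldap_admin@yourdomain.com"',
    'value="ldap_admin_password"',
    'p:searchBase="DC=yourdomain,DC=com"',
    "server.name=http://localhost:8080",
    "host.name=cas01.yourdomain.com",
]
CONFIG_FILES = ("WEB-INF/deployerConfigContext.xml", "WEB-INF/cas.properties")


def audit_war(war_bytes):
    """Return (file, finding) pairs for a repackaged cas.war."""
    stream = io.BytesIO(war_bytes)
    if not zipfile.is_zipfile(stream):
        return [("cas.war", "not a ZIP archive (check the 7-Zip archive format)")]
    findings = []
    with zipfile.ZipFile(stream) as war:
        names = set(war.namelist())
        for path in CONFIG_FILES:
            if path not in names:
                findings.append((path, "not at the archive root"))
                continue
            text = war.read(path).decode("utf-8", errors="replace")
            for value in TEMPLATE_VALUES:
                if value in text:
                    findings.append((path, "template value left in: " + value))
            if 'value="ldap://' in text:
                findings.append((path, "LDAP bind over ldap://, not ldaps://"))
    return findings


def build_war(files):
    """Build an in-memory WAR from {path: text}; used for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for path, text in files.items():
            war.writestr(path, text)
    return buf.getvalue()


# Constructed samples: templates untouched, templates edited, and an archive
# built from the parent folder so WEB-INF is nested one level down.
UNEDITED = build_war({
    "WEB-INF/deployerConfigContext.xml":
        '<property name="url" value="ldap://127.0.0.1:389" />\n'
        '<property name="password" value="ldap_admin_password" />\n',
    "WEB-INF/cas.properties": "server.name=http://localhost:8080\n",
})
EDITED = build_war({
    "WEB-INF/deployerConfigContext.xml":
        '<property name="url" value="ldaps://dc.example.com:636" />\n'
        '<property name="password" value="constructed-secret" />\n',
    "WEB-INF/cas.properties": "server.name=https://whd.example.com\n",
})
NESTED = build_war({"cas/WEB-INF/cas.properties": "server.name=x\n"})

if __name__ == "__main__":
    for label, war in (("unedited", UNEDITED), ("edited", EDITED), ("nested", NESTED)):
        print(label, audit_war(war))
```

To check a real file, pass its bytes: `audit_war(open("cas.war", "rb").read())`.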

Deploy CAS server on Apache Tomcat

  1. Stop the Web Help Desk service.

  2. Copy the cas.war file to the /bin/webapps directory in your Apache Tomcat deployment.

  3. Start the Web Help Desk service.

  4. Verify that the HTTPS port is enabled on Apache Tomcat.

Complete your CAS server deployment

Configure a Group Policy Object (GPO) to push the appropriate Windows login credentials to your Internet Explorer settings. This process enables authenticated users to access the Web Help Desk server without having to log in. GPOs define the settings for your Windows server configuration, and Group Policies apply these settings.

See Configure a GPO to push Internet Explorer settings for more information.

Step 2: Enable SSL on Web Help Desk

  1. On your Web Help Desk system, open File Explorer and navigate to:

    <WebHelpDesk>/conf

  2. In the conf directory, open the whd.conf file in Notepad.

  3. In the file, comment out the following entry:

    HTTPS_PORT=443

  4. Save and close the file.

  5. Use Porteclé to create a new certificate.

    See Generating a New Certificate in Porteclé for more information.

  6. Insert the certificate to the following location:

    /conf/keystore.jks

  7. Restart Web Help Desk.

Step 3: Deploy CAS 2.0 on the Web Help Desk server

  1. On your Web Help Desk system, click Setup > General > Authentication.

  2. Click the Authentication Method drop-down menu and select CAS 2.0.

  3. In the CAS login URL field, enter:

    https://fqdn:port/cas/login

  4. In the CAS validate URL field, enter:

    https://fqdn:port/cas/serviceValidate

  5. Under Verification certificate, click Upload and select a certificate that CAS uses for signing the responses.

    Select keystore.jks to upload the Web Help Desk Tomcat certificate.

  6. In the Logout URL field, enter:

    https://fqdn:port/cas/logout

  7. Click Save.

    You can now log in using CAS 2.0.

Step 4: Configure a GPO to push the Internet Explorer settings

Configure a Group Policy Object (GPO) to push the appropriate Windows login credentials to your Internet Explorer settings. This process allows authenticated users to access the Web Help Desk server without having to log in. GPOs define the settings for your Windows server configuration, and Group Policies apply these settings.

  1. Log in to the Web Help Desk domain using the Domain Administrator account.

  2. Click Start and select Run.

  3. In the Run field, enter the following command and then click OK:

    mmc

    The Microsoft Management Console opens.

  4. In the File menu, click Add/Remove Snap-In > Add.

  5. In Available snap-ins, double-click Group Policy Management Editor and then click OK.

  6. In Select Group Policy Object, click Browse.

  7. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.

  8. Click Finish, and then click OK.

  9. In the Default Domain [yourdomain.com] Policy console tree, expand the following path:

    User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Connection

  10. Double-click Automatic Browser Configuration.

  11. Clear the Automatically Detect Configuration Settings check box, and then click OK.

  12. In the Default Domain [yourdomain.com] Policy console tree, go to:

    User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security Zones and Content Ratings

  13. Click Import the current security zones and privacy settings.

  14. When prompted, click Continue and then click Modify Settings.

  15. In the Internet Properties dialog box, click the Security tab.

  16. Click Local Intranet, and then click Sites.

  17. In the Add this website to the zone field, enter:

    *.yourdomain.com

  18. Click Add.

  19. Select the following checkbox: 

    Require server verification (https) for all sites in this zone.

  20. Click Close.

  21. Click OK.

Upgrade to WHD with CAS already configured (2026.2 and later)

If you are upgrading to the modern interface (WHD 2026.2 and later) with CAS 2.0 authentication already configured in your WHD database, your existing CAS settings are migrated automatically during the upgrade. You must update the CAS server configuration due to changed callback URLs.

What is migrated automatically

The database migration runs automatically when the modern interface is opened for the first time against your existing database. In the migration process, the following settings are preserved:

  • CAS login URL (CAS_LOGIN_URL)
  • CAS validate URL (CAS_VALIDATE_URL)
  • Verification certificate (CAS_VERIFICATION_CERT)
  • Authentication method (EXTERNAL_AUTH_PARAM_TYPE = 5)
  • Logout URL

Update your CAS server

After upgrading, you must update the CAS server's service registry to allow the new WHD callback URL.

| Setting | Classic interface value | Modern interface value |
| --- | --- | --- |
| Service URL (Callback) | https://<mydomain.com>/helpdesk/WebObjects/Helpdesk.woa | https://<mydomain.com>/api/v1/auth/cas/callback |
| Logout URL | https://<mydomain.com>/helpdesk/WebObjects/Helpdesk.woa | https://<mydomain.com> or CAS server's logout endpoint |

Update the CAS service registry

  1. Locate your CAS server's service registry configuration.

    • JSON service registry: Edit the service JSON files in /etc/cas/services/.
    • Database service registry: Update the RegexRegisteredService table.
    • YAML service registry: Edit the YAML files in the services directory.
  2. Update the registered service URL pattern to match the new WHD callback.

    JSON example (/etc/cas/services/WHD-NextGen-10000001.json):

       {
         "@class": "org.apereo.cas.services.CasRegisteredService",
         "serviceId": "^https://<mydomain.com>/api/v1/auth/cas/callback.*",
         "name": "Web Help Desk NextGen",
         "id": 10000001,
         "evaluationOrder": 1
       }
  3. If using a wildcard pattern, ensure it covers the new URL path: https://<mydomain.com>/.

  4. Restart the CAS server or reload the service registry for changes to take effect.

CAS server deployed in WHD Tomcat

The WHD modern interface no longer uses Apache Tomcat. If your CAS server was deployed as a WAR file inside the classic interface, take the following steps:

  1. Deploy the CAS server separately: Install a standalone CAS server (Apereo CAS 6.x or 7.x recommended) on the same or a different server.

  2. Migrate your configuration: Transfer your deployerConfigContext.xml, cas.properties, and LDAP settings to the new CAS deployment.

  3. Update your WHD configuration: Update the CAS login URL and CAS validate URL in WHD to point to the new CAS server location.

Post-migration verification

After upgrading to the modern interface and updating the CAS service registry, verify the following:

  • WHD is running and accessible over HTTPS.

  • The CAS server registry has been updated with the new callback URL.

  • In an incognito/private browser, navigate to WHD. You should be redirected to the CAS login page.

  • After authenticating, you are redirected to WHD, where you are logged in.

  • Existing tech and client accounts can log in via CAS.

  • The verification certificate (if uploaded) is showing correctly in the WHD authentication settings.

Deploy CAS in WHD 2026.2 and later

Before configuring WHD

Before configuring CAS 2.0 in WHD, ensure that you meet the prerequisites:

  • You must have a running CAS 2.0-compatible server (Apereo CAS 5.x, 6.x, or 7.x). The CAS server must be configured with an identity repository, such as LDAP, Active Directory, or a database.

  • Both the WHD and CAS servers should be accessible over HTTPS. Caddy handles TLS termination for WHD automatically.

  • The WHD server must be able to reach the CAS server's /serviceValidate endpoint (server-to-server), and users' browsers must be able to reach both the WHD and CAS servers.

  • You must have administrator or tech access to WHD in order to configure authentication settings.

  • Optional, but recommended: If the CAS server uses a self-signed or internal CA certificate, upload the certificate to WHD for ticket validation.

Step 1: Gather your CAS server information

To configure WHD, collect the following information from your CAS server deployment:

| Field | Description | Example |
| --- | --- | --- |
| CAS login URL | The CAS server's login endpoint | https://cas.<mydomain.com>/cas/login |
| CAS validate URL | The CAS server's ticket validation endpoint | https://cas.<mydomain.com>/cas/serviceValidate |
| CAS logout URL (optional) | The CAS server's logout endpoint | https://cas.<mydomain.com>/cas/logout |
| CAS server SSL certificate | Certificate used by the CAS server, if self-signed or internal CA | .cer, .pem, or .crt file |

Common CAS URL patterns

| CAS server version | Login URL | Validate URL | Logout URL |
| --- | --- | --- | --- |
| Apereo CAS 5.x/6.x/7.x | https://<cas-host>/cas/login | https://<cas-host>/cas/serviceValidate | https://<cas-host>/cas/logout |
| Legacy CAS 3.x | https://<cas-host>/cas/login | https://<cas-host>/cas/serviceValidate | https://<cas-host>/cas/logout |
| Custom context | https://<cas-host>/<context>/login | https://<cas-host>/<context>/serviceValidate | https://<cas-host>/<context>/logout |

Step 2: Configure CAS 2.0 in the WHD modern interface (2026.2 and later)

  1. Log in to WHD as an administrator/tech.

  2. Navigate to Setup > General > Authentication. From the Authentication method dropdown, select CAS 2.0. The CAS configuration panel displays the following fields:

    | Field | Description | Example |
    | --- | --- | --- |
    | CAS login URL | The CAS server's login page URL. Unauthenticated users will be redirected here. | https://cas.<mydomain.com>/cas/login |
    | CAS validate URL | The CAS server's ticket validation endpoint. WHD sends the service ticket here for server-side validation. | https://cas.<mydomain.com>/cas/serviceValidate |
    | Verification certificate | Upload the CAS server's SSL certificate if it uses a self-signed or internal CA certificate. | Upload .cer, .pem, or .crt file |

  3. Input the appropriate information in each field.

    • In the CAS login URL field, enter the CAS server login endpoint: https://cas.<mydomain.com>/cas/login.

    • In the CAS validate URL field, enter the CAS server's ticket validation endpoint: https://cas.<mydomain.com>/cas/serviceValidate.

    • Optional: Upload the verification certificate.

      • If your CAS server uses a self-signed certificate or a certificate from an internal CA, click Upload certificate.

      • Select the CAS server's SSL certificate file in .cer, .pem, or .crt format.

    • Optional: Configure the Logout URL to redirect users to the CAS logout page when they log out of WHD, using https://cas.<mydomain.com>/cas/logout.

  4. Save your configuration.

Step 3: Register WHD as a service in your CAS server

For the CAS server to recognize WHD as an authorized service, register the WHD callback URL in your CAS server's service registry.

The service (callback) URL that the CAS server must allow is https://<mydomain.com>/api/v1/auth/cas/callback.

Configuration by CAS server type

  • Apereo CAS (JSON service registry)

    Create or update a service definition file in /etc/cas/services/:

    WHDNextGen-10000001.json
    {
      "@class": "org.apereo.cas.services.CasRegisteredService",
      "serviceId": "^https://<mydomain.com>/api/v1/auth/cas/callback.*",
      "name": "Web Help Desk NextGen",
      "id": 10000001,
      "description": "Web Help Desk NextGen Service Provider",
      "evaluationOrder": 1,
      "attributeReleasePolicy": {
        "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
      }
    }
    
    Use ReturnAllAttributeReleasePolicy to release user attributes to WHD for user auto-creation.
  • Apereo CAS (YAML service registry)

    Create or update a service definition file:

    WHDNextGen-10000001.yml

    !<CasRegisteredService>
    serviceId: "^https://<mydomain.com>/api/v1/auth/cas/callback.*"
    name: "Web Help Desk NextGen"
    id: 10000001
    description: "Web Help Desk NextGen Service Provider"
    evaluationOrder: 1
    attributeReleasePolicy: !<ReturnAllAttributeReleasePolicy> {}
  • Apereo CAS (Database/JPA service registry)

    Insert or update the service record:

    INSERT INTO RegexRegisteredService (expression, name, enabled, ssoEnabled, evaluationOrder, id)
    VALUES ('^https://<mydomain.com>/api/v1/auth/cas/callback.*',
            'Web Help Desk NextGen', 1, 1, 1, 10000001);
  • Legacy CAS 3.x (In-memory)

    If using the default in-memory service registry, update deployerConfigContext.xml:

    <bean class="org.jasig.cas.services.RegexRegisteredService"
          p:id="10000001"
          p:name="Web Help Desk NextGen"
          p:serviceId="^https://<mydomain.com>/api/v1/auth/cas/callback.*"
          p:enabled="true"
          p:ssoEnabled="true"
          p:evaluationOrder="1" />
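
An audit of serviceId patterns against the callback URL, serving both the upgrade step (an existing pattern must cover the new path) and the definitions above. This is an added example, not WHD or Apereo CAS code. helpdesk.example.com is a hypothetical host, the sample URLs and the tightened pattern are constructed, and matching is assumed to be whole-URL and case-insensitive.

```python
import json
import re

# Hypothetical host standing in for the page's <mydomain.com> placeholder.
CALLBACK = "https://helpdesk.example.com/api/v1/auth/cas/callback"

# Constructed definitions in the JSON registry shape (only the fields used here).
SERVICES = [
    # Pre-upgrade entry that covers only the classic interface path.
    r'{"name": "WHD classic", "id": 10000000,'
    r' "serviceId": "^https://helpdesk.example.com/helpdesk/.*"}',
    # The pattern from the page with the placeholder filled in.
    r'{"name": "Web Help Desk NextGen", "id": 10000001,'
    r' "serviceId": "^https://helpdesk.example.com/api/v1/auth/cas/callback.*"}',
    # Tightened variant: literal dots, optional query string, end anchor.
    r'{"name": "WHD tightened", "id": 10000002,'
    r' "serviceId": "^https://helpdesk\\.example\\.com/api/v1/auth/cas/callback(\\?.*)?$"}',
]

# Service URLs the registry must accept, and constructed ones it must not.
MUST_MATCH = [CALLBACK, CALLBACK + "?state=constructed"]
MUST_REJECT = [
    "http://helpdesk.example.com/api/v1/auth/cas/callback",       # no TLS
    "https://helpdeskxexample.com/api/v1/auth/cas/callback",      # different host
    "https://helpdesk.example.com/api/v1/auth/cas/callback-old",  # different path
]


def audit_service_id(pattern):
    """Return (kind, url) findings for one serviceId regular expression."""
    # Assumption: CAS matches the whole service URL, case-insensitively.
    rx = re.compile(pattern, re.IGNORECASE)
    findings = [("misses-required", u) for u in MUST_MATCH if not rx.fullmatch(u)]
    findings += [("accepts-unintended", u) for u in MUST_REJECT if rx.fullmatch(u)]
    return findings


def audit_registry(definitions):
    """Map each service name to its findings; an empty list means clean."""
    report = {}
    for text in definitions:
        service = json.loads(text)
        report[service["name"]] = audit_service_id(service["serviceId"])
    return report


if __name__ == "__main__":
    for name, findings in audit_registry(SERVICES).items():
        print(name, findings or "OK")
```

Before adopting the tightened form, confirm from your CAS logs that WHD sends only this path plus an optional query string as the service URL.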

LDAP configuration on CAS server

If your CAS server authenticates against LDAP/Active Directory, ensure the following settings are configured on the CAS server:

| Setting | Description | Example |
| --- | --- | --- |
| LDAP URL | LDAP server address | ldap://dc.<mydomain.com>:389 or ldaps://dc.<mydomain.com>:636 |
| Base DN | LDAP search base | DC=<mydomain>,DC=com |
| Bind DN | LDAP service account | cn=admin,DC=<mydomain>,DC=com |
| User filter | How users are matched | sAMAccountName=%u or uid=%u |

LDAP configuration is on the CAS server, not in WHD. WHD only needs the CAS login URL and Validate URL.

Step 4: Test the configuration

  1. Open a new browser window or an incognito/private session. Navigate to your WHD URL at https://<mydomain.com>. You should be automatically redirected to the CAS server login page.

  2. Enter your LDAP/AD credentials on the CAS login page. After successful authentication, the CAS server redirects back to WHD with a service ticket. WHD validates the ticket and logs you in automatically.

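If you need to bypass CAS and log in directly with WHD credentials, use https://<mydomain.com>/login?username=<username>&password=<password>. Credentials passed this way are part of the URL, so they can be recorded in browser history and in proxy and web server access logs.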

Optional configuration

Environment variables

The following environment variables can be set in conf/application.properties or via the conf/whd.env file:

| Variable | Description | Default |
| --- | --- | --- |
| CAS_APP_BASE_URL | Base URL of the WHD backend, used to build the CAS service callback URL | http://localhost:8080 |
| SAML_FRONTEND_BASE_URL | Base URL of the frontend for SSO callback redirect | http://localhost:3000 |

Example production configuration:

# CAS SSO Configuration
cas.application.base-url=https://helpdesk.<mydomain.com>
saml.application.frontend-base-url=https://helpdesk.<mydomain.com>

# CAS redirect paths (defaults are usually fine)
# cas.redirect.success-path=/login
# cas.redirect.failure-path=/login?error=cas

Logout URL

When using CAS, logging out of WHD will end the WHD session. To enable CAS single logout (SLO), configure the Logout URL in the Authentication settings to point to the CAS server's logout endpoint: https://cas.<mydomain.com>/cas/logout. When a user logs out of WHD, they are redirected to the CAS logout page, which can optionally sign them out of all CAS-connected applications.

User auto-creation

WHD automatically creates user accounts when a user authenticates via CAS for the first time. The CAS-authenticated username (from the service ticket validation response) is used as the login identifier. If your CAS server releases additional attributes, WHD uses them to populate the user profile.

| CAS attribute | WHD field |
| --- | --- |
| email or mail | Email |
| givenName or firstName | First Name |
| sn or lastName | Last Name |
| displayName | Display Name |
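
For troubleshooting which profile fields a login can populate, the sketch below parses a serviceValidate response and applies the mapping table above. This is an added example, not WHD's own code; the responses are constructed, and it assumes the CAS server returns released attributes inside a cas:attributes block.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}
# CAS attribute names -> WHD field, from the table above.
FIELD_MAP = [
    (("email", "mail"), "Email"),
    (("givenName", "firstName"), "First Name"),
    (("sn", "lastName"), "Last Name"),
    (("displayName",), "Display Name"),
]

# Constructed responses; user, ticket and attribute values are made up.
SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.com</cas:mail>
      <cas:givenName>Jane</cas:givenName>
      <cas:sn>Doe</cas:sn>
      <cas:memberOf>CN=Helpdesk,DC=example,DC=com</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1-constructed not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_service_validate(xml_text):
    """Return (username, attributes); raise ValueError if validation failed."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD in CAS response")
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise ValueError("no authenticationSuccess element")
    user = (success.findtext("cas:user", "", NS) or "").strip()
    if not user:
        raise ValueError("response carries no cas:user")
    attrs = {}
    for element in success.findall("cas:attributes/*", NS):
        attrs.setdefault(element.tag.split("}", 1)[-1], (element.text or "").strip())
    return user, attrs


def map_to_whd(attrs):
    """Return (WHD fields filled from attrs, released names outside the table)."""
    fields, used = {}, set()
    for names, field in FIELD_MAP:
        for name in names:
            if name in attrs:
                fields.setdefault(field, attrs[name])
                used.add(name)
    return fields, sorted(set(attrs) - used)


if __name__ == "__main__":
    print(parse_service_validate(SUCCESS))
```

The second value returned by `map_to_whd` lists attributes the CAS server released that do not appear in the mapping table, which is the place to look when deciding whether ReturnAllAttributeReleasePolicy releases more than this integration needs.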

LDAP sync on login

If LDAP/AD directory sync is configured in WHD alongside CAS, WHD performs a background attribute synchronization for the user on each CAS login, keeping user profile data up to date with the directory.

SSL certificate trust

WHD uses a composite trust manager for CAS server communication. An uploaded verification certificate, if provided, is trusted first. System CA certificates are always trusted. If your CAS server uses a self-signed or internal CA certificate, upload it to WHD.