Numerous client implementations for CAS have been developed. Developers and deployers should download client code from the CAS Clients Overview section of the CAS project support website.
Two important things to keep in mind while setting up your application for CAS:
- The current CAS Protocol is the 3.0 version. This is distinct from the CAS Server implementation version (currently at 6.1.x) which implements the CAS 1.0, 2.0, and 3.0 protocols.
- The recommended CAS protocol is version 2.0 or greater, with 3.0 preferred where supported for the greatest feature set.
CAS can also do SAML authentication. We strongly recommend using CAS authentication. If SAML authentication is required, please contact Michigan Tech IT (email it-help@mtu.edu or call us at 7-1111).
For a CAS client, we recommend mod_auth_cas. Below are steps on getting started with mod_auth_cas. As for other CAS Clients, we do not directly support them and can only offer limited help in configuring.
mod_auth_cas Client Configuration
mod_auth_cas is an Apache module. It can enforce user authentication for one or many VirtualHosts.
- Begin by installing mod_auth_cas. For RHEL, the package is available in EPEL.
- Next, set the following global parameters in the file
/etc/httpd/conf.d/auth_cas.conf:
CASLoginURL https://sso.mtu.edu/cas/login
CASValidateURL https://sso.mtu.edu/cas/serviceValidate
My web app/server is behind a proxy or load balancer
Set CASRootProxiedAs "https://servicename.mtu.edu"
mod_auth_cas attempts to build the service URL from the VirtualHost. This will override the automatic generation of service URLs and construct them using this prefix. If your web app/server has multiple server names, this can be configured per VirtualHost.
Example
If the site being protected is http://example.com/ and the Apache instance of this server is http://internal.example.com:8080, setting CASRootProxiedAs to http://example.com would result in proper service parameter generation.
I need attributes from CAS
In your auth_cas.conf file:
- Add a line "CASValidateSAML on"
- Add a line "CASAttributePrefix CAS-"
- Change "CASValidateURL https://sso.mtu.edu/cas/serviceValidate" to "CASValidateURL https://sso.mtu.edu/cas/samlValidate"
mod_auth_cas does CAS protocol 2, which does not support the passing of user attributes. This will then use SAML 1.1, which supports user attributes when validating a user session against endpoint /cas/samlValidate.
The option CASValidateSAML on can be configured in global configs, a VirtualHost, or in a .htaccess file.
I only want certain users to access my application
First, see above to configure mod_auth_cas to get attributes. Next, the authorization rules can be configured in .htaccess or in a Directory or Location directive.
To enable mod_auth_cas, the following option is required:
Authtype CAS
Some example rules
- Allow any Michigan Tech user.
Require valid-user
- Only allow the user with the id blizzard.
require cas-attribute uid:blizzard
- Only allow the user with the email address.
require cas-attribute mail:blizzard@mtu.edu- Only allow users in the ldap group SomeGroup.
require cas-attribute memberOf:cn=SomeGroup,ou=Groups,dc=mtu,dc=edu
- Only allow users in the ldap group Group With Space.
require cas-attribute "memberOf:cn=Group With Space,ou=Groups,dc=mtu,dc=edu"
I need attributes in PHP/CGI
Set CASAuthNHeader On
By default, mod_auth_cas will only supply REMOTE_USER with the UID. This will configure mod_auth_cas to set all of the attributes as headers in the php/cgi request.
This option must be configured in .htaccess or in a directory or location directive.
In php, the incoming headers look like this:
$headers = getallheaders();
print_r($headers);
(
[Host] => example.com
[On] => blizzard
[CAS-uid] => blizzard
[CAS-mail] => blizzard@mtu.edu
[CAS-cn] => Blizzard T. Husky
)
echo $headers["CAS-cn"] . "<br/>";
Blizzard T. Husky