I'm creating an alumni website for members of my school's graduating class. I'd like to have users login using CAS the first time they use the site; they would be using CAS to register on the site. After they have successfully logged in with CAS once, they would set a Drupal password and would login using Drupal's standard authentication.
Ideally, I would use the user_import module to pre-create the accounts of members of my class and place them in a privileged role (preventing students from other classes using the site). In this case, CAS would be logging users into an existing account, but required user profile fields would not already be set. Users would need to be forced to set these upon first login.
Any suggestions on how to accomplish this would be most welcome!
Thanks,
JD
Comments
Comment #1
metzlerd commentedThis could be difficult, as it's not really what CAS is designed for. You'll need to be pretty careful in your explanations with regard to what the user should do. IF you are precreating the users I'd explore first whether user_import can be configured to send the welcome message upon creating the account, cause then you could issue them a password and not bother with CAS, which is really intended to be a single sign-on module.
You should configure drupal to not be the CAS user repository and not require auth for any pages and also set to Hijack exisitng accounts.
Cas is not designed to enforce mandatory profile fields so I don't really know what you'll need to do there. You may need a custom module to pull this off. Some module that would check for the required profile fields and redirect the user to the user edit page if they aren't there (regardless of how they logged in). Like I said, this is outside of the realm of what CAS is supposed to do.
Anyway that's probably as close as you can get without code modifications.
Comment #2
jdleonardThanks for your response. I would send the pre-created users welcome emails, but the site needs to be opt-in. The pre-creation of users would be to ensure that only those users can register/login.
I'm not sure how much CAS takes over the authentication of users who have logged in through CAS. Can a given user log in via CAS or Drupal interchangeably if they've set a Drupal password? What if I require users to log in via CAS the first time, but then force them to change their Drupal password? Could they then log in via Drupal with that password?
As I'll only be using CAS during the registration process, I'll probably end up writing a custom module. If the quality of the module is satisfactory, I'll release it. If you'd like to include it in this project, that'd be welcome, but we'll see if I ever get that far.
Thanks for your help.
Comment #3
metzlerd commentedRight now the cas module randomizes the password of every user at login. That would be problematic for you I'm sure, but others have requested that this functionality be removed or configurable, and I'm planning on changing this behavior in an upcoming release of CAS.
Comment #4
jdleonardI think I may have actually been the cause of that randomized password (per an email to you on 2007-04-12)! Yes, probably should be configurable. Perhaps you can have it just set it on initial login? Thanks again.
Comment #5
jdleonardI've decided on a conceptually simpler way of solving this. I'm going to create a module that borrows code from the CAS and Invite modules because I don't see a good way of reusing the code of each module directly to accomplish my goals. This module will provide an alternate registration process:
Admins will have the ability to require that registration can only occur via invitation (via this alternate process or by a user with the proper permission sending someone an invitation).
Any comments/suggestions welcome!
Comment #6
jdleonardClosing this. Progress on this module can be tracked at CAS Register Invite module
Also see CAS Register Invite module #415730: Restrict registration to users authenticated via CAS.
Comment #7
jdleonardMy solution to this is posted at #415730: Restrict registration to users authenticated via CAS.
Comment #8
elliotcapelo commentedHi there!
There is no module located on http://drupal.org/project/cas_register_invite ? I need this module to track who is logging into our website (we only have a around 200-250 users) but we don't want the rest of the university also logging into our site.
Is this module now incorporated into cas? If so I can't see the settings any where can someone tell me how to enable them?
Or if there is another module that can do this.
Cheers,
Fiona
Comment #9
metzlerd commentedNear as I can tell the developer never really finished a release ready version. See the referenced issue for the last piece of info on this effort. If there's an easy programmatic way for you to determine which users should be allowed, developing a custom module to integrate with cas shouldn't be too difficult.
Comment #10
elliotcapelo commentedThanks Metzlerd. It would be really good if there was a way for us to create a list of users ID numbers that drupal checks before letting the user log in. We only have around 200 users so putting all our allowed users on this list isn't a problem.
How would I go about setting up a list of users for the cas service to reference in drupal?