CAS Configuration

nikmahajan - March 22, 2009 - 03:29
Project:CAS
Version:6.x-1.0
Component:Documentation
Category:support request
Priority:normal
Assigned:nikmahajan
Status:active
Description

I installed CAS module for D6 and also installed phpCAS library in it. I am now able to see CAS configuration page but I don't know what to put in there for CAS version, CAS server, CAS port, CAS URI, PEM Certificate etc.

Can someone guide me on configuring CAS page? Your help will be appreciated.

#1

metzlerd - March 23, 2009 - 15:13

What you put in there is dependent on your institution's configuration. Most have a server at something like cas.yourdomain.edu. I want to be sure that cas (as it is now) requires that there is a java based cas server set up somewhere at your organization/institution. CAS only lets users authenticate against a pre-existing server, but doesn't provide drupal sign on services. (Although I'm working on a module to provide just that).

I'd advise the following basic configuration to begin with:

cas server: yourcasserver.yourschool.edu
cas port: 443
cas uri: cas
CAS PEM Certificate: Do not verify

Is drupal also the cas user repository: leave unchecked.
IF cas is not the user repository should cas hijack users with the same name?: Checked
Should drupal user accounts be automatically created? Checked
email domain (your email domain)
Users cannot change email address: Unchecked
Users cannot change password: Unchecked
Auto-assign users to the role(s): authenticated user

Leave all other settings blank or at defaults.

Hope this helps.

#2

nikmahajan - March 23, 2009 - 17:02

thanks for your valuable reply.

#3

jwbuzz - March 26, 2009 - 20:10

metzlerd: I wondered if you might be able to elaborate on what you mean by saying it "doesn't provide drupal sign on services". And what the module you are working on will do? I'm having to integrate my Drupal (5.x) site into our corporate CAS and LDAP servers but I'm having a hard time wrapping my head around the distinction between authentication and authorization. For example... I have it authenticating with the CAS module, but I need to be able to check all of the Drupal permissions based on the logged in CAS user against the groups they are assigned to in the LDAP server. I don't understand why CAS module creates Drupal users. Any direction or documentation pointers would be appreciated.

#4

metzlerd - March 26, 2009 - 20:52

What I meant by the statement was that it doesn't act as a CAS Server. I'm working on a module (cas_server) that will let you set up a drupal instance and have it act as a cas server, so that you can hook up other products to your drupal sign-ons. Sounds like you don't need to be concerned about that.

With regard to your project. You can only set up drupal access control based on drupal roles. Drupal users get assigned to drupal roles and the modules check permissions as appropriate.

The LDAP Groups module would help make sure that your drupal roles are automatically set based on corresponding roles on your LDAP server. So you create the roles that you need in drupal and then you have people's role memberships automatically set when they log in (via cas). The CAS module has some code to make it play nice with the LDAP Groups module.

To recap: the first time you log in, your drupal account gets created, but you're only in the authenticated users group. Immediately after your account gets created CAS invokes a function from the LDAP Groups module to set your drupal roles to match what roles you have in LDAP. Every time you log in subsequently, the LDAP Groups module is called and it revokes or adds drupal roles as appropriate.

All drupal nodes/comments/user profiles/etc are stored with an internal numeric drupal user id (uid). So you can't get around creating user accounts for users that are in drupal. This is why the cas module has that feature. The first time a user "logs in" to the drupal site, their user is created automatically, and again the LDAP Groups module can be configured to make sure that the role gets assigned correctly.

Hope that helps.

#5

jwbuzz - March 30, 2009 - 13:39

Ah... I see. That makes a little more sense. Thanks a lot for responding and the clarification. Since the Drupal users have to be created, what is your recommendation for maintenance. Ideally, we would have our operators maintain users and just delete them from the LDAP server (via a corporate app we have). Would you recommend that we leave the Drupal users there or come up with some methodology for deleting them as well?

#6

metzlerd - March 31, 2009 - 15:32

You could leave them there, but I think it would be best to eventually get them deleted, but that brings up a tricky problem. What do you do with all the content that they created (comments they made, etc.)? Drupal bulk delete operations can be used to make this problem.

Although there's no 6.x release out yet, you might consider the inactive_user module to manage users that appear to have expired.

Dave

#7

regety - July 21, 2009 - 17:55

Okay, where exactly should I place the cas server? I'm trying to test it out from localhost, I now have apache2 in my /etc folder. So I assumed I should put cas server in /etc -folder, but I couldn't because it said I don't have permission to put anything in there. Though I'm sudoing. Well I then tried placing cas server under one of my multisites like this: sites/site.com/cas-server-3.3.3, and typed into the CAS server field: site.com/cas-server-3.3.3. As a result I got this message:

CAS Authentication wanted!

You should already have been redirected to the CAS server. Click here to continue.

I'm also interested in metzlerd's cas_server module. I tried searching for it but it didn't appear by that name. How's it going with that project?

Thanks a lot guys!

#8

metzlerd - July 21, 2009 - 19:39

CAS server needs to be deployed in a Tomcat instance. You'd need to learn more about J2EE servlets in order to make that happen.

There's a light version of the cas server module in the current dev releases. It's a module that's in the same project. It's not feature complete (doesn't support single sign out, etc.), but it will work for trying out cas module. Remember that the cas server module should be enabled in a separate drupal instance than the cas client module.

#9

kroeker - July 22, 2009 - 23:51

New to Drupal, having problems with CAS module.

I've installed Drupal 6.13, our webserver is Apache 2.0 , running on a separate machine, and my institutional level people run a CAS server for the campus. I downloaded phpCAS 1.0.1 and put it where php5 can find it (I think). I installed the latest CAS module, and configured it under Drupal (Administer -> User Management -> CAS Settings) on my admin account. We run an LDAP service at my campus, but I don't think it provides anything more than people's names...

In the CAS User Account settings, I picked box 1, then tried again with box 2. No go. On my home page, I get the label and login hyperlink for my CAS login. Clicking on that hyperlink takes me to our institutional CAS page. So far, so good. I enter my desired user name and password, which exists on our campus network, but every time I come from Drupal I get the error web page:

CAS Authentication failed!
You were not authenticated.
---------------
phpCAS 1.0.1 using server https://cas.sfu.ca:443/cgi-bin/WebObjects/cas.woa/ (CAS 1.0)

and the url on the web page has my Drupal server followed by /cas?ticket={the cas ticket number}

I must be missing something in this setup, or some file is not in the right place, or ?? can anyone help?

#10

kroeker - July 23, 2009 - 00:00

Oh another thing: I wish to eventually pre-create all of the user accounts. I notice that when I manually create an account via Drupal that the password is a required field. But the whole point of CAS is that I, as system admin, shouldn't need my user's real institutional password. Do I just make something up, which is then ignored? I don't want to have users create their own Drupal accounts, because I have a lot of profile info from our existing user web profile pages to add to each user's Drupal profile which they wouldn't want to re-enter. It's also inconvenient to ask my users to try to log into my test system just to create an account. Suggestions?

#11

metzlerd - July 23, 2009 - 15:05

First of all your CAS server is 3.3.2 not 1.0. You should use cas 2.0 settings in the cas settings page to connect with this version of cas. Make sure that is the case.

#12

metzlerd - July 23, 2009 - 15:08

Yes, if you pre-create user accounts you'll need to just specify a dummy password to get by drupal's requirement, but they aren't used when logging in via cas. You may want to set the cas account setting to hijack existing accounts when you do this.

#13

kroeker - July 23, 2009 - 19:01

Thanks for responding, metzlerd. Your suggestions made only a small difference though, in that I am now told that:

CAS Authentication failed!
You were not authenticated.
---------------
phpCAS 1.0.1 using server https://cas.sfu.ca:443/cgi-bin/WebObjects/cas.woa/ (CAS 2.0)

so it recognized the change to 2.0 you suggested, but the authorization still fails. Another developer at my institution tells me that he has CAS working with more or less the same CAS settings as I originally had (CAS 1.0 and no hijacking), which leads me to think that perhaps my phpCAS is not set up correctly? But it's in /usr/share/php/CAS-1.0.1, and /usr/share/php is in the include path according to phpinfo().

#14

metzlerd - July 23, 2009 - 19:52

The message you're getting sounds like your cas library is installed properly. I get the exact same behavior when the CAS client gets a ticket invalid message from validating the ticket. The message that you're getting is from the phpCAS code, not from the drupal module, so we know that PHP is finding the cas library just fine.

So that means that for some reason, the cas server is rejecting the curl request to validate the ticket. The most likely cause is that the service url isn't the same as the one used to generate the ticket.

Can you report the url that is being shown when you get prompted for authentication? Are clean URL's enabled on your drupal site?

#15

kroeker - July 23, 2009 - 20:21

Clean URLs are enabled.

The URL on my CAS login page is:

https://cas.sfu.ca/cgi-bin/WebObjects/cas.woa/login?service=https%3A%2F%...

and the URL on the php error page is:

https://webdev.cs.sfu.ca/drupal6/cas?ticket=ST-10240-b60zBIJKaAGCLN4X2Es...

I'm no CAS expert, but this looks to me like our CAS server did pass back a valid ticket to phpCAS, meaning that this user was authenticated successfully by the CAS server, no?

#16

metzlerd - July 23, 2009 - 20:39

Yes, you got authed by the cas server successfully. This error means that when the phpCAS library sent the ticket back to the cas server (via a curl request), the cas server indicated that the ticket wasn't valid. This can happen for a few reasons. Sometimes there are firewall rules that block (unproxied) access between the web server (running php) and the cas server via port 443. Sometimes it's because there's a problem matching the ticket to the originally generated request, but in your case the service url looks like it matches the drupal url that's doing the authentication. Some folks have hacked the cas server to require additional cookies or something in order to validate the request, but usually your developer would've indicated that.

I think you're going to need to turn on debugging for the cas library to troubleshoot this one. You may need to hack the drupal cas.module file to enable the debugging for the library.

Dave

#17

ila87 - July 24, 2009 - 15:09

Hi all, I'm a new member of this site. I have a question about CAS module: I have a site developed in Drupal and a site in JSP. I need to do SSO between these two sites; can I use this module? Or is cas module used only to do SSO into a single site?
In my scenario a user can log in on site A (jsp) and go with a link to site B (drupal) without re-entering his password, and vice versa from site B to site A. The login can be done with "normal" login (entering user and password) or using an i-card.
Another question: in my drupal site I have already added a module for i-card; can this create a problem for SSO with this module?
Thanks in advance for any help.
Ilaria

#18

metzlerd - July 24, 2009 - 15:14

Yes, although the cas server portion of this module is still experimental, it can be used to have the drupal logins and jsp share a common auth mechanism. (JSP pages would need to support CAS protocol but there are java/jsp clients for this). CAS is a common protocol used in universities to achieve single sign on across disparate application technologies.

CAS can coexist with most other drupal authentication modules, although I haven't tried anything with Icard.

#19

kroeker - July 24, 2009 - 19:10

Hi Dave,

Thank you very much for all of your help.

I've turned on the debugging for the phpCAS library. Are you familiar with its output? If not, no worries.

In the log file, there are 2 entries, 1 pre-cas server, and 1 after the cas server is contacted. The 1st one tests whether or not I'm logged in already (I'm not at this point), so it redirects control to our cas server.

The 2nd entry is also clear in that:

6380 .=> phpCAS::forceAuthentication() [cas.module:116]
6380 .| => CASClient::forceAuthentication() [CAS.php:911]
6380 .| | => CASClient::isAuthenticated() [client.php:686]
6380 .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:791]
6380 .| | | | no user found [client.php:895]
6380 .| | | <= false
6380 .| | | PT `ST-6937-Qj1weieiuJ0bAak9aLfYuT1bRgOqQz4cfuH-L6DgS' is present [client.php:812]
6380 .| | | => CASClient::validatePT('', NULL, NULL) [client.php:813]
6380 .| | | | => CASClient::getURL() [client.php:396]
6380 .| | | | <= 'https://webdev.cs.sfu.ca/drupal6/cas'
6380 .| | | | => CASClient::readURL('https://cas.sfu.ca:443/cgi-bin/WebObjects/cas.woa/proxyValidate?service=https%3A%2F%2Fwebdev.cs.sfu.ca%2Fdrupal6%2Fcas&ticket=ST-6937-Qj1weieiuJ0bAak9aLfYuT1bRgOqQz4cfuH-L6DgS', '', NULL, NULL, NULL) [client.php:2081]
6380 .| | | | <= true

The cas server is called (though through a proxy?) but the CASClient::validatePT('', NULL, NULL) call doesn't seem to have the PT, right? Even though CASClient::readURL() seems to have it. This is the source of the error, correct?

Would you have any additional pointers?

Brian

#20

ila87 - July 24, 2009 - 20:07

Ok so, now I have to change cas module with cas server module, is that correct? And configure the JSP site with cas instructions (I have seen a JSP client example).. or do I need to ADD cas server module to the drupal installation? Does this work fine although I have two separate databases, one for drupal and another for jsp? I have not understood the interaction between jsp/drupal site, jsp/drupal database and cas server: is there a "central cas db" that performs an interaction between the other two databases? How can I configure cas server module?

thanks a lot
Ilaria

#21

metzlerd - July 24, 2009 - 20:15

You use either the cas client module or the cas server module on a drupal site, but not both. The cas server module lets you use drupal's usernames and passwords as a cas authentication source. So if you're logged into the drupal site you could then go to your jsp site and be redirected to your drupal site for authentication. If you're logged into drupal you're already logged into the jsp site.

At our college we use a J2EE cas server that allows us to authenticate with active directory, so we use the cas client module to connect up with a cas server that lies at a different url. When you want to log into the drupal site you get redirected to the J2EE based cas server for logins. And only if that login is successful are you logged into the drupal site.

The cas server module does not currently require any configuration. Enable the module and you can then point other cas enabled web sites at yourdrupalsite/cas and it will handle authentication.

Does that make sense?

#22

kroeker - July 25, 2009 - 00:20

How does the cas module work with the primary account? My primary account, which I used to install Drupal and set it up, doesn't have an equivalent account on our campus cas server. The cas module readme instructions were to remove the drupal sign in block after cas is up and running, and leave just the cas sign in block, but this wouldn't work for my administrator account, right? Should I set up a separate theme for the administrative user that doesn't have the cas sign in block, but does have the drupal one, while other users see a theme with only the cas sign in block? I don't want to confuse my users by showing them two different sign in blocks.

#23

metzlerd - July 25, 2009 - 01:28

It depends on how you set up your redirect settings. If you don't require login for the user/login page, then you can navigate there directly without leaving the block up: Yoursite/user/login. This lets you use both styles of accounts.

I usually create an admin role so that I don't have to use the admin account except on special occasions.

Dave

#24

kroeker - July 28, 2009 - 19:08

Hi Dave,

It turns out that our institution has made some local modifications to CAS in order to support .htaccess files in Apache that we have been using before CAS arrived. I just didn't know this :-( The XML document that our CAS server returns when phpCAS attempts a validation of the service ticket contains extra information that apparently phpCAS cannot deal with. Our CAS expert says that he has seen this in a number of applications but is at a loss as to why applications can't parse the returned XML document, as he feels it is a fairly standard XML format.

Fortunately, our institution offers another CAS URL which does not pass back this extra information, and that URL worked!

Thanks for all your help :) Brian
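The two failure modes discussed in this thread, the service URL not matching between the /login redirect and the validation request (#16) and a validation response that carries extra elements (#24), can be checked offline. The script below is an added example, not phpCAS or the Drupal module's own code; the validation URL layout follows the phpCAS trace quoted in #19, the XML samples are constructed, and the host names are taken from this thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace used by CAS 2.0 responses


def build_validate_url(server, port, uri, service, ticket, endpoint="serviceValidate"):
    """Assemble the validation URL from the module's CAS server / port / URI
    settings, laid out the way the phpCAS trace in #19 shows (assumed layout)."""
    base = uri.strip("/")
    path = "/%s/%s" % (base, endpoint) if base else "/" + endpoint
    return "https://%s:%d%s?service=%s&ticket=%s" % (
        server, port, path, quote(service, safe=""), quote(ticket, safe=""))


def normalize_service(url):
    """Canonical form for comparing the service= sent to /login with the one
    sent to validate: lower-case scheme/host, drop default ports, drop the
    ticket parameter that the server appends on redirect."""
    p = urlsplit(url)
    port = p.port
    if (p.scheme == "https" and port == 443) or (p.scheme == "http" and port == 80):
        port = None
    netloc = p.hostname or ""
    if port is not None:
        netloc = "%s:%d" % (netloc, port)
    params = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
              if k != "ticket"]
    query = urlencode(params)
    return "%s://%s%s%s" % (p.scheme, netloc, p.path or "/", "?" + query if query else "")


def parse_cas2_response(xml_text):
    """Return (ok, user_or_failure_code, detail) for a CAS 2.0 serviceResponse.
    Elements the client does not know (vendor attributes etc.) are ignored,
    which is how a tolerant client should treat a locally extended server."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % CAS_NS:
        raise ValueError("not a CAS 2.0 serviceResponse: %s" % root.tag)
    ok = root.find("{%s}authenticationSuccess" % CAS_NS)
    if ok is not None:
        user = (ok.findtext("{%s}user" % CAS_NS) or "").strip()
        if not user:
            raise ValueError("authenticationSuccess without <cas:user>")
        return True, user, ""
    fail = root.find("{%s}authenticationFailure" % CAS_NS)
    if fail is not None:
        return False, fail.get("code", "UNKNOWN"), (fail.text or "").strip()
    raise ValueError("neither success nor failure element present")


# Constructed sample responses (not captured from any real CAS server).
SUCCESS_WITH_EXTRAS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes><cas:mail>jdoe@example.edu</cas:mail></cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

INVALID_SERVICE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    ticket 'ST-1' does not match supplied service
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(build_validate_url("cas.sfu.ca", 443, "cgi-bin/WebObjects/cas.woa",
                             "https://webdev.cs.sfu.ca/drupal6/cas", "ST-1"))
    print(parse_cas2_response(SUCCESS_WITH_EXTRAS))
    print(parse_cas2_response(INVALID_SERVICE))
```

If `normalize_service()` of the URL in the /login redirect and of the URL the client sends to validate differ, the server answers INVALID_SERVICE, which phpCAS surfaces as the generic "You were not authenticated" page seen in #9.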

#25

regety - July 28, 2009 - 19:31

I'm trying out the cas server module, but apparently I don't understand something. So I have done a multisite install of Drupal, and the cas server module is enabled on "site1.com". Then cas client module is enabled on "site2.com". I tried configuring the client with:

cas server: site1.com
uri: /cas

When I press "log in via cas", it says connection failed to site1.com

It tries to go to address
https://site1.com:443/cas/login?service=http%3A%2F%2Flocalhost%2Flinkki%...

I'm also getting some error messages on my Drupal client site

* warning: include_once(DB.php) [function.include-once]: failed to open stream: No such file or directory in /home/user/public_html/sites/all/modules/cas/phpcas-0.6.0-1/source/PGTStorage/pgt-db.php on line 11.
* warning: include_once() [function.include]: Failed opening 'DB.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/user/public_html/sites/all/modules/cas/phpcas-0.6.0-1/source/PGTStorage/pgt-db.php on line 11.

If I make an empty DB.php -file in that location, I will arrive to an empty site when pushing the "log in via cas" -button, and I get more error messages:

# warning: include_once() [function.include]: Failed opening 'DB.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/user/public_html/sites/all/modules/cas/phpcas-0.6.0-1/source/PGTStorage/pgt-db.php on line 11.
# warning: Cannot modify header information - headers already sent by (output started at /home/user/public_html/sites/all/modules/cas/phpcas-0.6.0-1/source/PGTStorage/DB.php:2) in /home/user/public_html/includes/common.inc on line 141.

#26

metzlerd - July 29, 2009 - 15:06

Wow how very frustrating.... Glad you found it though..

#27

metzlerd - July 29, 2009 - 15:13

regety,

Try renaming your phpcas-0.6.0-1 etc directory to simply CAS. The CAS module really expects to find the cas client in the CAS folder.

You might check permissions on your DB.php, since it doesn't really look like it's finding it.

Dave

#28

regety - July 29, 2009 - 16:05

I renamed phpcas-0.6.0-1 directory to CAS. What did you mean by "etc"?
Client.php file is now in CAS/source so I wrote in cas.module line 9:

require_once ('CAS/source/CAS.php');

I also gave DB.php 777 permissions.

This didn't make any changes, I still get empty page when I push the cas login button.

If I log in with drupal's basic login, I arrive at an empty page (which had the text of DB.php when I put some text in there).
Then I have to erase from the end of the url until a / sign, before I arrive at the place I'm supposed to.
The same thing also happens when I save the configuration for cas, and when I log out.

I get the following errors:

* warning: Cannot modify header information - headers already sent by (output started at /home/user/public_html/sites/all/modules/cas/CAS/source/PGTStorage/DB.php:2) in /home/user/public_html/includes/session.inc on line 97.
* warning: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent in /home/user/public_html/includes/session.inc on line 100.

#29

metzlerd - July 29, 2009 - 16:29

regety.

As you know it should be CAS/cas.php. But that's not your problem. I would recommend that you do your cas install in that way so you can deal with upgrades.

The "headers already sent" error is because you've got a non-empty file in DB.php. Normally when I create these files I just touch them, but you can make them with an editor if you want. It's important that it doesn't try and generate even a single space for display. That's what the "headers already sent by output started..." means. This is getting in the way of phpCAS's ability to do browser redirects. Make your DB.php file be just an empty file or the following without the php close tag:

<?php

#30

regety - August 2, 2009 - 19:16

Ok, thanks, I didn't know my DB.php file wasn't empty because it seemed to be. Deleting and recreating it helped, I'm now redirected as expected.

Now I'm still having trouble with getting to the cas login page. I'm testing this on localhost; it shouldn't be a problem? I have to go to my drupal sites this way: site.com/linkki. So then I'm writing to CAS server in configuration: cserver.com, and to CAS URI: /linkki/cas. I've also tried just "cas". What am I doing wrong here? When I push the cas login button, it tries to go to:

https://cserver.com/linkki/cas/login?service=http%3A%2F%2Fcclient.com%2F...
which results in "cserver.com server not found".

I tried making it http://cserver.com/linkki/cas/login?service=http%3A%2F%2Fcclient.com%2Fl...
then it finds the server, but gives this error:

Not Found

The requested URL /linkki/cas/login was not found on this server.
Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch Server at cserver.com Port

:O

#31

metzlerd - August 3, 2009 - 15:17

The CAS client is finicky about having SSL set up. So you need to make sure that your drupal (cas server) site is accessible via https://cserver.com/linkki before you can expect the client to work. The client only does ssl. Don't worry about navigating to the client until you can make sure of that.

Dave
