This documentation does not apply to Drupal 8 and higher. See the new documentation instead.

Before you begin, you will need access to a working CAS server.

phpCAS Installation

The CAS module relies on the third-party library phpCAS, which must also be installed and configured.

  1. (Recommended) Install the Libraries API. Then download phpCAS and extract it so that sites/all/libraries/CAS/CAS.php exists. For example:
    $ cd sites/all/libraries
    $ curl http://downloads.jasig.org/cas-clients/php/current.tgz | tar -xz
    $ mv CAS-* CAS
    
  2. If Libraries API is not installed, you may extract phpCAS anywhere and configure the location in the CAS module settings (which you can navigate to by following the "Configuring CAS" instructions below).

Configuring CAS

Navigate to the CAS module configuration page at

  • Admin >> User management >> CAS Settings (Path is /admin/user/cas) (D6)
  • Admin >> Configuration >> People >> CAS settings (Path is /admin/config/people/cas) (D7)

Library (phpCAS)

If phpCAS has been successfully installed, the version number of phpCAS will be displayed. Otherwise information is provided to help you install and configure phpCAS.

CAS Server

Enter the CAS server location. For example, if the CAS server is at https://www.example.com/cas, enter

  • Hostname or IP Address: www.example.com
  • Port: 443
  • URI: /cas

For extra security, you may also provide the PEM certificate of the Certificate Authority that issued the CAS server's certificate.

Login Form

These settings control how users may log into CAS using the user login form, either as displayed in a block or at user/login. Many installations will choose "Add link to login forms" or "Make CAS login default on login forms."

Additionally, the phrases used on the login forms may be customized for your particular brand.

User Accounts

Each CAS user must have a Drupal account before they can log in. By default, the administrator must create the account and then assign the CAS username to the account.

Selecting "Automatically create Drupal accounts" lets the administrator skip pre-creating Drupal accounts; instead, a Drupal account is created automatically the first time a CAS user logs in.

By default, the Drupal account will be created with a bare minimum of information:

  • Name: CAS username
  • E-mail: empty
  • Roles: authenticated user
  • Password: A random string which is not displayed to the user

The e-mail address field may be populated if the e-mail addresses follow a predictable pattern based upon the CAS username — for example username@example.com.

Additional roles may also be assigned to all CAS users. These roles will be reassigned every time a CAS user logs in. Deselecting an option will not take away that role from any existing user.

The "Users cannot change email address" and "Users cannot change password" options control the user edit form when a user has logged in with CAS.

Redirection

The "Check with the CAS server to see if the user is already logged in?" option implements the Gateway feature of the CAS protocol. When a user visits the site, they will be redirected to the CAS server with the parameter gateway=true. If the user is already authenticated with the CAS server, they will be automatically logged in. If not, they will be silently redirected back to the Drupal site without being prompted for their password. This check is performed only once for users with cookies enabled. Beware: this feature may interact badly with various caching configurations.

The "Require CAS login for" options prompt for CAS authentication for anonymous users when visiting the specified pages. Users already authenticated with Drupal, even if they did not log in with CAS, will not be redirected to the CAS login server.

For example, when configuring CAS with OpenScholar, one could add site/register to the list of pages to require CAS login for.
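The two redirection rules above, modeled as an added example (this is not the CAS module's own PHP code). The function names, the Drupal URL drupal.example.org and the gateway_checked flag standing in for the module's cookie are assumptions; the CAS server values are the ones from the "CAS Server" example.

```python
from fnmatch import fnmatch
from urllib.parse import urlencode

# CAS server settings from the page's example (https://www.example.com/cas).
CAS_HOST, CAS_PORT, CAS_URI = "www.example.com", 443, "/cas"


def cas_login_url(service, gateway=False):
    """Build the CAS /login URL that sends the browser back to `service`."""
    port = "" if CAS_PORT == 443 else f":{CAS_PORT}"
    params = {"service": service}
    if gateway:
        # Gateway mode: the CAS server must not prompt for credentials.
        params["gateway"] = "true"
    return f"https://{CAS_HOST}{port}{CAS_URI}/login?{urlencode(params)}"


def decide(path, service, drupal_session=False, ticket=None,
           gateway_checked=False, gateway_enabled=True,
           required_pages=("site/register",)):
    """Return (action, detail) for one request, following the rules above.

    gateway_checked is a hypothetical flag for the cookie that records a
    completed gateway check; a browser that rejects cookies never sets it.
    """
    if drupal_session:
        return ("serve", None)              # already logged in to Drupal
    if ticket:
        return ("validate_ticket", ticket)  # back from CAS with a ticket
    if any(fnmatch(path, pattern) for pattern in required_pages):
        return ("redirect", cas_login_url(service))  # CAS may prompt
    if gateway_enabled and not gateway_checked:
        return ("redirect", cas_login_url(service, gateway=True))
    return ("serve", None)                  # anonymous, check already done


if __name__ == "__main__":
    page = "https://drupal.example.org/node/1"  # constructed sample URL
    print(decide("node/1", page))
    print(decide("node/1", page, gateway_checked=True))
    print(decide("site/register", page, gateway_checked=True))
```

The service URL is percent-encoded inside the query string, and it is the value the CAS server redirects back to, with or without a ticket.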

Login/Logout Destinations

You may configure a special page for users to be redirected to the first time they log in to the CAS site. For example, you may wish to write an introductory page which all users should be required to see once. Or, as above, you may wish for users to be redirected to site/register in an OpenScholar installation.

A logout destination may be provided if you want your users to be directed to a certain page when they log out of CAS. This is not the CAS server's URL, but rather a page on your site you would like the users to be directed to by the CAS server.

Users are redirected to the "Change password URL," if provided, when they visit user/password ("Request a new password").

Users are redirected to the "Registration URL," if provided, when they visit user/register ("Create a new account").

Login/Logout URLs

The CAS project provides two different URLs for the purposes of logging a user in or out.

/cas will redirect the user to the CAS server. If a login exists, the CAS server will send the user back to the Drupal site with a ticket and log the user in. If no login exists, the user is able to log in on the CAS server. If the login is accepted, the user will be directed back to the Drupal site and logged in.

/caslogout will log the user out of Drupal and the CAS server.

Miscellaneous & Experimental Settings

If you are having trouble authenticating with the CAS server or are experiencing errant redirection behavior, you may specify a debugging file which logs the interaction between phpCAS and the CAS server. This should be used for development only, and not on a production server.

Features

Can I integrate CAS or LDAP attributes with the CAS module?
Yes, please see the CAS Attributes module.

Can I limit the list of allowed CAS users?
Yes, see restricting allowed users.

Can I restrict access to some content to only users logged in via CAS?
Yes. Create a user role "CAS User" and configure CAS to automatically assign that role to users who log in with CAS. Then use a content access control module to restrict access to that content to users with the "CAS User" role. [Caveat: if your users can log in via either Drupal username/password or CAS, this does not ensure that they were authenticated with CAS.]

Can I redirect users to the SSL version of the site when they log in?
Yes, there are many ways to do this, including using Secure Pages, Secure Login, or a custom solution.

Comments

johnish

Hi, I'm looking for documentation on the Create new account functionality, /admin/people/cas/create

I want to know how it works, the process of what it does. Does it try to create an account on the CAS server? Does the CAS server have to allow this or is this allowed by default?

I'm told that when this form, /admin/people/cas/create, is used to create a new account, it just creates a Drupal user and does not create a CAS user account, so I am trying to learn about CAS and how the Drupal module functions.

Thanks,
John

*Edit*: Found all my answers here, http://drupal.org/node/1261232

xandermar