CAS
===
============== ===== ========
Authentication Users Password
============== ===== ========
✔
============== ===== ========
Presentation
------------
LL::NG can delegate authentication to a CAS server. This requires `Perl
CAS module `__.
.. tip::
LL::NG can also act as :doc:`CAS server`, that allows
one to interconnect two LL::NG systems.
LL::NG can also request proxy tickets for its protected services. Proxy
tickets will be collected at authentication phase and stored in user
session under the form:
``_casPT`` = **Proxy ticket value**
They can then be forwarded to applications through
:ref:`HTTP headers`.
.. tip::
CAS authentication will automatically add a
:doc:`logout forward rule` on CAS server logout URL in
order to close CAS session on LL::NG logout.
Configuration
-------------
In Manager, go in ``General Parameters`` > ``Authentication modules``
and choose CAS for authentication.
.. tip::
You can then choose any other module for users and
password.
Then, go in ``CAS parameters``:
- **Authentication level**: Authentication level for this module
.. attention::
Browser implementations of formAction directive are inconsistent
(e.g. Firefox doesn't block the redirects whereas Chrome does).
Administrators may have to modify formAction value with wildcard
likes \*.
In Manager, go in :
``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
``Content Security Policy`` > ``Form destination``
Then create CAS servers in the Manager.
Exported Attributes
~~~~~~~~~~~~~~~~~~~
The attributes defined here will completely replace any attributes you
may have declared in the global ``CAS Service`` configuration. In order
to re-use the global configuration, simply set this section to an empty
list.
Proxied services
~~~~~~~~~~~~~~~~
In this section, set the list of services for which a proxy ticket is
requested:
- **Key**: Service ID
- **Value**: Service URL (CAS service identifier)
Options
~~~~~~~
- **Server URL** *(required)*: CAS server URL (must use \https://)
- **Renew authentication** *(default: disabled)*: Force authentication
renewal on CAS server
- **Gateways authentication** *(default: disabled)*: Force transparent
authentication on CAS server
- **Comment**: set a comment
Display
~~~~~~~
Used only if at least 2 CAS servers are declared
- **Name**: Name of the CAS server
- **Logo**: Logo of the CAS server
- **Tooltip**: Information displayed on mouse over the button
- **Resolution rule**: Rule that will be applied to preselect a CAS server for
a user. You have access to all environment variables *(like user IP address)*
and all session keys
For example, to preselect this server for users coming from 129.168.0.0/16 network
::
$ENV{REMOTE_ADDR} =~ /^192\.168/
To preselect this server when the ``MY_SRV`` :doc:`choice ` is selected ::
$_choice eq "MY_SRV"
- **Order**: Used for sorting CAS server
.. tip::
If no proxied services are defined, CAS authentication will not
activate the CAS proxy mode with this CAS server.