CAS

Authentication | Users | Password
---|---|---
✔ | |
Presentation
LL::NG can delegate authentication to a CAS server. This requires the Perl CAS module.
Tip
LL::NG can also act as a CAS server, which allows one to interconnect two LL::NG systems.
LL::NG can also request proxy tickets for its protected services. Proxy tickets are collected at authentication time and stored in the user session under keys of the form:

_casPT<serviceID> = <proxy ticket value>

They can then be forwarded to applications through HTTP headers.
Tip
CAS authentication automatically adds a logout forward rule pointing to the CAS server logout URL, so that the CAS session is closed on LL::NG logout.
Configuration
In Manager, go to General Parameters > Authentication modules and choose CAS for authentication.
Tip
You can then choose any other module for users and password.
Then, go to CAS parameters:
Authentication level: Authentication level for this module
Attention
Browser implementations of the CSP form-action directive are inconsistent: Chrome applies it to the redirect that follows the login form submission and blocks the redirect to the CAS server, whereas Firefox does not. Administrators may have to adjust the form-action value, either by adding the CAS server origin or by using a wildcard like *.
In Manager, go to General Parameters > Advanced Parameters > Security > Content Security Policy > Form destination.
Then create CAS servers in the Manager.
Exported Attributes
The attributes defined here will completely replace any attributes you
may have declared in the global CAS Service
configuration. In order
to re-use the global configuration, simply set this section to an empty
list.
Proxied services
In this section, set the list of services for which a proxy ticket is requested:
Key: Service ID
Value: Service URL (CAS service identifier)
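As an added example (not code from the LemonLDAP::NG project), the following Python walks through the CAS proxy exchange behind this Proxied services list and the _casPT<serviceID> session keys described in the Presentation: service ticket validation with a pgtUrl, the pgtIou/pgtId callback from the CAS server, one /proxy request per proxied service, and the /proxyValidate check that the receiving application should perform on the proxy chain. The server URLs, service IDs, ticket values and CAS responses are constructed for the example; the XML shapes are those of the CAS 2.0 protocol.

```python
# Added example, not LemonLDAP::NG code: the CAS proxy exchange that yields
# the _casPT<serviceID> session keys, run against constructed CAS responses.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Hypothetical values: the CAS server, the pgtUrl callback exposed by the
# portal, and the Manager's "Proxied services" list (Key: ID, Value: URL).
CAS_SERVER = "https://cas.example.com/cas"
PGT_CALLBACK = "https://auth.example.com/cas/proxy"
PROXIED_SERVICES = {"mail": "https://mail.example.com/",
                    "wiki": "https://wiki.example.com/"}

def parse_validate(xml_text):
    """Parse a /serviceValidate or /proxyValidate answer.
    Returns (user, pgt_iou, proxies); raises ValueError on failure."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        fail = root.find("cas:authenticationFailure", CAS_NS)
        code = fail.get("code") if fail is not None else "malformed response"
        raise ValueError("CAS validation failed: %s" % code)
    user = ok.findtext("cas:user", namespaces=CAS_NS)
    pgt_iou = ok.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)
    proxies = [p.text for p in ok.findall("cas:proxies/cas:proxy", CAS_NS)]
    return user, pgt_iou, proxies

def parse_proxy(xml_text):
    """Parse a /proxy answer; returns the proxy ticket or raises ValueError."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:proxySuccess", CAS_NS)
    if ok is None:
        fail = root.find("cas:proxyFailure", CAS_NS)
        code = fail.get("code") if fail is not None else "malformed response"
        raise ValueError("CAS proxy request failed: %s" % code)
    return ok.findtext("cas:proxyTicket", namespaces=CAS_NS)

def collect_proxy_tickets(validate_xml, pgt_store, fetch, services=PROXIED_SERVICES):
    """Authentication phase on the portal side.
    validate_xml: /serviceValidate answer obtained with pgtUrl=PGT_CALLBACK.
    pgt_store: {pgtIou: pgtId}, filled when the CAS server calls PGT_CALLBACK.
    fetch: callable(url) -> XML text, injected so the example runs offline.
    Returns the session keys to store: {"_casPT<serviceID>": proxy ticket}."""
    _user, pgt_iou, _proxies = parse_validate(validate_xml)
    if pgt_iou is None or pgt_iou not in pgt_store:
        return {}  # no PGT callback happened: proxy mode unavailable
    pgt_id = pgt_store[pgt_iou]
    session = {}
    for service_id, service_url in services.items():
        query = urlencode({"pgt": pgt_id, "targetService": service_url})
        session["_casPT" + service_id] = parse_proxy(fetch(CAS_SERVER + "/proxy?" + query))
    return session

def accept_proxy_ticket(proxy_validate_xml, trusted_proxies):
    """Application side: a service handed a proxy ticket (e.g. in a header)
    validates it with /proxyValidate and accepts only a trusted proxy chain."""
    user, _iou, proxies = parse_validate(proxy_validate_xml)
    if not proxies or any(p not in trusted_proxies for p in proxies):
        raise ValueError("untrusted proxy chain: %r" % proxies)
    return user

def rejects(fn, *args):
    """True if fn(*args) raises ValueError (used to check failure paths)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False

# Constructed responses standing in for the live CAS server.
VALIDATE_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>dwho</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d2sfa</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
VALIDATE_FAIL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>bad</cas:authenticationFailure>
</cas:serviceResponse>"""
PROXY_VALIDATE_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>dwho</cas:user>
    <cas:proxies><cas:proxy>https://auth.example.com/cas/proxy</cas:proxy></cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
# pgtIou -> pgtId pair received on PGT_CALLBACK?pgtIou=...&pgtId=...
PGT_STORE = {"PGTIOU-84678-8a9d2sfa": "PGT-123-abc"}

def fake_fetch(url):
    """Stands in for an HTTPS GET on /proxy: one ticket per targetService."""
    target = parse_qs(urlsplit(url).query)["targetService"][0]
    ticket = "PT-1856392-" + urlsplit(target).hostname.split(".")[0]
    return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
            "<cas:proxySuccess><cas:proxyTicket>%s</cas:proxyTicket>"
            "</cas:proxySuccess></cas:serviceResponse>" % ticket)

if __name__ == "__main__":
    print(collect_proxy_tickets(VALIDATE_OK, PGT_STORE, fake_fetch))
    print(accept_proxy_ticket(PROXY_VALIDATE_OK, {PGT_CALLBACK}))
```

The application-side check matters: a proxy ticket proves that some CAS client holding a PGT asked for it, so a service that forwards tickets from headers should compare the cas:proxies chain against the pgtUrl of the LL::NG portal it expects, not merely check that validation succeeded.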
Options
Server URL (required): CAS server URL (must use https://)
Renew authentication (default: disabled): Force authentication renewal on CAS server
Gateway authentication (default: disabled): Force transparent authentication on CAS server
Comment: set a comment
Display
Used only if at least 2 CAS servers are declared
Name: Name of the CAS server
Logo: Logo of the CAS server
Tooltip: Information displayed on mouse over the button
Resolution rule: Rule that will be applied to preselect a CAS server for a user. You have access to all environment variables (like user IP address) and all session keys. Note that $env->{REMOTE_ADDR} is the address of the peer connecting to LL::NG, so behind a reverse proxy it is the proxy's address unless trusted proxies are configured.
For example, to preselect this server for users coming from the 192.168.0.0/16 network:
$env->{REMOTE_ADDR} =~ /^192\.168\./
To preselect this server when the MY_SRV choice is selected:
$_choice eq "MY_SRV"
Order: Used for sorting CAS server
Tip
If no proxied services are defined, CAS authentication will not activate the CAS proxy mode with this CAS server.
Manual IDP Selection
When using multiple CAS servers, LemonLDAP::NG will display an additional choice screen to let the user decide which server they want to use.
In addition to the resolution rule described above, you can also use the idp URL parameter to automatically select a CAS server for the user: https://auth.example.com/?idp=srv-example