documentation:2.1:authcas

Differences

This shows you the differences between two versions of the page.

documentation:2.1:authcas [2019/04/10 22:22] (current)
Line 1: Line 1:
 +====== CAS======
 +
 +^Authentication ^ Users ^ Password ^
 +|  ✔  | | |
 +
 +===== Presentation =====
 +
 +LL::NG can delegate authentication to a CAS server. This requires [[http://sourcesup.cru.fr/projects/perlcas/|Perl CAS module]].
 +
 +<note tip>LL::NG can also act as [[idpcas|CAS server]], that allows one to interconnect two LL::NG systems.</note>
 +
 +LL::NG can also request proxy tickets for its protected services. Proxy tickets will be collected at authentication phase and stored in user session under the form:
 +
 +''_casPT''**serviceID** = **Proxy ticket value**
 +
 +They can then be forwarded to applications trough [[writingrulesand_headers#headers|HTTP headers]].
 +
 +<note tip>CAS authentication will automatically add a [[logoutforward|logout forward rule]] on CAS server logout URL in order to close CAS session on LL::NG logout.</note>
 +
 +===== Configuration =====
 +
 +In Manager, go in ''General Parameters'' > ''Authentication modules'' and choose CAS for authentication.
 +
 +<note tip>You can then choose any other module for users and password.</note>
 +
 +<note important>
 +Browser implementations of formAction directive are inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome does).
 +Administrators may have to modify formAction value with wildcard likes *.
 +
 +In Manager, go in : 
 +
 +''General Parameters'' > ''Advanced Parameters'' > ''Security'' > ''Content Security Policy'' > ''Form destination''
 +</note>
 +
 +Then, go in ''CAS parameters'':
 +  * **Authentication level**: authentication level for this module.
 +
 +Then create the list of CAS servers in the manager. For each, set:
 +  * **Server URL** //(required)//: CAS server URL (must use %%https://%%)
 +  * **Renew authentication** //(default: disabled)//: force authentication renewal on CAS server
 +  * **Gateways authentication** //(default: disabled)//: force transparent authentication on CAS server
 +  * **Display Name**: Name to display. Required if you have more than 1 CAS server declared
 +  * **Icon**: Path to CAS Server icon. Used only if you have more than 1 CAS server declared
 +  * **Order**: Number to sort CAS Servers display
 +  * **Proxied services**: list of services for which a proxy ticket is requested:
 +    * **Key**: Service ID
 +    * **Value** Service URL (CAS service identifier)
 +
 +<note tip>If no proxied services defined, CAS authentication will not activate the CAS proxy mode with this CAS server.</note>
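Review bot: The "important" note under Configuration tells administrators to set the Content Security Policy "Form destination" (formAction) value to a wildcard like *, which removes the restriction on where forms may post for the whole portal. Since each CAS server is already declared with an explicit "Server URL" that must use https://, the note should recommend adding those CAS server origins to "Form destination" and mention the wildcard only as a last resort, with a sentence on what it gives up. Smaller points in the same hunk: "trough" should be "through" in the proxy ticket paragraph, "wildcard likes *" should read "a wildcard like *", the "Value" sub-item is missing the colon that "Key" has, and "Gateways authentication ... force transparent authentication" would be clearer if it said what happens when the user has no CAS session.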