documentation:latest:idpcas [2019/01/24 17:07]
127.0.0.1 external edit
documentation:latest:idpcas [2019/04/30 20:20]
====== CAS server ======

===== Presentation =====

LL::NG can be used as a CAS server. This allows LL::NG to federate with:
  * Another LL::NG instance configured for [[authcas|CAS authentication]]
  * Any CAS consumer

LL::NG is compatible with the [[https://jasig.github.io/cas/development/protocol/CAS-Protocol-Specification.html|CAS protocol]] versions 1.0, 2.0 and part of 3.0 (attributes exchange).

===== Configuration =====

==== Enabling CAS ====

In the Manager, go to ''General Parameters'' » ''Issuer modules'' » ''CAS'' and configure:
  * **Activation**: set to ''On''.
  * **Path**: it is recommended to keep the default value (''^/cas/'').

==== Configuring the CAS Service ====

Then go to ''CAS Service'' to define:
  * **CAS login**: the session key transmitted to the CAS client as the main identifier (the CAS principal).
  * **CAS attributes**: list of attributes transmitted by default in the validate response. Keys are the attribute names in the CAS response, values are the names of the session keys.
  * **Access control policy**: defines whether access control is enforced on the CAS service. Three options:
    * **none**: no access control. The CAS service accepts non-declared CAS applications and ignores access control rules. This is the default.
    * **error**: if the user has no access, an error is shown on the portal and the user is not redirected to the CAS service.
    * **faketicket**: if the user has no access, a fake ticket is built and the user is redirected to the CAS service. The CAS service then has to display a proper error when service ticket validation fails.
  * **CAS session module name and options**: choose a specific module if you do not want to mix CAS sessions and normal sessions (see [[samlservice#saml_sessions_module_name_and_options|why]]).

<note tip>If ''CAS login'' is not set, LL::NG uses the ''General Parameters'' » ''Logs'' » ''REMOTE_USER'' data, which is set to ''uid'' by default.</note>

==== Configuring CAS Applications ====

If an access control policy other than ''none'' is specified, applications that want to authenticate users through the CAS protocol must be declared before LemonLDAP::NG will issue service tickets for them.

Go to ''CAS Applications'' and then ''Add CAS Application''. Give it a technical name (no spaces, no special characters), like "app-example".

You can then access the configuration of this application.

=== Options ===

  * **Service URL**: the service (user-facing) URL of the CAS-enabled application.
  * **Rule**: the access control rule to enforce on this application. If left blank, access is allowed for everyone.

<note important>If the access control policy is set to ''none'', this rule is ignored.</note>

=== Exported Attributes ===

You may add a list of attributes that will be transmitted in the validate response. Keys are the attribute names in the CAS response, values are the names of the session keys.

The attributes defined here completely replace any attributes declared in the global ''CAS Service'' configuration. To re-use the global configuration, simply leave this section as an empty list.
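
As an added example (not LL::NG code), here is how a CAS client would consume the ''serviceValidate'' response produced by the CAS service and exported attributes described above, including the rejection a client must handle after a ''faketicket'' redirect. Both XML documents are constructed samples; the ''dwho'' principal and the ''mail''/''cn'' attribute names are assumptions.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample: successful CAS 3.0 validation with attribute exchange.
# The element names under cas:attributes are the keys of "CAS attributes"
# (or the application's "Exported Attributes"); the values come from session keys.
SUCCESS_XML = b"""<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>dwho</cas:user>
    <cas:attributes>
      <cas:mail>dwho@example.com</cas:mail>
      <cas:cn>Doctor Who</cas:cn>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: what a client gets back under the "faketicket" policy,
# where the ticket is deliberately invalid and validation must fail.
FAILURE_XML = b"""<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-fake not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


class CasValidationError(Exception):
    """The CAS server did not validate the service ticket: deny access."""


def parse_service_validate(body: bytes) -> dict:
    """Return {'user': principal, 'attributes': {name: [values]}} or raise."""
    root = ET.fromstring(body)  # use defusedxml for untrusted input in production
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        # Any failure is a hard deny; surface the code so the application can
        # show a meaningful error page instead of a blank or misleading one.
        code = failure.get("code", "UNKNOWN")
        raise CasValidationError(f"{code}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise CasValidationError("malformed response: no success or failure element")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    if not user:
        raise CasValidationError("malformed response: empty cas:user")
    attrs: dict = {}
    for elem in success.findall("cas:attributes/*", CAS_NS):
        name = elem.tag.split("}", 1)[-1]  # strip the namespace URI
        attrs.setdefault(name, []).append((elem.text or "").strip())
    return {"user": user, "attributes": attrs}
```

Multi-valued attributes are returned as lists because CAS 3.0 repeats the element once per value.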