Differences

This shows you the differences between two versions of the page.

documentation:latest:idpcas [2017/11/20 14:47]
xguimard Spelling errors
documentation:latest:idpcas [2019/04/30 20:20] (current)
Line 3: Line 3:
 ===== Presentation ===== ===== Presentation =====
  
-LL::NG can act as an CAS server, that can allow one to federate LL::NG with: +LL::NG can be used as CAS server. It can allow one to federate LL::NG with: 
-  * Another ​LL::NG system configured with [[authcas|CAS authentication]]+  * Another [[authcas|CAS authentication]] ​LL::NG provider
   * Any CAS consumer   * Any CAS consumer
  
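Review bot: the rewritten first bullet ("Another CAS authentication LL::NG provider") reads worse than the old one and misnames the role: in this federation the other LL::NG instance is the CAS client consuming tickets, not a provider. Suggest "Another LL::NG instance configured with [[authcas|CAS authentication]]". The new lead sentence also drops an article: "can be used as a CAS server".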
Line 10: Line 10:
  
 ===== Configuration ===== ===== Configuration =====
 +
 +==== Enabling CAS ====
  
 In the Manager, go in ''​General Parameters''​ » ''​Issuer modules''​ » ''​CAS''​ and configure: In the Manager, go in ''​General Parameters''​ » ''​Issuer modules''​ » ''​CAS''​ and configure:
   * **Activation**:​ set to ''​On''​.   * **Activation**:​ set to ''​On''​.
-  * **Path**: keep ''​^/​cas/'' ​unless you have change [[configlocation#​portal|Apache portal configuration]] file. +  * **Path**: ​it is recommended to keep the default value (''​^/​cas/''​) 
-  * **Use rule**: a rule to allow user to use this module, set to 1 to always allow.+  * **Use rule**: a rule to allow user to use this module, set to ''​1'' ​to always allow.
  
 <note tip> <note tip>
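Review bot: the Path bullet now says keeping ''^/cas/'' is recommended but removes the reason the old text gave, that the path has to match the portal's web server configuration; a reader who changes it no longer learns what else must change. Suggest keeping the cross-reference: "keep the default value (''^/cas/'') unless you have changed the [[configlocation#portal|portal web server configuration]]". Minor: "a rule to allow user" should be "a rule to allow a user".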
Line 23: Line 25:
 </​note>​ </​note>​
  
-<note important>​ +==== Configuring the CAS Service ====
-Rewrite rules must have been activated in [[configlocation#​portal|Apache portal configuration]] or in [[configlocation#​portal1|Nginx portal configuration]]. +
-</​note>​+
  
-Then go in ''​Options''​ to define: +Then go in ''​CAS Service''​ to define: 
-  * **CAS login**: the session key used to fill user login (value will be transmitted to CAS clients). +  * **CAS login**: the session key transmitted to CAS client as the main identifier (CAS Principal). This setting can be overriden per-application
-  * **CAS attributes**:​ list of attributes that will be transmitted in validate response. Keys are the name of attribute in the CAS response, values are the name of session key.+  * **CAS attributes**:​ list of attributes that will be transmitted ​by default ​in the validate response. Keys are the name of attribute in the CAS response, values are the name of session key. 
   * **Access control policy**: define if access control should be done on CAS service. Three options:   * **Access control policy**: define if access control should be done on CAS service. Three options:
-    * **none**: no access control, the server ​will answer without checking if the user is authorized for the service (this is the default)+    * **none**: no access control. The CAS service ​will accept non-declared CAS applications and ignore access control rules. This is the default.
     * **error**: if user has no access, an error is shown on the portal, the user is not redirected to CAS service     * **error**: if user has no access, an error is shown on the portal, the user is not redirected to CAS service
     * **faketicket**:​ if the user has no access, a fake ticket is built, and the user is redirected to CAS service. Then CAS service has to show a correct error when service ticket validation will fail.     * **faketicket**:​ if the user has no access, a fake ticket is built, and the user is redirected to CAS service. Then CAS service has to show a correct error when service ticket validation will fail.
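Review bot: the new description of ''none'' (non-declared applications accepted, access control rules ignored) is accurate, but its consequence is left to the reader: with this default, any service URL a browser is sent to is accepted and the resulting ticket validates with the configured attributes, so every declared rule in this section is inert until the policy is changed. Suggest an explicit warning next to "This is the default" that ''error'' or ''faketicket'' must be selected for the per-application rules to take effect. Two smaller points: "overriden" should be "overridden", and the deleted <note important> about rewrite rules being required in the Apache/Nginx portal configuration has no replacement in this diff, so that requirement is now undocumented.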
Line 37: Line 37:
  
 <note tip>If ''​CAS login''​ is not set, it uses ''​General Parameters''​ » ''​Logs''​ » ''​REMOTE_USER''​ data, which is set to ''​uid''​ by default</​note>​ <note tip>If ''​CAS login''​ is not set, it uses ''​General Parameters''​ » ''​Logs''​ » ''​REMOTE_USER''​ data, which is set to ''​uid''​ by default</​note>​
 +
 +==== Configuring CAS Applications ====
 +
 +If an access control policy other than ''​none''​ is specified, applications that want to authenticate users through the CAS protocol have to be declared before LemonLDAP::​NG accepts to issue service tickets for them. 
 +
 +Go to ''​CAS Applications''​ and then ''​Add CAS Application''​. Give a technical name (no spaces, no special characters),​ like "​app-example"​.
 +
 +You can then access the configuration of this application. ​
 +
 +=== Options ===
 +
 +  * **Service URL** : the service (user-facing) URL of the CAS-enabled application.
 +  * **User attribute** : session field that will be used as main identifier.
 +  * **Rule** : The access control rule to enforce on this application. If left blank, access will be allowed for everyone.
 +
 +<note important>​If the access control policy is set to ''​none'',​ this rule will be ignored</​note>​
 +
 +=== Exported Attributes ===
 +
 +You may add a list of attributes that will be transmitted in the validate response. Keys are the name of attribute in the CAS response, values are the name of session key.
 +
 +The attributes defined here will completely replace any attributes you may have declared in the global ''​CAS Service''​ configuration. In order to re-use the global configuration,​ simply set this section to an empty list.
 +
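Review bot: the Service URL option does not say how the configured URL is compared with the ''service'' parameter a CAS client sends (exact match, prefix match, host only); that comparison is what decides which requests the per-application rule and exported attributes apply to, so please document it. Also "accepts to issue service tickets" should be "will issue service tickets", and the example name "app-example" contains a hyphen, which contradicts "no special characters" unless hyphens are allowed; say which characters are permitted.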