<abbr title="LemonLDAP::NG">LL::NG</abbr> can be used as a <abbr title="Central Authentication Service">CAS</abbr> server. This lets you federate <abbr title="LemonLDAP::NG">LL::NG</abbr> with:
<li class="level1"><div class="li"> Another <a href="authcas.html" class="wikilink1" title="documentation:2.0:authcas">CAS authentication</a> <abbr title="LemonLDAP::NG">LL::NG</abbr> provider</div>
<li class="level1"><div class="li"> Any <abbr title="Central Authentication Service">CAS</abbr> consumer</div>
</li>
</ul>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> is compatible with the <a href="https://jasig.github.io/cas/development/protocol/CAS-Protocol-Specification.html" class="urlextern" title="https://jasig.github.io/cas/development/protocol/CAS-Protocol-Specification.html" rel="nofollow">CAS protocol</a> versions 1.0, 2.0 and part of 3.0 (attributes exchange).
In the Manager, go to <code>General Parameters</code> » <code>Issuer modules</code> » <code><abbr title="Central Authentication Service">CAS</abbr></code> and configure:
</p>
<ul>
<li class="level1"><div class="li"><strong>Activation</strong>: set to <code>On</code>.</div>
<li class="level1"><div class="li"><strong><abbr title="Central Authentication Service">CAS</abbr> login</strong>: the session key transmitted to the <abbr title="Central Authentication Service">CAS</abbr> client as the main identifier (<abbr title="Central Authentication Service">CAS</abbr> Principal). This setting can be overridden per application.</div>
<li class="level1"><div class="li"><strong><abbr title="Central Authentication Service">CAS</abbr> attributes</strong>: list of attributes that will be transmitted by default in the validate response. Keys are the attribute names in the <abbr title="Central Authentication Service">CAS</abbr> response; values are the names of the session keys. </div>
<li class="level1"><div class="li"><strong>Access control policy</strong>: defines whether access control is applied to <abbr title="Central Authentication Service">CAS</abbr> services. Three options:</div>
<li class="level2"><div class="li"><strong>none</strong>: no access control. The <abbr title="Central Authentication Service">CAS</abbr> service will accept non-declared <abbr title="Central Authentication Service">CAS</abbr> applications and ignore access control rules. This is the default.</div>
<li class="level2"><div class="li"><strong>error</strong>: if the user has no access, an error is shown on the portal and the user is not redirected to the <abbr title="Central Authentication Service">CAS</abbr> service.</div>
</li>
<li class="level2"><div class="li"><strong>faketicket</strong>: if the user has no access, a fake ticket is built and the user is redirected to the <abbr title="Central Authentication Service">CAS</abbr> service. The <abbr title="Central Authentication Service">CAS</abbr> service then has to show a proper error when service ticket validation fails.</div>
<li class="level1"><div class="li"><strong><abbr title="Central Authentication Service">CAS</abbr> session module name and options</strong>: choose a specific module if you do not want to mix <abbr title="Central Authentication Service">CAS</abbr> sessions and normal sessions (see <a href="samlservice.html#saml_sessions_module_name_and_options" class="wikilink1" title="documentation:2.0:samlservice">why</a>).</div>
<div class="notetip">If <code><abbr title="Central Authentication Service">CAS</abbr> login</code> is not set, it uses <code>General Parameters</code> » <code>Logs</code> » <code>REMOTE_USER</code> data, which is set to <code>uid</code> by default.
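<p>
With the <code>faketicket</code> policy, the CAS application learns of the refusal only when ticket validation fails, so it must handle that failure explicitly. The following added example (not part of LL::NG or of the original documentation) parses a CAS 2.0/3.0 validation response and separates a refusal from a success carrying released attributes. Both sample responses are constructed; the <code>INVALID_TICKET</code> code, the user <code>dwho</code> and the attribute names are assumptions.
</p>

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses (not captured from a real server).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>dwho</cas:user>
    <cas:attributes>
      <cas:mail>dwho@example.com</cas:mail>
      <cas:groups>users</cas:groups>
      <cas:groups>admins</cas:groups>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-constructed not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


class CasValidationError(Exception):
    """The CAS server refused the service ticket."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


def parse_service_response(xml_text):
    """Return (principal, attributes); raise CasValidationError on refusal."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in a CAS response")
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise CasValidationError(failure.get("code", "UNKNOWN"),
                                 (failure.text or "").strip())
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("no authenticationSuccess element: treat as denied")
    user = (success.findtext("cas:user", "", CAS_NS) or "").strip()
    if not user:
        raise ValueError("authenticationSuccess without cas:user")
    attributes = {}
    released = success.find("cas:attributes", CAS_NS)
    for child in (released if released is not None else []):
        name = child.tag.split("}", 1)[-1]  # strip the XML namespace
        attributes.setdefault(name, []).append((child.text or "").strip())
    return user, attributes
```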
If an access control policy other than <code>none</code> is specified, applications that want to authenticate users through the <abbr title="Central Authentication Service">CAS</abbr> protocol have to be declared before LemonLDAP::NG will issue service tickets for them.
Go to <code><abbr title="Central Authentication Service">CAS</abbr> Applications</code> and then <code>Add <abbr title="Central Authentication Service">CAS</abbr> Application</code>. Give a technical name (no spaces, no special characters), like "app-example".
You may add a list of attributes that will be transmitted in the validate response. Keys are the attribute names in the <abbr title="Central Authentication Service">CAS</abbr> response; values are the names of the session keys.
</p>
<p>
The attributes defined here will completely replace any attributes you may have declared in the global <code><abbr title="Central Authentication Service">CAS</abbr> Service</code> configuration. In order to re-use the global configuration, simply set this section to an empty list.
<li class="level1"><div class="li"><strong>Service <abbr title="Uniform Resource Locator">URL</abbr></strong>: the service (user-facing) <abbr title="Uniform Resource Locator">URL</abbr> of the <abbr title="Central Authentication Service">CAS</abbr>-enabled application.</div>
<li class="level1"><div class="li"><strong>Rule</strong>: the access control rule to enforce on this application. If left blank, access will be allowed for everyone.</div>
</li>
</ul>
<div class="noteimportant">If the access control policy is set to <code>none</code>, this rule will be ignored.
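<p>
The global and per-application settings interact, and the combined result can be reviewed before deployment. The following added example (not LL::NG code) computes, for each declared application, the effective CAS login key, the attribute list and whether its rule is actually enforced. The dictionary layout and key names are hypothetical stand-ins for the Manager fields described above, and the sample configuration is constructed.
</p>

```python
# Constructed sample; key names are hypothetical, not LL::NG configuration keys.
SAMPLE_CONF = {
    "access_control_policy": "none",          # none | error | faketicket
    "cas_login": "",                          # empty: fall back to REMOTE_USER key
    "cas_attributes": {"mail": "mail", "cn": "cn"},
    "applications": {
        "app-example": {
            "service_url": "https://app.example.com/",
            "rule": "$uid eq 'dwho'",
            "attributes": {"email": "mail"},  # replaces the global list entirely
        },
        "app-open": {
            "service_url": "https://open.example.com/",
            "rule": "",
            "attributes": {},                 # empty: re-use the global list
        },
    },
}


def effective_settings(conf):
    """Return ({app: effective settings}, [warnings]) for a CAS issuer config."""
    policy = conf.get("access_control_policy", "none")   # page: default is none
    login_default = conf.get("cas_login") or conf.get("remote_user_key", "uid")
    warnings = []
    if policy == "none":
        warnings.append("policy 'none': non-declared CAS applications are accepted")
    result = {}
    for name, app in conf.get("applications", {}).items():
        rule = (app.get("rule") or "").strip()
        if policy == "none" and rule:
            warnings.append(f"{name}: rule is ignored while policy is 'none'")
        elif policy != "none" and not rule:
            warnings.append(f"{name}: blank rule allows access for everyone")
        result[name] = {
            "login": app.get("cas_login") or login_default,
            "attributes": app.get("attributes") or conf.get("cas_attributes", {}),
            "rule_enforced": policy != "none" and bool(rule),
        }
    return result, warnings
```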