114 lines
2.9 KiB
ReStructuredText
114 lines
2.9 KiB
ReStructuredText
CAS
|
|
===
|
|
|
|
============== ===== ========
|
|
Authentication Users Password
|
|
============== ===== ========
|
|
✔
|
|
============== ===== ========
|
|
|
|
Presentation
|
|
------------
|
|
|
|
LL::NG can delegate authentication to a CAS server. This requires `Perl
|
|
CAS module <http://sourcesup.cru.fr/projects/perlcas/>`__.
|
|
|
|
|
|
.. tip::
|
|
|
|
LL::NG can also act as :doc:`CAS server<idpcas>`, that allows
|
|
one to interconnect two LL::NG systems.
|
|
|
|
LL::NG can also request proxy tickets for its protected services. Proxy
|
|
tickets will be collected at authentication phase and stored in user
|
|
session under the form:
|
|
|
|
``_casPT<serviceID>`` = **Proxy ticket value**
|
|
|
|
They can then be forwarded to applications through
|
|
:ref:`HTTP headers<headers>`.
|
|
|
|
.. tip::
|
|
|
|
CAS authentication will automatically add a
|
|
:doc:`logout forward rule<logoutforward>` on CAS server logout URL in
|
|
order to close CAS session on LL::NG logout.
|
|
|
|
Configuration
|
|
-------------
|
|
|
|
In Manager, go in ``General Parameters`` > ``Authentication modules``
|
|
and choose CAS for authentication.
|
|
|
|
|
|
.. tip::
|
|
|
|
You can then choose any other module for users and
|
|
password.
|
|
|
|
|
|
.. attention::
|
|
|
|
Browser implementations of formAction directive are
|
|
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
|
|
does). Administrators may have to modify formAction value with wildcard
|
|
likes \*.
|
|
|
|
In Manager, go in :
|
|
|
|
``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
|
|
``Content Security Policy`` > ``Form destination``
|
|
|
|
Then, go in ``CAS parameters``:
|
|
|
|
- **Authentication level**: authentication level for this module.
|
|
|
|
Then create the list of CAS servers in the manager.
|
|
|
|
Options
|
|
~~~~~~~
|
|
|
|
- **Server URL** *(required)*: CAS server URL (must use https://)
|
|
- **Renew authentication** *(default: disabled)*: force authentication
|
|
renewal on CAS server
|
|
- **Gateways authentication** *(default: disabled)*: force transparent
|
|
authentication on CAS server
|
|
|
|
Proxied services
|
|
~~~~~~~~~~~~~~~~
|
|
|
|
In this section, set the list of services for which a proxy ticket is
|
|
requested:
|
|
|
|
- **Key**: Service ID
|
|
- **Value** Service URL (CAS service identifier)
|
|
|
|
Display
|
|
~~~~~~~
|
|
- **Display Name**: Name to display. Required if you have more than 1
|
|
CAS server declared
|
|
- **Icon**: Path to CAS Server icon. Used only if you have more than 1
|
|
CAS server declared
|
|
- **Resolution Rule**: rule that will be applied to preselect a CAS server for
|
|
a user. You have access to all environment variable *(like user IP address)*
|
|
and all session keys.
|
|
|
|
For example, to preselect this server for users coming from 129.168.0.0/16
|
|
network
|
|
|
|
::
|
|
|
|
$ENV{REMOTE_ADDR} =~ /^192\.168/
|
|
|
|
To preselect this server when the ``MY_SRV`` :doc:`choice <authchoice>` is selected ::
|
|
|
|
$_choice eq "MY_SRV"
|
|
|
|
- **Order**: Number to sort CAS Servers display
|
|
|
|
|
|
.. tip::
|
|
|
|
If no proxied services defined, CAS authentication will not
|
|
activate the CAS proxy mode with this CAS server.
|