CAS

Revision as of 12:11, 30 April 2009 by Adam Franco (talk | contribs)

About

Middlebury College uses the Central Authentication Service (CAS)[1], developed by Yale and maintained by Jasig, for single sign-on to our suite of web-based applications.

Supported Applications

Applications currently using CAS

Applications currently being converted to CAS

CASifying applications

In this section you will find instructions for adding CAS support to your web applications.

  • CAS is a service for providing authentication, answering the question: Who is this person?
  • CAS does not provide authorization. It does not answer the question: What can this person do?

Valid assumptions

Applications are free to make the following assumptions in relation to CAS.

  • User identifiers are unique - The identifier returned to an application from CAS will always uniquely identify a user.
  • User identifiers are unchanging - Changes in a user's status or name will not change their identifier.
  • The MemberOf (group membership attribute) is authoritative - Applications may use the MemberOf attribute to determine roles and authorizations. The values of this attribute are institutionally defined.

Invalid assumptions

Applications should not make the following assumptions in relation to CAS.

  • Authentication implying authorization - Authentication (and the receipt of a user id) does not imply that a user has any official status in relation to Middlebury College. Anyone can register for a visitor account (coming soon) that they can use to log in. Group membership (the MemberOf attribute) or a list of authorized ids should be checked to determine authorization within an application.
  • The user identifier implying meaning - Applications should treat the user identifier as an opaque integer with up to 10 digits. No meaning should be inferred from the value of the identifier.
  • Additional attributes exist and have been verified - Only the MemberOf attribute can be trusted to be authoritative. All other attributes -- such as FirstName, LastName, Email, etc. -- may or may not exist and may contain values self-submitted by visitors.

Useful Groups

Every application has its own needs for access and the roles that should be given for various users. Some applications are completely open to public usage, others authorize access to anyone officially associated with the institution, and still others restrict authorization to very limited groups of users. Applications should use the MemberOf attribute to determine membership in groups. Some groups will contain just users that are officially associated with the institution, others will contain just visitors, and still others will contain a mixture of both visitors and institutionally-associated users.

For reference, here are some groups that applications may find useful for common cases:

  • CN=All Staff,OU=General,OU=Groups,DC=middlebury,DC=edu
  • CN=All Faculty,OU=General,OU=Groups,DC=middlebury,DC=edu
  • CN=students,OU=Students_By_Year,OU=Groups,DC=middlebury,DC=edu
  • CN=All LS People,OU=LS Lists,OU=Groups,DC=middlebury,DC=edu
  • CN=All LS Faculty,OU=LS Lists,OU=Groups,DC=middlebury,DC=edu
  • CN=MIIS Faculty,OU=Groups,DC=middlebury,DC=edu
  • CN=MIIS Staff,OU=Groups,DC=middlebury,DC=edu
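The following script is an added example (it is not code from this wiki page or from the phpCAS project) showing how an application enforces the rules above: it authenticates with phpCAS, then authorizes the user only if the MemberOf attribute contains one of the group DNs listed on this page, treating the user id as an opaque string and every other attribute as untrusted display data. The phpCAS bootstrap lines and the group DNs are the ones given on this page; the helper names, the "/path/to/phpCAS" location and the assumption that phpCAS returns a multi-valued MemberOf as an array (and a single value as a string) are assumptions of this example.

```php
<?php
// Added example: CAS authentication followed by a MemberOf-based
// authorization check. Not part of the original page or of phpCAS.
require_once "/path/to/phpCAS/source/CAS.php";

phpCAS::client(CAS_VERSION_2_0, 'login.middlebury.edu', 443, '/cas/');
phpCAS::setNoCasServerValidation(); // as in step 5 above; validate the certificate where possible
phpCAS::forceAuthentication();

// Groups allowed into this (hypothetical) application, taken from the list above.
$allowedGroups = array(
    'CN=All Staff,OU=General,OU=Groups,DC=middlebury,DC=edu',
    'CN=All Faculty,OU=General,OU=Groups,DC=middlebury,DC=edu',
);

/**
 * Normalize the MemberOf attribute to a list of DN strings.
 * Assumption: a user in several groups gets an array, a user in one
 * group gets a plain string, and a missing attribute means no groups.
 */
function memberOfGroups(array $attributes) {
    if (!isset($attributes['MemberOf'])) {
        return array();
    }
    $raw = $attributes['MemberOf'];
    return is_array($raw) ? array_values($raw) : array($raw);
}

/**
 * True only if the user is in at least one allowed group (fail closed).
 * DNs are compared case-insensitively because directory DNs are.
 */
function isAuthorized(array $attributes, array $allowedGroups) {
    $allowed = array_map('strtolower', $allowedGroups);
    foreach (memberOfGroups($attributes) as $dn) {
        if (in_array(strtolower($dn), $allowed, true)) {
            return true;
        }
    }
    return false;
}

// The user id is opaque: keep it as a string for session/database keys, never parse it.
$userId = phpCAS::getUser();
$attributes = phpCAS::getAttributes();

if (!isAuthorized($attributes, $allowedGroups)) {
    header('HTTP/1.1 403 Forbidden');
    echo 'Authenticated, but not authorized to use this application.';
    exit;
}

// Only MemberOf is authoritative; FirstName may be absent or self-submitted,
// so it is escaped and shown, but nothing is decided based on it.
$displayName = isset($attributes['FirstName'])
    ? htmlspecialchars($attributes['FirstName'])
    : 'user ' . htmlspecialchars($userId);
echo '<p>Welcome, ' . $displayName . '.</p>';
```

Keeping the group check in a function that takes the attribute array makes it easy to unit-test with constructed attribute arrays (string, array and missing MemberOf) without a live CAS server, and the 403 path makes the distinction between "authenticated" and "authorized" explicit in the application.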

PHP

The best way to enable your PHP application to authenticate against CAS is to use the phpCAS library and the methods contained therein. The official phpCAS library will authenticate successfully against our CAS server; however, it does not support access to the attributes that we include in our CAS responses. It is recommended that you download our own version of the phpCAS library, which includes attribute support.

Additional documentation about the phpCAS library is available on the CAS wiki.

Step by Step

  1. Download our version of the phpCAS library and unzip it where it can be accessed by your application code.
  2. Include the phpCAS library in your code
    <?php require_once "/path/to/phpCAS/source/CAS.php"; ?>
  3. Optional - Enable debug-mode for testing purposes:
    <?php phpCAS::setDebug(); ?>
  4. Configure and initialize phpCAS:
    <?php phpCAS::client(CAS_VERSION_2_0,'login.middlebury.edu', 443,'/cas/'); ?>
  5. It is preferred to have your application validate the SSL certificate of the CAS server:
    documentation to come...
    However, if this is not possible, use the following line to skip CAS server certificate validation:
    <?php phpCAS::setNoCasServerValidation(); ?>
  6. Force authentication when a user tries to view the page:
    <?php phpCAS::forceAuthentication(); ?>
  7. Contact one of the CAS administrators (Adam Franco or Ian McBride) with the URL of your application so that they can add it to the list of allowed applications.

Example Usage

Below is an example PHP script that will authenticate against the CAS server and print out the user id and attributes.

<?php

require_once "/path/to/phpCAS/source/CAS.php";

// set debug mode
phpCAS::setDebug();

// initialize phpCAS
phpCAS::client(CAS_VERSION_2_0,'login.middlebury.edu', 443,'/cas/');

// no SSL validation for the CAS server
phpCAS::setNoCasServerValidation();

// force CAS authentication
phpCAS::forceAuthentication();

// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().

// logout if desired
if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}

// for this test, simply print that the authentication was successful
?>
<html>
<head>
<title>Simple CAS client</title>
</head>
<body>
<h1>Testing CAS</h1>
<h2>Successful Authentication!</h2>
<p>the user's id is <b><?php echo phpCAS::getUser(); ?></b>.</p>
<p>phpCAS version is <b><?php echo phpCAS::getVersion(); ?></b>.</p>
<p><a href="?logout=">Logout</a></p>
<hr/>
<pre>
<?php print_r(phpCAS::getAttributes()); ?>
</pre>
</body>
</html>