I guess I really should add some documentation of the module on the project's GitHub wiki. I'll get started on that this weekend.
Are you familiar with the CAS protocol as such?
Unfortunately not. I was able to install the casserver module successfully; however, I'm running into some errors (probably due to my configuration), which, if it's OK, I can post tomorrow?
<?php
// module_casserver.php
$config = [
    'legal_service_urls' => ['http://localhost'],
    'service_ticket_expire_time' => 60,
    // other config options
];
<?xml version="1.0"?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationSuccess>
<cas:user>user...@cirrusidentity.com</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>
Doing such a test will help you know if the issue is in how you configured the casserver module or if the issue is on the CAS client side.
LoadModule auth_cas_module /usr/lib64/httpd/modules/mod_auth_cas.so
CASCookiePath /var/cache/httpd/mod_auth_cas/
CASLoginURL 'https://simplesaml.anz.???.co/simplesaml/module.php/casserver/login.php'
CASValidateURL 'https://simplesaml.anz.???.co/simplesaml/module.php/casserver/serviceValidate.php'
<Location /arp>
AuthType CAS
require valid-user
</Location>
On the SimpleSAML server for module_casserver.conf it is:
$config = array(
'authsource' => 'test-sql',
'scopes' => array(),
'legal_service_urls' => array(
'https://ufastqlik.anz.???.co/arp',
),
'legal_target_service_urls' => array(),
'ticketstore' => array(
'class' => 'casserver:FileSystemTicketStore',
'directory' => 'ticketcache',
),
'attrname' => 'uid',
'attributes' => true,
'attributes_to_transfer' => array('uid', 'displayName', 'roles'),
'base64attributes' => false,
'base64_attributes_indicator_attribute' => '',
'enable_logout' => false,
'skip_logout_page' => false,
'service_ticket_expire_time' => 60,
'proxy_granting_ticket_expire_time' => 3600,
'proxy_ticket_expire_time' => 60,
);
So at this point I'm able to navigate to https://ufastqlik.anz.???.co/arp and it redirects to SimpleSAML to log in. This works successfully now that I've fixed some MySQL issues; however, when returning it uses a URL like https://ufastqlik.anz.???.co/arp?ticket=ST-6e9bdc599c2310579e370bf22283e7d57caa2de2cd which gives "Unauthorized - This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."
Using your suggestion of curl with longer timeouts it looks like the CAS ticket is OK on the server:
<?xml version="1.0"?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationSuccess>
<cas:user>pm@edu</cas:user>
<cas:attributes>
<cas:uid>pm@edu</cas:uid>
<cas:displayName>pm</cas:displayName>
<cas:roles>
</cas:roles>
<cas:>false</cas:>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
---
Log-wise, paraphrasing:
UFASTQlik: "GET /arp/ HTTP/1.1" 302 317"
SimpleSAML: "GET /simplesaml/module.php/casserver/login.php?service=https%3a%2f%2fufastqlik.anz.uniforum.co%2farp%2f HTTP/1.1" 302 711"
Log: DEBUG [8d9826c2d6] Session: Valid session found with 'ufast-sql'.
UFASTQlik: "GET /arp?ticket=ST-6e9bdc599c2310579e370bf22283e7d57caa2de2cb HTTP/1.1" 401 381"
So it looks like it's able to return ticket info and authenticate; however, my CAS client never validates the ticket properly.
Thanks,
Philip
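As an added example (not code from the casserver module, from mod_auth_cas, or from anyone in this thread), here is a small Python client-side check of the serviceValidate exchange the module author suggests testing with curl above: it builds the same request a CAS client sends, applies the legal_service_urls rule from module_casserver.php (prefix matching is assumed here), and classifies the XML reply as success, failure or malformed. Hosts, user names, tickets and the three sample responses are constructed; the third sample copies the shape of the response posted in the thread, whose attributes block contains an element with an empty name (`<cas:>`), which a namespace-aware XML parser does not accept as well-formed.

```python
"""Client-side check of a CAS 2.0 serviceValidate exchange (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed values (hypothetical hosts), mirroring the module config keys above.
CAS_BASE = "https://cas.example.test/simplesaml"
LEGAL_SERVICE_URLS = ["https://client.example.test/arp"]


def service_is_legal(service, legal_prefixes=LEGAL_SERVICE_URLS):
    """The server-side rule behind legal_service_urls: accept a service URL only if it
    starts with a configured entry. Prefix matching is an assumption of this example."""
    return any(service.startswith(prefix) for prefix in legal_prefixes)


def build_validate_url(service, ticket, base=CAS_BASE):
    """The request a CAS client (or curl) sends to check a ticket. Both parameters are
    URL-encoded so the service value matches what login.php received byte for byte."""
    query = urlencode({"service": service, "ticket": ticket})
    return f"{base}/module.php/casserver/serviceValidate.php?{query}"


def parse_service_response(xml_text):
    """Classify a cas:serviceResponse and extract user and attributes. Unparseable XML is
    reported as 'malformed' rather than raised, because a client that cannot parse the
    reply ends up behaving exactly like one whose ticket was rejected."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"status": "malformed", "reason": f"XML parse error: {exc}"}
    # An element such as <cas:> has an empty local name. Namespace-aware parsers normally
    # reject it outright; if one lets it through, still report the reply as malformed.
    for element in root.iter():
        if element.tag.endswith("}"):
            return {"status": "malformed", "reason": "element with empty local name"}
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        return {"status": "malformed", "reason": "root element is not cas:serviceResponse"}
    ns = {"cas": CAS_NS}
    failure = root.find("cas:authenticationFailure", ns)
    if failure is not None:
        return {"status": "failure", "code": failure.get("code"),
                "reason": (failure.text or "").strip()}
    success = root.find("cas:authenticationSuccess", ns)
    if success is None:
        return {"status": "malformed",
                "reason": "neither authenticationSuccess nor authenticationFailure present"}
    attributes = {}
    attr_block = success.find("cas:attributes", ns)
    if attr_block is not None:
        for child in attr_block:
            name = child.tag.split("}", 1)[1]  # strip the namespace prefix
            # repeated elements of the same name form a multi-valued attribute
            attributes.setdefault(name, []).append((child.text or "").strip())
    return {"status": "success",
            "user": success.findtext("cas:user", namespaces=ns),
            "attributes": attributes}


# Constructed sample responses so the script runs offline.
SUCCESS_RESPONSE = """<?xml version="1.0"?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>pm@example.test</cas:user>
    <cas:attributes>
      <cas:uid>pm@example.test</cas:uid>
      <cas:displayName>pm</cas:displayName>
      <cas:roles>staff</cas:roles>
      <cas:roles>admin</cas:roles>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<?xml version="1.0"?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-placeholder not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

# Same shape as the reply posted in the thread: an attribute element with an empty name.
MALFORMED_RESPONSE = """<?xml version="1.0"?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>pm@example.test</cas:user>
    <cas:attributes>
      <cas:uid>pm@example.test</cas:uid>
      <cas:>false</cas:>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(build_validate_url("https://client.example.test/arp", "ST-placeholder"))
    for label, body in [("success", SUCCESS_RESPONSE), ("failure", FAILURE_RESPONSE),
                        ("malformed", MALFORMED_RESPONSE)]:
        print(label, "->", parse_service_response(body))
```

When a client returns 401 after the redirect carrying a ticket that the server validates fine with curl, feeding the body the client actually received into parse_service_response separates "the server rejected the ticket" (an authenticationFailure with a code) from "the client could not parse what came back" (a malformed result), which narrows the search to either the server's attribute configuration or the client's parser.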