CAS authentication issues


Ahmad Khayyat

Aug 15, 2018, 6:18:28 AM
to EnterMedia
Hello everyone.

After a quick tour around the system, I found EnterMedia to be an interesting and capable system, and I'm really excited about deploying it in production.

We have a university environment, where we link most of our systems to a CAS single sign-on authentication system.

I followed the CAS authentication documentation here: https://entermediadb.org/knowledge/authentication/. I have the following observations and issues. I'd be grateful if I can get some explanation and resolutions:

  1. What's the use of the "authenticationserver" and "authenticationdomain" properties in the "_site.xconf" file? If the user is specified in an HTTP header, how are these two properties used?
    I was hoping that they would be used to get the user's details from the "authenticationserver" over LDAP, but that did not happen, AFAICT (e.g. no full name or email in the profile).

  2. How can I confirm what the logged-in username and group are? I'm not sure what permissions my CAS-authenticated user has. I tried to get CAS-authenticated users to be assigned the "Users" role, by setting the "autologingroup" property in "_site.xconfig" to "Users", but that did not seem to change anything.

  3. After logging in through CAS, I don't see the "Settings" menu item in the top right menu, which is good (assuming CAS-authenticated users belong to the Guest role). But if I click on "Assets" on the same menu (then "Assets" again from the dropdown menu), then "Settings" appears in the top-right menu, and I'm able to browse all settings without additional authentication (no permission issues are shown). I don't expect any CAS-authenticated user to be able to access these settings!

  4. Once I login through CAS, and navigate to "Settings > Users", I can see two non-default users listed: (1) <my-CAS-username>, and (2) <my-CAS-username>@my.domain.com. However, clicking on either of them to see their details results in an empty "User" pane with the text "Select a user." In contrast, clicking on either of the default users ("admin" or "testuser") takes me to a login page (URL: assets/emshare/authentication/nopermissions.html). This presents a few issues:
    1. Why are there two records for the same user (one with a domain, like an email address, and one without)?
    2. Why can't I see any details for either of these CAS-authenticated users (I get a "Select a user" message instead)? In fact, if I go to the users table under "data management", these users are not listed at all (only the default "admin" and "testuser" users are listed). Also, while logged in through CAS, I can't seem to be able to save my profile (first name, last name, and email). Clicking on Save does nothing!
    3. Why do I get a login page at all if I configured CAS authentication? It's confusing for an already authenticated user (through CAS) to get a different login page (from the application). Usually, CAS-authenticated applications never present login screens of their own.
    4. Where did EnterMedia pick my email from?!

  5. Isn't it possible to retrieve CAS-authenticated user details (name and email) from an LDAP/AD directory?

  6. This is not CAS-specific, but how do people usually handle the system's home page? I most probably wouldn't want users to see the homepage at all, especially with the text "Note: the default login is admin / admin" shown prominently at the top. How should this page be handled in a production deployment? And how do I get users to land on the emshare application directly?

Thank you for the comprehensive and functional product. Looking forward to resolving these issues and pushing it to production.

Ahmad Khayyat

Aug 24, 2018, 2:19:27 PM
to EnterMedia
Any comments on any of the listed points would be very much appreciated.

Are there any EnterMedia users who are using any external authentication through HTTP headers? We use CAS authentication by configuring Apache as a reverse proxy and enabling the mod_auth_cas module. As far as EnterMedia is concerned, if the REMOTE_USER header is set, then the user is authenticated. One can simulate the setup using any other Apache basic authentication provider (e.g. file, ldap, see https://httpd.apache.org/docs/2.4/howto/auth.html).

So, anyone successfully using EnterMedia with authentication configured on a reverse proxy?
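The setup described in this thread (Apache with mod_auth_cas in front, the application trusting a REMOTE_USER header) has one trust boundary that matters: the application must accept that header only when the request actually came through the proxy, and it should map the asserted name to a single account. The following is an added illustration of that gate, not EnterMedia code and not derived from its source; the proxy addresses, the group name and the canonicalisation rule are assumptions for the demo, and only the REMOTE_USER header name comes from the post.

```python
"""Trust boundary for header-based sign-on behind a reverse proxy.

Constructed example, not EnterMedia's code. It models the setup described
in the thread: Apache with mod_auth_cas authenticates the user and hands
the identity to the application in a REMOTE_USER header, so the
application treats a request as authenticated when that header is present.
The check below accepts the header only from the proxy's own address and
canonicalises the asserted name so that "alice" and "alice@my.domain.com"
resolve to one account instead of two.
"""
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Assumed: addresses from which the reverse proxy reaches the application.
TRUSTED_PROXIES = frozenset({"127.0.0.1", "10.0.0.5"})
IDENTITY_HEADER = "REMOTE_USER"
# Assumed: role granted to every proxy-authenticated user. The thread's
# "autologingroup" setting is the analogous idea; its behaviour is not
# verified here.
AUTO_LOGIN_GROUP = "Users"


@dataclass(frozen=True)
class Principal:
    username: str
    group: str
    realm: Optional[str]  # domain part of "user@realm", if any


def canonical_username(raw: str) -> Optional[Tuple[str, Optional[str]]]:
    """Normalise an asserted identity.

    "Alice@My.Domain.com" -> ("alice", "my.domain.com"); "bob" -> ("bob", None).
    Returns None for empty, whitespace-containing or multi-'@' values so a
    malformed header is rejected rather than creating a stray account.
    Lower-casing is a demo choice; match it to your directory's rules.
    """
    value = raw.strip()
    if not value or any(ch.isspace() for ch in value):
        return None
    user, _, realm = value.partition("@")
    if not user or "@" in realm:
        return None
    return user.lower(), (realm.lower() or None)


def authenticate(remote_addr: str, headers: Mapping[str, str]) -> Optional[Principal]:
    """Return the Principal asserted by a trusted proxy, or None.

    remote_addr is the TCP peer of the application, not any X-Forwarded-For
    value; only the proxy may vouch for an identity. A request carrying
    REMOTE_USER that did not come through the proxy is treated as anonymous.
    """
    asserted = headers.get(IDENTITY_HEADER)
    if asserted is None:
        return None
    if remote_addr not in TRUSTED_PROXIES:
        return None
    parsed = canonical_username(asserted)
    if parsed is None:
        return None
    user, realm = parsed
    return Principal(username=user, group=AUTO_LOGIN_GROUP, realm=realm)


if __name__ == "__main__":
    # Constructed requests: through the proxy, and straight to the app port.
    samples = [
        ("127.0.0.1", {"REMOTE_USER": "Alice@My.Domain.com"}),
        ("127.0.0.1", {"REMOTE_USER": "alice"}),
        ("203.0.113.7", {"REMOTE_USER": "admin"}),
        ("127.0.0.1", {}),
    ]
    for addr, hdrs in samples:
        print(addr, hdrs, "->", authenticate(addr, hdrs))
```

The same gate applies when the setup is simulated with an Apache basic-auth provider, as the post suggests: whatever module authenticates, the proxy should set the identity header on every forwarded request (overwriting any copy the client sent) and the application port should be reachable only from the proxy. The canonicalisation step is what keeps the with-domain and without-domain forms of one user, as seen in point 4 of the first post, from turning into separate records.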