CAS Server documentation?

1272 views
Skip to first unread message

Keith

unread,
Mar 16, 2010, 9:16:59 AM3/16/10
to simpleSAMLphp, da...@lehigh.edu
I recently upgraded our simpleSAMLphp installation from 1.4 to 1.5.1.
All we have been using it for is to auth Google Apps to LDAP (so far).

I notice that there's now a CAS server module, but the only
documentation I can find about it is:

http://rnd.feide.no/content/simplesamlphp-cas-server-support

I have been unable to set up SAML idp/sp metadata to get the CAS
server to work. I'm currently trying on a fresh install of
simpleSAMLphp 1.5.1. All I have done to it is configured an entry in
authsources.php for our LDAP server, and confirmed that it works in
the admin web interface.

Can anyone point me at some more documentation? Or perhaps share some
conf?

As a proof of concept, I'd like to get the CAS server using
simpleSAMLphp's SAML (or shibboleth, I guess) to auth to LDAP. Is this
even possible?

~Keith

Francisco Estanqueiro

unread,
Mar 16, 2010, 9:24:08 AM3/16/10
to simple...@googlegroups.com, da...@lehigh.edu
Hi,

Read this:
http://simplesamlphp.googlecode.com/svn/trunk/modules/cas/docs/cas.txt

Its working fine for me.

Francisco

Keith

unread,
Mar 16, 2010, 9:39:08 AM3/16/10
to simpleSAMLphp
This seems to be documentation for using the CAS client, and also
fetching attributes from LDAP?

I'm not interested in authenticating to CAS, but rather using the CAS
server functionality of simpleSAMLphp (provided by the 'casserver'
module).

~Keith

On Mar 16, 9:24 am, Francisco Estanqueiro <fwestanque...@fc.ul.pt>
wrote:

Dubravko Voncina

unread,
Mar 16, 2010, 9:59:35 AM3/16/10
to simple...@googlegroups.com
Hi Keith,

As far as I know, there's no additional documentation except what is
written on

http://rnd.feide.no/content/simplesamlphp-cas-server-support

but maybe I can help. To implement CAS authentication server you have to
configure your simpleSAMLphp IdP both as IdP and SP. Did you do that?

Btw, if it's not secret, what is the URL of your testing simpleSAMLphp
IdP? It would help if I could have a look at your actual simpleSAMLphp
configuration.

Cheers,

Dubravko Voncina
Srce - University Computing Centre
University of Zagreb, Croatia

Keith

unread,
Mar 16, 2010, 2:06:12 PM3/16/10
to simpleSAMLphp
Dubravko,

Thanks for the prompt reply!

I have a clean slate to work with, right now.

In our production setup (which is on gapps.cc.lehigh.edu for what it's
worth), we're using the Google Apps config (
http://simplesamlphp.org/docs/1.5/simplesamlphp-googleapps#section_7_2
), and this saml20-idp-hosted.php:

--------------------------------------------------------
$metadata['__DYNAMIC:1__'] = array(
'host' => '__DEFAULT__',
'privatekey' => 'realcert.pem',
'certificate' => 'realcert.crt',

// 'auth' => 'lehigh-ldap',
'auth' => 'auth/login.php',
);
--------------------------------------------------------

As I understand it, using auth/login.php (which uses values from
config/ldap.php) is the "old way", and using lehigh-ldap (which is
defined in authsources.php) is the "new way".

We're currently using the old method, because we had modified
login.php to log the IP of our on-campus users for troubleshooting
purposes, but both methods work.

I see that the documentation refers to saml20-sp-hosted.php, but I do
not have this sample file. I tried using a generic one, basically
copied from shib13-sp-hosted.php, but was unable to get it to work. So
currently, it is not set up as a SAML SP.

Keith

unread,
Mar 16, 2010, 2:19:27 PM3/16/10
to simpleSAMLphp
Dubravko,

You can see my failed attempt at modifying the default-sp to use my
hosted SAML IDP here:

https://gapps.cc.lehigh.edu/simplesaml2/module.php/core/authenticate.php?as=default-sp

And the working lehigh-ldap IDP here:

https://gapps.cc.lehigh.edu/simplesaml2/module.php/core/authenticate.php?as=lehigh-ldap

At this point, though, there are so many "I wonder if this will help"
changes all over the place, that I'm writing off the "simplesaml2"
instance.

~Keith

On Mar 16, 9:59 am, Dubravko Voncina <dubravko.vonc...@srce.hr> wrote:

Dubravko Voncina

unread,
Mar 16, 2010, 10:57:05 PM3/16/10
to simple...@googlegroups.com
Hi Keith,

In latest stable version of simpleSAMLphp 'saml20-sp-hosted.php'
configuration file is no longer used. Unfortunatelly, casserver module
is written for older versions of simpleSAMLphp so it calls some
deprecated functions/methods which require saml20-sp-hosted.php file.
I have a testing environment in which I made a modified version of
casserver module that works with simplesamlphp 1.5.1 (without
saml20-sp-hosted.php file), but first you'll have to configure your
simpleSAMLphp IdP to work properly with this module.

If I'm guessing correctly, you installed simpleSAMLphp in folder
/opt/simplesamlphp/, so first you have to create file

/opt/simplesamlphp/metadata/saml20-idp-remote.php

with the following content:

<?php

$metadata['https://gapps.cc.lehigh.edu/simplesaml/saml2/idp/metadata.php']
= array (
'SingleSignOnService' =>
'https://gapps.cc.lehigh.edu/simplesaml/saml2/idp/SSOService.php',
'SingleLogoutService' =>
'https://gapps.cc.lehigh.edu/simplesaml/saml2/idp/SingleLogoutService.php',
'certFingerprint' => '8b41b4d38f2d47d329d2c1cb0d868c46f1d1c78d',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
);
?>


After that, you'll have to edit the
/opt/simplesamlphp/metadata/saml20-sp-remote.php file and add the
following code:

$metadata['https://gapps.cc.lehigh.edu/simplesaml/module.php/saml/sp/metadata.php/default-sp']
= array (
'AssertionConsumerService' =>
'https://gapps.cc.lehigh.edu/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
'SingleLogoutService' =>
'https://gapps.cc.lehigh.edu/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
);


Finally, in /opt/simplesamlphp/config/authsources.php file find the
'default-sp' block and modify it so it looks like this:

'default-sp' => array(
'saml:SP',
'entityID' => NULL,
'idp' =>
'https://gapps.cc.lehigh.edu/simplesaml/saml2/idp/metadata.php',
'discoURL' => NULL,
),


Now, when you point your web browser to

https://gapps.cc.lehigh.edu/simplesaml/module.php/core/authenticate.php

and click on 'default-sp', you should be redirected to your LDAP login
service (same as if you clicked on 'lehigh-ldap'). Try to authenticate
and see what happens. If you manage to authenticate successfully, this
means that your simpleSAMLphp is properly configured for implementation
of a casserver module.
When you make sure that you configured your simpleSAMLphp properly,
please send me a mail and I will send you an archive with a casserver
module that works with simpleSAMLphp 1.5.1. Meanwhile, I'll write a
short instructions on how to deploy and configure this module in
simpleSAMLphp 1.5.1.

Dubravko Voncina

unread,
Mar 23, 2010, 7:16:48 AM3/23/10
to Keith, simple...@googlegroups.com
Hi Keith,

I apologize for the delay, Apache server on my testing machine started
to act a bit weird so I had to deal with that first :-(
I have attached an archive with modified casserver module to this
message. To make things work you have to do the following:

1.) Unpack the casserver.tar.gz archive into your
/opt/simplesamlphp/modules/ folder.

2.) After unpacking the archive, copy the
/opt/simplesamlphp/modules/casserver/config-templates/module_casserver.php
file into the folder /opt/simplesamlphp/config/

3.) Modify 'legal_service_urls' parameter in the
/opt/simplesamlphp/config/module_casserver.php file so it allows
connections from your CAS client (add the URL or IP address of your CAS
client). If necessary, modify also 'attrname' and 'attributes' parameters.

4.) In the /opt/simplesamlphp/ folder create the folder named
'ticketcache' and make sure that Apache has a read-write permissions on
it. This is the folder in which casserver module stores tickets for the
authenticated users.

5.) In the /opt/simplesamlphp/www/ folder create a .htaccess file with
the following content

RewriteEngine On
RewriteRule ^module.php/casserver/login$
../module.php/casserver/login.php [L]
RewriteRule ^module.php/casserver/serviceValidate$
../module.php/casserver/serviceValidate.php [L]
RewriteRule ^module.php/casserver/validate$
../module.php/casserver/validate.php [L]

and make sure Apache is configured to allow execution of .htaccess
files. If everything goes well, after following these steps you should
have a working CAS server.
To authenticate users through your new CAS server, in your CAS client
you should set the following parameters:

CAS_HOST: 'gapps.cc.lehigh.edu'
CAS_PORT: 443
CAS_PATH: '/simplesaml/module.php/casserver'

Cheers,

Dubravko Voncina
Srce - University Computing Centre
University of Zagreb, Croatia


Keith wrote:
> Dubravko,
>
> Thank you so much! It's amazing how well things work when you
> configure them correctly.
>
> Using your instructions, it looks like the default-sp is working
> correctly, authing to LDAP via SAML.
>
> Is the new/beta CAS server module posted anywhere? I'd be happy to be
> a tester.
>
> ~Keith
>
> On Mar 16, 10:57 pm, Dubravko Voncina <dubravko.vonc...@srce.hr>
> wrote:
>
>> Hi Keith,
>>


>> In latest stable version of simpleSAMLphp 'saml20-sp-hosted.php'
>> configuration file is no longer used. Unfortunatelly, casserver module
>> is written for older versions of simpleSAMLphp so it calls some
>> deprecated functions/methods which require saml20-sp-hosted.php file.
>> I have a testing environment in which I made a modified version of
>> casserver module that works with simplesamlphp 1.5.1 (without
>> saml20-sp-hosted.php file), but first you'll have to configure your
>> simpleSAMLphp IdP to work properly with this module.
>>
>> If I'm guessing correctly, you installed simpleSAMLphp in folder
>> /opt/simplesamlphp/, so first you have to create file
>>
>> /opt/simplesamlphp/metadata/saml20-idp-remote.php
>>
>> with the following content:
>>
>> <?php
>>
>> $metadata['https://gapps.cc.lehigh.edu/simplesaml/saml2/idp/metadata.php']
>> = array (
>> 'SingleSignOnService' =>
>> 'https://gapps.cc.lehigh.edu/simplesaml/saml2/idp/SSOService.php',
>> 'SingleLogoutService' =>

>> 'https://gapps.cc.lehigh.edu/simplesaml/saml2/idp/SingleLogoutService....,


>> 'certFingerprint' => '8b41b4d38f2d47d329d2c1cb0d868c46f1d1c78d',
>> 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
>> );
>> ?>
>>
>> After that, you'll have to edit the
>> /opt/simplesamlphp/metadata/saml20-sp-remote.php file and add the
>> following code:
>>

>> $metadata['https://gapps.cc.lehigh.edu/simplesaml/module.php/saml/sp/metadata.ph...]


>> = array (
>> 'AssertionConsumerService' =>

>> 'https://gapps.cc.lehigh.edu/simplesaml/module.php/saml/sp/saml2-acs.p...,
>> 'SingleLogoutService' =>
>> 'https://gapps.cc.lehigh.edu/simplesaml/module.php/saml/sp/saml2-logou...,

casserver.tar.gz

Keith

unread,
Mar 23, 2010, 4:50:34 PM3/23/10
to simpleSAMLphp
Dubravko,

No worries. I'm not in a rush. Thanks for getting back to me. I've
followed all of your steps below, and it's almost working. I'm seeing
tickets created in the ticketcache directory.

But my testing isn't working. I'm using the php CAS module from jasig:

http://www.ja-sig.org/wiki/display/CASC/phpCAS

With the version I was using, I would get a generic "You were not
authenticated" error after coming back to the CAS page with a ticket,
coupled with this error in the log:

UserError: ErrCode:NOTFOUNDREASON("%URL%" => "https://
gapps.cc.lehigh.edu/simplesaml3/module.php/casserver/proxyValidate?
service=http%3A%2F%2Flust.cc.lehigh.edu%2Fcastest%2F&ticket=ST-
f814a5b8b53b49ed6b18524636d5a6a3bb3baeb1ca", "%REASON%" => "The URL
wasn't found in the module.")

Indeed, it looks like there is no proxyValidate code anywhere in the
module.

I upgrade to the latest version of phpCAS, and now I get an infinite
redirect loop in the browser, coupled with the same error in the
apache log.

Is this simply an invalid test? (Should I try another CAS client?) Or
is this "proxyValidate" an unimplemented piece of the CAS server
module?

~Keith

>  casserver.tar.gz
> 3KViewDownload

Dubravko Voncina

unread,
Mar 23, 2010, 8:17:56 PM3/23/10
to simple...@googlegroups.com
Hi,

Yes, the proxyValidate is obviously not implemented, but I'm not sure
that you need it.
I can't really say that I'm a CAS expert, but if I understand things
correctly, your client should invoke the serviceValidate method instead
of proxyValidate.
CAS client determins which method it should invoke by the name of a
ticket. If ticket name begins with 'PT-', CAS client invokes the
proxyValidate method. If ticket name begins with 'ST-' (as in your
case), CAS client should invoke a serviceValidate method.
When I was trying to implement a casserver module for the first time, I
have performed testings with several different versions of phpCAS client
and almost every one of them had either a bug or some methods were
missing :-(
Which version of phpCAS client exactly are you using?
If I remember correctly, I've had an infinite loop problem with version
1.0.1 of phpCAS client, but with version 1.1.0 RC5 everything worked
fine for me.

Cheers,

Dubravko

Keith

unread,
Mar 24, 2010, 10:08:03 AM3/24/10
to simpleSAMLphp
Ha, it figures! When I was having trouble with the (very) old version
of phpCAS that I had, I went out and downloaded the "current" one,
which looks like it's 1.0.1.

I will try slightly earlier release. Thanks.

-Keith

> ...
>
> read more »

Keith

unread,
Mar 24, 2010, 10:35:51 AM3/24/10
to simpleSAMLphp
I downloaded 1.1.0RC8 and tried that. It no longer redirects
infinitely, but it fails spectacularly:

Warning: DOMDocument::loadXML() [domdocument.loadxml]: Opening and
ending tag mismatch: p line 56 and form in Entity, line: 75 in /var/
www/castest/CAS/domxml-php4-to-php5.php on line 72
Warning: DOMDocument::loadXML() [domdocument.loadxml]: Entity 'copy'
not defined in Entity, line: 88 in /var/www/castest/CAS/domxml-php4-to-
php5.php on line 72
Warning: DOMDocument::loadXML() [domdocument.loadxml]: Opening and
ending tag mismatch: form line 53 and div in Entity, line: 92 in /var/
www/castest/CAS/domxml-php4-to-php5.php on line 72
Warning: DOMDocument::loadXML() [domdocument.loadxml]: Opening and
ending tag mismatch: div line 21 and body in Entity, line: 96 in /var/
www/castest/CAS/domxml-php4-to-php5.php on line 72
Warning: DOMDocument::loadXML() [domdocument.loadxml]: Opening and
ending tag mismatch: body line 19 and html in Entity, line: 97 in /var/
www/castest/CAS/domxml-php4-to-php5.php on line 72
Warning: DOMDocument::loadXML() [domdocument.loadxml]: Premature end
of data in tag html line 2 in Entity, line: 97 in /var/www/castest/CAS/
domxml-php4-to-php5.php on line 72

CAS Authentication failed!
You were not authenticated.
You may submit your request again by clicking here.
If the problem persists, you may contact the administrator of this
site.

I'm using the example-simple.php file:

<?php
include_once('CAS.php');
phpCAS::setDebug();
phpCAS::client(CAS_VERSION_2_0,'gapps.cc.lehigh.edu',443,'/simplesaml3/
module.php/casserver');
phpCAS::setNoCasServerValidation();
phpCAS::forceAuthentication();

if (isset($_REQUEST['logout'])) { phpCAS::logout(); }

?>
<html>
<head>
<title>phpCAS simple client</title>
</head>
<body>
<h1>Successfull Authentication!</h1>
<p>the user's login is <b><?php echo phpCAS::getUser(); ?></b>.</
p>
<p>phpCAS version is <b><?php echo phpCAS::getVersion(); ?></b>.</
p>
<p><a href="?logout=">Logout</a></p>
</body>
</html>

Thoughts? I'm going to look for another CAS client to test.

~Keith

> ...
>
> read more »

Keith

unread,
Mar 24, 2010, 10:48:19 AM3/24/10
to simpleSAMLphp
Dubravko,

I installed and tested Apache2::AuthCASSimple, and it works perfectly
with the CAS server module.

( http://search.cpan.org/dist/Apache2-AuthCASSimple/lib/Apache2/AuthCASSimple.pm
)

So, it seems that the CAS server module is working. Am I missing
something, with phpCAS?

~Keith

> ...
>
> read more »

Dubravko Voncina

unread,
Mar 24, 2010, 10:57:15 AM3/24/10
to simple...@googlegroups.com
This failure looks more spectacular that it actually is :-)
It seems to me that for some reason CAS client didn't receive a valid
CAS message so XML parser couldn't parse it correctly.
Do you have a testing account which I could use to authenticate through
your CAS server using my CAS client?

Cheers,

Dubravko

>> read more �
>>
>
>

Keith

unread,
Mar 30, 2010, 3:04:39 PM3/30/10
to simpleSAMLphp
Dubravko,

Indeed you were correct. It works with 1.1.0RC5, but not 1.1.0RC8 or
1.0.1

I guess I'll stick with 1.1.0RC5 for now!

Thank you so much for all of your help. And I hope this thread will
help someone else, in the future.

~Keith

On Mar 24, 10:57 am, Dubravko Voncina <dubravko.vonc...@srce.hr>
wrote:


> This failure looks more spectacular that it actually is :-)

> It seems to me that for some reasonCASclient didn't receive a validCASmessage so XML parser couldn't parse it correctly.

> >CASAuthentication failed!

> > Thoughts? I'm going to look for anotherCASclient to test.


>
> > ~Keith
>
> > On Mar 24, 10:08 am, Keith <keith.erek...@gmail.com> wrote:
>
> >> Ha, it figures! When I was having trouble with the (very) old version
> >> of phpCAS that I had, I went out and downloaded the "current" one,
> >> which looks like it's 1.0.1.
>
> >> I will try slightly earlier release. Thanks.
>
> >> -Keith
>
> >> On Mar 23, 8:17 pm, Dubravko Voncina <dubravko.vonc...@srce.hr> wrote:
>
> >>> Hi,
>
> >>> Yes, the proxyValidate is obviously not implemented, but I'm not sure
> >>> that you need it.

> >>> I can't really say that I'm aCASexpert, but if I understand things


> >>> correctly, your client should invoke the serviceValidate method instead
> >>> of proxyValidate.

> >>>CASclient determins which method it should invoke by the name of a
> >>> ticket. If ticket name begins with 'PT-',CASclient invokes the


> >>> proxyValidate method. If ticket name begins with 'ST-' (as in your

> >>> case),CASclient should invoke a serviceValidate method.


> >>> When I was trying to implement a casserver module for the first time, I
> >>> have performed testings with several different versions of phpCAS client
> >>> and almost every one of them had either a bug or some methods were
> >>> missing :-(
> >>> Which version of phpCAS client exactly are you using?
> >>> If I remember correctly, I've had an infinite loop problem with version
> >>> 1.0.1 of phpCAS client, but with version 1.1.0 RC5 everything worked
> >>> fine for me.
>
> >>> Cheers,
>
> >>> Dubravko
>
> >>> Keith wrote:
>
> >>>> Dubravko,
>
> >>>> No worries. I'm not in a rush. Thanks for getting back to me. I've
> >>>> followed all of your steps below, and it's almost working. I'm seeing
> >>>> tickets created in the ticketcache directory.
>

> >>>> But my testing isn't working. I'm using the phpCASmodule from jasig:


>
> >>>>http://www.ja-sig.org/wiki/display/CASC/phpCAS
>
> >>>> With the version I was using, I would get a generic "You were not

> >>>> authenticated" error after coming back to theCASpage with a ticket,


> >>>> coupled with this error in the log:
>
> >>>> UserError: ErrCode:NOTFOUNDREASON("%URL%" => "https://
> >>>> gapps.cc.lehigh.edu/simplesaml3/module.php/casserver/proxyValidate?
> >>>> service=http%3A%2F%2Flust.cc.lehigh.edu%2Fcastest%2F&ticket=ST-
> >>>> f814a5b8b53b49ed6b18524636d5a6a3bb3baeb1ca", "%REASON%" => "The URL
> >>>> wasn't found in the module.")
>
> >>>> Indeed, it looks like there is no proxyValidate code anywhere in the
> >>>> module.
>
> >>>> I upgrade to the latest version of phpCAS, and now I get an infinite
> >>>> redirect loop in the browser, coupled with the same error in the
> >>>> apache log.
>

> >>>> Is this simply an invalid test? (Should I try anotherCASclient?) Or


> >>>> is this "proxyValidate" an unimplemented piece of theCASserver
> >>>> module?
>
> >>>> ~Keith
>
> >>>> On Mar 23, 7:16 am, Dubravko Voncina <dubravko.vonc...@srce.hr> wrote:
>
> >>>>> Hi Keith,
>
> >>>>> I apologize for the delay, Apache server on my testing machine started
> >>>>> to act a bit weird so I had to deal with that first :-(
> >>>>> I have attached an archive with modified casserver module to this
> >>>>> message. To make things work you have to do the following:
>
> >>>>> 1.) Unpack the casserver.tar.gz archive into your
> >>>>> /opt/simplesamlphp/modules/ folder.
>
> >>>>> 2.) After unpacking the archive, copy the
> >>>>> /opt/simplesamlphp/modules/casserver/config-templates/module_casserver.php
> >>>>> file into the folder /opt/simplesamlphp/config/
>
> >>>>> 3.) Modify 'legal_service_urls' parameter in the
> >>>>> /opt/simplesamlphp/config/module_casserver.php file so it allows

> >>>>> connections from yourCASclient (add the URL or IP address of yourCAS

> >>>>>> Is the new/betaCASserver module posted anywhere? I'd be happy to be

> ...
>
> read more »

Dominique

unread,
Apr 1, 2010, 10:31:32 AM4/1/10
to simpleSAMLphp
Thanks to point me that ! It works well !!!!

> ...
>
> read more »

Reply all
Reply to author
Forward
0 new messages