I notice that there's now a CAS server module, but the only
documentation I can find about it is:
http://rnd.feide.no/content/simplesamlphp-cas-server-support
I have been unable to set up SAML idp/sp metadata to get the CAS
server to work. I'm currently trying on a fresh install of
simpleSAMLphp 1.5.1. All I have done to it is configured an entry in
authsources.php for our LDAP server, and confirmed that it works in
the admin web interface.
Can anyone point me at some more documentation? Or perhaps share some
conf?
As a proof of concept, I'd like to get the CAS server using
simpleSAMLphp's SAML (or shibboleth, I guess) to auth to LDAP. Is this
even possible?
~Keith
Read this:
http://simplesamlphp.googlecode.com/svn/trunk/modules/cas/docs/cas.txt
It's working fine for me.
Francisco
I'm not interested in authenticating to CAS, but rather using the CAS
server functionality of simpleSAMLphp (provided by the 'casserver'
module).
~Keith
On Mar 16, 9:24 am, Francisco Estanqueiro <fwestanque...@fc.ul.pt>
wrote:
As far as I know, there's no additional documentation except what is
written on
http://rnd.feide.no/content/simplesamlphp-cas-server-support
but maybe I can help. To implement CAS authentication server you have to
configure your simpleSAMLphp IdP both as IdP and SP. Did you do that?
Btw, if it's not secret, what is the URL of your testing simpleSAMLphp
IdP? It would help if I could have a look at your actual simpleSAMLphp
configuration.
Cheers,
Dubravko Voncina
Srce - University Computing Centre
University of Zagreb, Croatia
Thanks for the prompt reply!
I have a clean slate to work with, right now.
In our production setup (which is on gapps.cc.lehigh.edu for what it's
worth), we're using the Google Apps config (
http://simplesamlphp.org/docs/1.5/simplesamlphp-googleapps#section_7_2
), and this saml20-idp-hosted.php:
--------------------------------------------------------
$metadata['__DYNAMIC:1__'] = array(
'host' => '__DEFAULT__',
'privatekey' => 'realcert.pem',
'certificate' => 'realcert.crt',
// 'auth' => 'lehigh-ldap',
'auth' => 'auth/login.php',
);
--------------------------------------------------------
As I understand it, using auth/login.php (which uses values from
config/ldap.php) is the "old way", and using lehigh-ldap (which is
defined in authsources.php) is the "new way".
We're currently using the old method, because we had modified
login.php to log the IP of our on-campus users for troubleshooting
purposes, but both methods work.
I see that the documentation refers to saml20-sp-hosted.php, but I do
not have this sample file. I tried using a generic one, basically
copied from shib13-sp-hosted.php, but was unable to get it to work. So
currently, it is not set up as a SAML SP.
You can see my failed attempt at modifying the default-sp to use my
hosted SAML IDP here:
https://gapps.cc.lehigh.edu/simplesaml2/module.php/core/authenticate.php?as=default-sp
And the working lehigh-ldap IDP here:
https://gapps.cc.lehigh.edu/simplesaml2/module.php/core/authenticate.php?as=lehigh-ldap
At this point, though, there are so many "I wonder if this will help"
changes all over the place, that I'm writing off the "simplesaml2"
instance.
~Keith
On Mar 16, 9:59 am, Dubravko Voncina <dubravko.vonc...@srce.hr> wrote:
In the latest stable version of simpleSAMLphp, the 'saml20-sp-hosted.php'
configuration file is no longer used. Unfortunately, the casserver module
is written for older versions of simpleSAMLphp, so it calls some
deprecated functions/methods which require the saml20-sp-hosted.php file.
I have a testing environment in which I made a modified version of
casserver module that works with simplesamlphp 1.5.1 (without
saml20-sp-hosted.php file), but first you'll have to configure your
simpleSAMLphp IdP to work properly with this module.
If I'm guessing correctly, you installed simpleSAMLphp in folder
/opt/simplesamlphp/, so first you have to create file
/opt/simplesamlphp/metadata/saml20-idp-remote.php
with the following content:
<?php
$metadata['https://gapps.cc.lehigh.edu/simplesaml/saml2/idp/metadata.php']
= array (
'SingleSignOnService' =>
'https://gapps.cc.lehigh.edu/simplesaml/saml2/idp/SSOService.php',
'SingleLogoutService' =>
'https://gapps.cc.lehigh.edu/simplesaml/saml2/idp/SingleLogoutService.php',
'certFingerprint' => '8b41b4d38f2d47d329d2c1cb0d868c46f1d1c78d',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
);
?>
After that, you'll have to edit the
/opt/simplesamlphp/metadata/saml20-sp-remote.php file and add the
following code:
$metadata['https://gapps.cc.lehigh.edu/simplesaml/module.php/saml/sp/metadata.php/default-sp']
= array (
'AssertionConsumerService' =>
'https://gapps.cc.lehigh.edu/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
'SingleLogoutService' =>
'https://gapps.cc.lehigh.edu/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
);
Finally, in /opt/simplesamlphp/config/authsources.php file find the
'default-sp' block and modify it so it looks like this:
'default-sp' => array(
'saml:SP',
'entityID' => NULL,
'idp' =>
'https://gapps.cc.lehigh.edu/simplesaml/saml2/idp/metadata.php',
'discoURL' => NULL,
),
Now, when you point your web browser to
https://gapps.cc.lehigh.edu/simplesaml/module.php/core/authenticate.php
and click on 'default-sp', you should be redirected to your LDAP login
service (same as if you clicked on 'lehigh-ldap'). Try to authenticate
and see what happens. If you manage to authenticate successfully, this
means that your simpleSAMLphp is properly configured for implementation
of a casserver module.
When you make sure that you configured your simpleSAMLphp properly,
please send me a mail and I will send you an archive with a casserver
module that works with simpleSAMLphp 1.5.1. Meanwhile, I'll write
short instructions on how to deploy and configure this module in
simpleSAMLphp 1.5.1.
I apologize for the delay, Apache server on my testing machine started
to act a bit weird so I had to deal with that first :-(
I have attached an archive with modified casserver module to this
message. To make things work you have to do the following:
1.) Unpack the casserver.tar.gz archive into your
/opt/simplesamlphp/modules/ folder.
2.) After unpacking the archive, copy the
/opt/simplesamlphp/modules/casserver/config-templates/module_casserver.php
file into the folder /opt/simplesamlphp/config/
3.) Modify 'legal_service_urls' parameter in the
/opt/simplesamlphp/config/module_casserver.php file so it allows
connections from your CAS client (add the URL or IP address of your CAS
client). If necessary, modify also 'attrname' and 'attributes' parameters.
4.) In the /opt/simplesamlphp/ folder create a folder named
'ticketcache' and make sure that Apache has read-write permissions on
it. This is the folder in which the casserver module stores tickets for
authenticated users.
5.) In the /opt/simplesamlphp/www/ folder create a .htaccess file with
the following content
RewriteEngine On
RewriteRule ^module.php/casserver/login$ ../module.php/casserver/login.php [L]
RewriteRule ^module.php/casserver/serviceValidate$ ../module.php/casserver/serviceValidate.php [L]
RewriteRule ^module.php/casserver/validate$ ../module.php/casserver/validate.php [L]
and make sure Apache is configured to allow execution of .htaccess
files. If everything goes well, after following these steps you should
have a working CAS server.
To authenticate users through your new CAS server, in your CAS client
you should set the following parameters:
CAS_HOST: 'gapps.cc.lehigh.edu'
CAS_PORT: 443
CAS_PATH: '/simplesaml/module.php/casserver'
Cheers,
Dubravko Voncina
Srce - University Computing Centre
University of Zagreb, Croatia
Keith wrote:
> Dubravko,
>
> Thank you so much! It's amazing how well things work when you
> configure them correctly.
>
> Using your instructions, it looks like the default-sp is working
> correctly, authing to LDAP via SAML.
>
> Is the new/beta CAS server module posted anywhere? I'd be happy to be
> a tester.
>
> ~Keith
>
> On Mar 16, 10:57 pm, Dubravko Voncina <dubravko.vonc...@srce.hr>
> wrote:
No worries. I'm not in a rush. Thanks for getting back to me. I've
followed all of your steps below, and it's almost working. I'm seeing
tickets created in the ticketcache directory.
But my testing isn't working. I'm using the php CAS module from jasig:
http://www.ja-sig.org/wiki/display/CASC/phpCAS
With the version I was using, I would get a generic "You were not
authenticated" error after coming back to the CAS page with a ticket,
coupled with this error in the log:
UserError: ErrCode:NOTFOUNDREASON("%URL%" => "https://
gapps.cc.lehigh.edu/simplesaml3/module.php/casserver/proxyValidate?
service=http%3A%2F%2Flust.cc.lehigh.edu%2Fcastest%2F&ticket=ST-
f814a5b8b53b49ed6b18524636d5a6a3bb3baeb1ca", "%REASON%" => "The URL
wasn't found in the module.")
Indeed, it looks like there is no proxyValidate code anywhere in the
module.
I upgraded to the latest version of phpCAS, and now I get an infinite
redirect loop in the browser, coupled with the same error in the
apache log.
Is this simply an invalid test? (Should I try another CAS client?) Or
is this "proxyValidate" an unimplemented piece of the CAS server
module?
~Keith
Yes, the proxyValidate is obviously not implemented, but I'm not sure
that you need it.
I can't really say that I'm a CAS expert, but if I understand things
correctly, your client should invoke the serviceValidate method instead
of proxyValidate.
The CAS client determines which method it should invoke by the name of the
ticket. If the ticket name begins with 'PT-', the CAS client invokes the
proxyValidate method. If the ticket name begins with 'ST-' (as in your
case), the CAS client should invoke the serviceValidate method.
When I was trying to implement the casserver module for the first time, I
performed tests with several different versions of the phpCAS client,
and almost every one of them either had a bug or was missing some
methods :-(
Which version of phpCAS client exactly are you using?
If I remember correctly, I've had an infinite loop problem with version
1.0.1 of phpCAS client, but with version 1.1.0 RC5 everything worked
fine for me.
Cheers,
Dubravko
I will try slightly earlier release. Thanks.
-Keith
Warning: DOMDocument::loadXML() [domdocument.loadxml]: Opening and ending tag mismatch: p line 56 and form in Entity, line: 75 in /var/www/castest/CAS/domxml-php4-to-php5.php on line 72
Warning: DOMDocument::loadXML() [domdocument.loadxml]: Entity 'copy' not defined in Entity, line: 88 in /var/www/castest/CAS/domxml-php4-to-php5.php on line 72
Warning: DOMDocument::loadXML() [domdocument.loadxml]: Opening and ending tag mismatch: form line 53 and div in Entity, line: 92 in /var/www/castest/CAS/domxml-php4-to-php5.php on line 72
Warning: DOMDocument::loadXML() [domdocument.loadxml]: Opening and ending tag mismatch: div line 21 and body in Entity, line: 96 in /var/www/castest/CAS/domxml-php4-to-php5.php on line 72
Warning: DOMDocument::loadXML() [domdocument.loadxml]: Opening and ending tag mismatch: body line 19 and html in Entity, line: 97 in /var/www/castest/CAS/domxml-php4-to-php5.php on line 72
Warning: DOMDocument::loadXML() [domdocument.loadxml]: Premature end of data in tag html line 2 in Entity, line: 97 in /var/www/castest/CAS/domxml-php4-to-php5.php on line 72
CAS Authentication failed!
You were not authenticated.
You may submit your request again by clicking here.
If the problem persists, you may contact the administrator of this
site.
I'm using the example-simple.php file:
<?php
// phpCAS example-simple.php, pointed at the simpleSAMLphp casserver module
include_once('CAS.php');
phpCAS::setDebug();
phpCAS::client(CAS_VERSION_2_0, 'gapps.cc.lehigh.edu', 443, '/simplesaml3/module.php/casserver');
// Disables validation of the CAS server's TLS certificate; only acceptable for testing.
phpCAS::setNoCasServerValidation();
phpCAS::forceAuthentication();
if (isset($_REQUEST['logout'])) { phpCAS::logout(); }
?>
<html>
<head>
<title>phpCAS simple client</title>
</head>
<body>
<h1>Successful Authentication!</h1>
<p>the user's login is <b><?php echo phpCAS::getUser(); ?></b>.</p>
<p>phpCAS version is <b><?php echo phpCAS::getVersion(); ?></b>.</p>
<p><a href="?logout=">Logout</a></p>
</body>
</html>
Thoughts? I'm going to look for another CAS client to test.
~Keith
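The client-side behaviour Dubravko describes (an 'ST-' ticket is checked at serviceValidate, a 'PT-' ticket at proxyValidate) and the parse failure Keith shows above (the client received something other than CAS XML), as an added Python example that is not part of this thread, simpleSAMLphp, the casserver module or phpCAS. The CAS 2.0 namespace is the real one; the ticket values and response bodies are constructed.

```python
"""Client-side view of the CAS 2.0 exchange discussed in this thread (added
example; not code from simpleSAMLphp, the casserver module or phpCAS)."""
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def validation_endpoint(ticket: str) -> str:
    """Pick the validation endpoint from the ticket prefix, as Dubravko
    describes: ST- (service ticket) -> serviceValidate, PT- (proxy ticket)
    -> proxyValidate, which the casserver build here does not implement."""
    if ticket.startswith("ST-"):
        return "serviceValidate"
    if ticket.startswith("PT-"):
        return "proxyValidate"
    raise ValueError(f"unrecognised ticket prefix: {ticket[:3]!r}")


def parse_cas2_response(body: str) -> dict:
    """Interpret a serviceValidate/proxyValidate response body.

    A body that is not CAS XML at all (e.g. an HTML login page with an
    undefined &copy; entity, as in the DOMDocument warnings above) is
    reported as a failure carrying the parser's message, not a crash."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {"ok": False, "reason": f"not CAS XML: {exc}"}
    if root.tag != "{http://www.yale.edu/tp/cas}serviceResponse":
        return {"ok": False, "reason": f"unexpected root element {root.tag}"}
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is not None and user.text:
        return {"ok": True, "user": user.text.strip()}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "reason": failure.get("code", "UNKNOWN")}
    return {"ok": False, "reason": "no success or failure element"}


# Constructed sample bodies: a success, an explicit failure, and the HTML
# page a misrouted client receives instead of CAS XML.
SUCCESS_XML = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
               "<cas:authenticationSuccess><cas:user>keith</cas:user>"
               "</cas:authenticationSuccess></cas:serviceResponse>")
FAILURE_XML = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
               "<cas:authenticationFailure code='INVALID_TICKET'>bad ticket"
               "</cas:authenticationFailure></cas:serviceResponse>")
HTML_PAGE = "<html><body><form><p>Login &copy; 2010</form></p></body></html>"

if __name__ == "__main__":
    for name, body in [("success", SUCCESS_XML), ("failure", FAILURE_XML),
                       ("html", HTML_PAGE)]:
        print(name, parse_cas2_response(body))
```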
I installed and tested Apache2::AuthCASSimple, and it works perfectly
with the CAS server module.
( http://search.cpan.org/dist/Apache2-AuthCASSimple/lib/Apache2/AuthCASSimple.pm
)
So, it seems that the CAS server module is working. Am I missing
something, with phpCAS?
~Keith
Cheers,
Dubravko
Indeed you were correct. It works with 1.1.0RC5, but not 1.1.0RC8 or
1.0.1.
I guess I'll stick with 1.1.0RC5 for now!
Thank you so much for all of your help. And I hope this thread will
help someone else, in the future.
~Keith
On Mar 24, 10:57 am, Dubravko Voncina <dubravko.vonc...@srce.hr>
wrote:
> This failure looks more spectacular than it actually is :-)
> It seems to me that for some reason the CAS client didn't receive a valid CAS message, so the XML parser couldn't parse it correctly.
> > On Mar 24, 10:08 am, Keith <keith.erek...@gmail.com> wrote:
>
> >> Ha, it figures! When I was having trouble with the (very) old version
> >> of phpCAS that I had, I went out and downloaded the "current" one,
> >> which looks like it's 1.0.1.
>
> >> I will try slightly earlier release. Thanks.
>
> >> -Keith