...
- Will authentication include the release of attributes to your application?
- If yes, UH Data Governance guidelines apply. For each unique application you must submit a separate request. What that means is that you cannot register a single URL and host multiple applications under it.
- Is your application hosted on a non-UH server?
- If yes, your request may be subject to the UH Data Sharing Request process. Please send an inquiry to datagov@hawaii.edu or call 956-7487.
Register Your Application URL
...
url (DISABLED)
Note: Although Apereo's CAS protocol documentation describes the use of the url parameter, the Apereo developers have disabled it in recent versions of CAS to prevent potential abuse. Their explanation of the situation may be found in this thread from the cas-users mailing list. The url parameter defined in the former CAS 2.0 specification is not a valid parameter in CAS 3.0 anymore. CAS Servers MUST ignore given url parameters.
Examples
To log out a user and prevent her from automatically logging back into a Web application, the Web application can forward the user to the Logout URL of UH Login. That URL will destroy the ticket-granting cookie that enables the single sign-on feature and give the user a page that informs them that they have logged out of UH Login.
https://$WEBLOGIN-HOST/cas/logout
To log out a user and prevent her from automatically logging back into a Web application, the Web application can forward the user to the Logout URL of UH Login. That URL will destroy the ticket-granting cookie that enables the single sign-on feature and redirect the user to the URL identified by the service parameter.
https://$WEBLOGIN-HOST/cas/logout?service=https://myserver/myapp
Info: The URL provided by the service parameter must be registered to use UH Login.
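The two logout forms above, put into application code. This is an added example and not code from the UH page or from phpCAS; it is written in PHP because the page's own samples are phpCAS. It assumes that $WEBLOGIN-HOST stands for the real UH Login host and that REGISTERED_SERVICES is a constructed stand-in for the URLs your application actually registered with UH Login.

```php
<?php
// Added example (not from the UH page or phpCAS): build the UH Login logout
// URL, optionally with a post-logout return target, and perform the logout.
// Assumption: '$WEBLOGIN-HOST' is the page's placeholder for the CAS host.
const WEBLOGIN_HOST = '$WEBLOGIN-HOST';

// Constructed sample: the service URLs this application has registered.
const REGISTERED_SERVICES = [
    'https://myserver/myapp',
];

/**
 * Return the UH Login logout URL.
 * With $service = null the user lands on the UH Login "logged out" page.
 * With a service the user is redirected back to it afterwards, but only if
 * it exactly matches a registered URL: UH Login rejects unregistered
 * services anyway, and refusing them here also keeps the application's own
 * logout link from forwarding users to arbitrary sites.
 */
function build_logout_url(?string $service = null): string
{
    $base = 'https://' . WEBLOGIN_HOST . '/cas/logout';
    if ($service === null) {
        return $base;
    }
    if (!in_array($service, REGISTERED_SERVICES, true)) {
        throw new InvalidArgumentException(
            "service URL is not registered with UH Login: $service"
        );
    }
    // http_build_query percent-encodes the value, so "://" and "?" inside the
    // service URL cannot break the logout URL's own query string.
    return $base . '?' . http_build_query(['service' => $service]);
}

/**
 * Log the user out of this application and then out of UH Login:
 * drop the local session first so nothing can revive it, then forward to
 * CAS, which destroys the ticket-granting cookie.
 */
function logout_and_redirect(?string $service = null): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION = [];
        session_destroy();
    }
    header('Location: ' . build_logout_url($service), true, 302);
    exit;
}

// Usage outside a request: show both URL forms.
echo build_logout_url(), "\n";
echo build_logout_url('https://myserver/myapp'), "\n";
```

Inside an application, call logout_and_redirect() from the page that handles the logout link; phpCAS::logout() in the samples below does the same two steps (local session teardown, then the redirect to /cas/logout) for you.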
...
config.php for phpCAS-1.6.0:

<?php
/**
 * The purpose of this central config file is configuring all examples
 * in one place with minimal work for your working environment.
 * Just configure all the items in this config according to your environment
 * and rename the file to config.php
 *
 * PHP Version 7
 *
 * @file     config.php
 * @category Authentication
 * @package  PhpCAS
 * @author   Joachim Fritschi <jfritschi@freenet.de>
 * @author   Adam Franco <afranco@middlebury.edu>
 * @license  http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
 * @link     https://wiki.jasig.org/display/CASC/phpCAS
 */

// Directory that contains CAS.php (keep the trailing slash)
$phpcas_path = '/usr/lib/php/CAS-1.3.1/CAS/';

///////////////////////////////////////
// Basic Config of the phpCAS client //
///////////////////////////////////////

// Full Hostname of your CAS Server ($WEBLOGIN-HOST is the UH Login host)
$cas_host = '$WEBLOGIN-HOST';

// Context of the CAS Server.
// The phpCAS client will use this as the root directory for the CAS server and
// append the required page calls.
$cas_context = '/cas';

// Port of your CAS server. Normally for a https server it's 443
$cas_port = 443;

// Path to the ca chain that issued the cas server certificate (see above).
// If you are unable to set this path, you will not be able to use the
// phpCAS::setCasServerCACert($cas_server_ca_cert_path) method
$cas_server_ca_cert_path = '/path/to/cachain.pem';

//////////////////////////////////////////
// Advanced Config for special purposes //
//////////////////////////////////////////

// The "real" hosts of clustered cas server that send SAML logout messages
// Assumes the cas server is load balanced across multiple hosts
$cas_real_hosts = array('$WEBLOGIN-HOST');

// Client service name (protocol, hostname and port) that phpCAS sends as the
// service parameter; it must match the URL registered with UH Login
$client_service_name = 'http://127.0.0.1';

// Client config for cookie hardening
$client_domain = '127.0.0.1';
$client_path = 'phpcas';
$client_secure = true;
$client_httpOnly = true;
$client_lifetime = 0;

// Database config for PGT Storage
$db = 'pgsql:host=localhost;dbname=phpcas';
//$db = 'mysql:host=localhost;dbname=phpcas';
$db_user = 'phpcasuser';
$db_password = 'mysupersecretpass';
$db_table = 'phpcastabel';
$driver_options = '';

///////////////////////////////////////////
// End Configuration -- Don't edit below //
///////////////////////////////////////////

// Generating the URLS for the local cas example services for proxy testing
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
    $curbase = 'https://' . $_SERVER['SERVER_NAME'];
} else {
    $curbase = 'http://' . $_SERVER['SERVER_NAME'];
}
if ($_SERVER['SERVER_PORT'] != 80 && $_SERVER['SERVER_PORT'] != 443) {
    $curbase .= ':' . $_SERVER['SERVER_PORT'];
}

$curdir = dirname($_SERVER['REQUEST_URI']) . "/";

// CAS client nodes for rebroadcasting pgtIou/pgtId and logoutRequest
$rebroadcast_node_1 = 'http://cas-client-1.example.com';
$rebroadcast_node_2 = 'http://cas-client-2.example.com';

// access to a single service
$serviceUrl = $curbase . $curdir . 'example_service.php';
// access to a second service
$serviceUrl2 = $curbase . $curdir . 'example_service_that_proxies.php';

$pgtBase = preg_quote(preg_replace('/^http:/', 'https:', $curbase . $curdir), '/');
$pgtUrlRegexp = '/^' . $pgtBase . '.*$/';

$cas_url = 'https://' . $cas_host;
if ($cas_port != '443') {
    $cas_url = $cas_url . ':' . $cas_port;
}
$cas_url = $cas_url . $cas_context;

// Set the session-name to be unique to the current script so that the client script
// doesn't share its session with a proxied script.
// This is just useful when running the example code, but not normally.
session_name(
    'session_for:-'
    . preg_replace('/[^a-z0-9-]/i', '_', basename($_SERVER['SCRIPT_NAME']))
);
// Set a UTF-8 encoding header for international characters (user attributes)
header('Content-Type: text/html; charset=utf-8');
?>
...
Sample PHP code to authenticate and retrieve attributes:

<?php
/**
 * phpCAS advanced client example for SAML with attributes and single logout
 *
 * PHP Version 7
 *
 * @file     example_advanced_saml11.php
 * @category Authentication
 * @package  PhpCAS
 * @author   Joachim Fritschi <jfritschi@freenet.de>
 * @author   Adam Franco <afranco@middlebury.edu>
 * @license  http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
 * @link     https://wiki.jasig.org/display/CASC/phpCAS
 */

// Load the settings from the central config file
require_once 'config.php';
// Load the CAS lib
require_once $phpcas_path . 'CAS.php';

// Enable debugging. Pass a PSR-3 logger to capture the output in a file if
// you want to see what your client is doing; make sure your application has
// read/write permissions on that file.
phpCAS::setLogger();
// Enable verbose error messages. Disable in production!
phpCAS::setVerbose(true);

// Initialize phpCAS.
// If you are interested in the return of user attributes, use the SAML 1.1
// protocol version:
phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context, $client_service_name);
// However, if you are only interested in user authentication, you can use
// the following:
// phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);

// For production use set the CA certificate that is the issuer of the cert
// on the CAS server and keep the line below. Otherwise comment out this
// line and uncomment the phpCAS::setNoCasServerValidation() one.
// Note, however, that if your App does not reside on the same server as CAS,
// you may run into problems determining the path to the certificate.
phpCAS::setCasServerCACert($cas_server_ca_cert_path);

// For quick testing you can disable SSL validation of the CAS server.
// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL!
// phpCAS::setNoCasServerValidation();

// Handle SAML logout requests that emanate from the CAS host exclusively.
// Failure to restrict SAML logout requests to authorized hosts could
// allow denial of service attacks where at the least the server is
// tied up parsing bogus XML messages.
phpCAS::handleLogoutRequests(true, $cas_real_hosts);

// Force CAS authentication on any page that includes this file
phpCAS::forceAuthentication();

// Renew CAS authentication with renew=true on any page that includes this file.
// Use this in place of phpCAS::forceAuthentication();
// phpCAS::renewAuthentication();

// Some small code triggered by the logout button, if desired
if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}
?>
<html>
  <head>
    <title>phpCAS simple client with user attributes</title>
  </head>
  <body>
    Authentication succeeded for user
    <strong><?php echo phpCAS::getUser(); ?></strong>.
    <h3>User Attributes</h3>
    <ul>
<?php
foreach (phpCAS::getAttributes() as $key => $value) {
    if (is_array($value)) {
        echo '<li>', $key, ':<ol>';
        foreach ($value as $item) {
            echo '<li><strong>', $item, '</strong></li>';
        }
        echo '</ol></li>';
    } else {
        echo '<li>', $key, ': <strong>', $value, '</strong></li>';
    }
}
?>
    </ul>
    <p><a href="?logout=">Logout</a></p>
  </body>
</html>
Theoretical examples of using CAS authentication across multiple pages, combined with using custom session variables.
...
Application Not Authorized to Use UH Login
Problem:
Your application cannot successfully authenticate against CAS.
Example error message:
The application you attempted to authenticate to is not authorized to use UH Login.
Solutions:
- If you have requested attributes, make sure you are using https.
- Check that the URL matches the URL specified in your original CAS URL registration request.
- Common errors:
- Adding or leaving out "www" so that the URL no longer matches the registered URL
- Using "http" as the protocol rather than "https"
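A small diagnostic for the mismatches listed above. This is an added example, not code from the UH page or from phpCAS. It rebuilds the URL phpCAS will send as the service parameter (the same scheme, host and port logic as config.php above) and compares it with the registered URL, naming the first mismatch it finds. Assumptions: REGISTERED_URL is a constructed sample, and a registration is taken to cover the registered path and everything beneath it; confirm the actual matching rule with the registration you submitted.

```php
<?php
// Added example (not from the UH page or phpCAS): explain why a request's
// service URL would fail the "not authorized to use UH Login" check.

// Constructed sample: the URL given in the CAS URL registration request.
const REGISTERED_URL = 'https://myserver/myapp';

/**
 * The absolute URL of the current request, derived from the server variables
 * the same way config.php builds $curbase. Pass $_SERVER in a web request;
 * outside one, pass a constructed array.
 */
function current_service_url(array $server): string
{
    $scheme = (isset($server['HTTPS']) && $server['HTTPS'] === 'on') ? 'https' : 'http';
    $url = $scheme . '://' . $server['SERVER_NAME'];
    $port = (int) ($server['SERVER_PORT'] ?? ($scheme === 'https' ? 443 : 80));
    if ($port !== 80 && $port !== 443) {
        $url .= ':' . $port;
    }
    return $url . ($server['REQUEST_URI'] ?? '/');
}

/**
 * Return null when $actual is covered by $registered, otherwise a one-line
 * reason that maps onto the common errors above (scheme, "www", host, port,
 * path).
 */
function explain_service_mismatch(string $registered, string $actual): ?string
{
    $r = parse_url($registered);
    $a = parse_url($actual);
    if ($r === false || $a === false
        || !isset($r['scheme'], $r['host'], $a['scheme'], $a['host'])) {
        return 'one of the URLs is not an absolute URL';
    }
    $rs = strtolower($r['scheme']);
    $as = strtolower($a['scheme']);
    if ($rs !== $as) {
        return "scheme mismatch: registered \"$rs\", request uses \"$as\""
            . ($as === 'http' ? ' (attributes are only released over https)' : '');
    }
    $rh = strtolower($r['host']);
    $ah = strtolower($a['host']);
    if ($rh !== $ah) {
        // Same host apart from a leading "www." is the first common error above.
        if (preg_replace('/^www\./', '', $rh) === preg_replace('/^www\./', '', $ah)) {
            return "\"www\" mismatch: registered host is \"$rh\", request host is \"$ah\"";
        }
        return "host mismatch: registered \"$rh\", request host is \"$ah\"";
    }
    $rport = $r['port'] ?? ($rs === 'https' ? 443 : 80);
    $aport = $a['port'] ?? ($as === 'https' ? 443 : 80);
    if ($rport !== $aport) {
        return "port mismatch: registered $rport, request uses $aport";
    }
    // Assumption: the registered path covers itself and everything beneath it.
    $rp = rtrim($r['path'] ?? '/', '/');
    $ap = $a['path'] ?? '/';
    if ($rp !== '' && $ap !== $rp && strpos($ap, $rp . '/') !== 0) {
        return "path mismatch: registered path \"$rp\" does not cover \"$ap\"";
    }
    return null;
}

// Constructed sample requests: one per common error, plus one that matches.
$checks = [
    'http://myserver/myapp',
    'https://www.myserver/myapp',
    'https://myserver/myapp/index.php',
];
foreach ($checks as $url) {
    echo $url, ' => ', explain_service_mismatch(REGISTERED_URL, $url) ?? 'matches registration', "\n";
}
// Against a live request:
// echo explain_service_mismatch(REGISTERED_URL, current_service_url($_SERVER)) ?? 'ok';
```

Run it once from the affected page with the live $_SERVER array before opening a ticket; the reason string tells you which part of the URL to correct in either the application or the registration request.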
...