...

  1. Will authentication include the release of attributes to your application?
    1. If yes, UH Data Governance guidelines apply. For each unique application you must submit a separate request. This means that you cannot register a single URL and host multiple applications under it.
  2. Is your application hosted on a non-UH server?
    1. If yes, your request may be subject to the UH Data Sharing Request process. Please send an inquiry to datagov@hawaii.edu or call 956-7487.

Register Your Application URL

...

  • url (DISABLED)

    Note

    Although Apereo's CAS protocol documentation describes the use of the url parameter, the Apereo developers have disabled it in recent versions of CAS to prevent potential abuse. Their explanation of the situation may be found in this thread from the cas-users mailing list. The url parameter defined in the former CAS 2.0 specification is not a valid parameter in CAS 3.0 anymore. CAS Servers MUST ignore given url parameters.


Examples
  • To log out a user and prevent her from automatically logging back into a Web application, the Web application can forward the user to the UH Login logout URL. That URL destroys the ticket-granting cookie that enables the single sign-on feature and shows the user a page informing her that she has logged out of UH Login.

    No Format
    https://$WEBLOGIN-HOST/cas/logout
    


  • To log out a user and prevent her from automatically logging back into a Web application, the Web application can forward the user to the UH Login logout URL with a service parameter. That URL destroys the ticket-granting cookie that enables the single sign-on feature and then redirects the user to the URL identified by the service parameter.

    No Format
    https://$WEBLOGIN-HOST/cas/logout?service=https://myserver/myapp
    


    Info

    The URL provided by the service parameter must be registered to use UH Login.
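The following PHP helper is an added example and is not code from the original page or from UH Login. It builds the two logout URLs shown above and, because an application that keeps its own session alongside UH Login (as the PHP examples further down do) would otherwise leave that local session alive after the UH Login cookie is gone, it clears the application session before forwarding the browser. $weblogin_host stands for the real UH Login host, and $PHP_SESS_ID is the application's own session name from its configuration file; both are assumptions.

```php
<?php
// Added example (not from the original page): logout helper for an application
// that keeps its own PHP session next to the UH Login single sign-on session.
// Assumptions: $weblogin_host is the UH Login host (placeholder) and
// $session_name is the application's session name ($PHP_SESS_ID in the page's examples).

/**
 * Build the UH Login logout URL.  With no $service the user lands on the
 * "you have logged out" page; with a $service, UH Login redirects there
 * afterwards.  The service URL must be one registered to use UH Login.
 */
function uh_login_logout_url( $weblogin_host, $service = null ) {
    $url = "https://" . $weblogin_host . "/cas/logout";
    if ( $service !== null ) {
        // Percent-encode so a service URL with its own query string survives intact.
        $url .= "?service=" . rawurlencode( $service );
    }
    return $url;
}

/**
 * Destroy the application's own session (data, server-side record and cookie),
 * so a page like other_pages.php no longer finds a stored CAS token.
 */
function destroy_app_session( $session_name ) {
    session_name( $session_name );
    if ( session_status() !== PHP_SESSION_ACTIVE ) {
        session_start();
    }
    $_SESSION = array();
    if ( ini_get( "session.use_cookies" ) ) {
        // Expire the session cookie in the browser as well (php.net idiom).
        $p = session_get_cookie_params();
        setcookie( session_name(), '', time() - 42000,
                   $p["path"], $p["domain"], $p["secure"], $p["httponly"] );
    }
    session_destroy();
}

/**
 * Full logout: clear the local session first, then hand the browser to
 * UH Login, which removes the single sign-on ticket-granting cookie.
 */
function logout_and_redirect( $weblogin_host, $session_name, $service = null ) {
    destroy_app_session( $session_name );
    header( "Location: " . uh_login_logout_url( $weblogin_host, $service ) );
    exit();
}

// Usage on the application's own logout page (constructed values):
// logout_and_redirect( $weblogin_host, $PHP_SESS_ID, "https://myserver/myapp" );
```

The order matters: the local session is destroyed before the redirect is sent, because once the Location header goes out no further code on the application's side runs for this request.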


...

Example PHP code to retain CAS3 CAS authentication across multiple pages

To use CAS across multiple pages, there are two ways to go about it:

The first is to include your phpcas-test.php file at the top of each page. This activates the phpCAS client and determines whether the user has authenticated. You can modify your phpcas-test.php file to first check phpCAS::isAuthenticated(), which returns a boolean true or false; if it returns false you can call phpCAS::forceAuthentication().

The second applies if you intend to use custom session variables across your pages. phpCAS has its own session management values that may interfere with whatever you're doing, so the solution I came up with was storing those CAS values into my app's session variables.

Please note that all examples provided here are extremely condensed, as I am only attempting to demonstrate how one can retain CAS session values along with app-specific session values. As such, they should be treated more like pseudocode or an algorithm.

Code Block: index.php
==========================================
index.php (summarized)
This page authenticates the user to my application.  Here I check if the user
is authenticated, and if so, I capture the CAS3CAS session values and user
attributes.
==========================================
<?php

include_once( "../../lib/cas3cas.class.inc.php" );
// This file is similar to the phpcas-test.php example
// The inclusion of this file activates the phpCAS client, and can
// trigger the authentication of the user if they're not logged in.
// My cas3cas.class.inc.php file is below this example.

// Display session values, to double-check what we have
// The value of $DEBUG is set in my app's configuration file.
// You will notice that the session id and name are set by CAS3.
if ( $DEBUG ) {
    if ( isset( $_SESSION ) ) {
        print "<p />SESSION values set<br />";
        print "Session ID: " . session_id() . "<br />";
        print "Session Name: " . session_name(). "<br />";
        print_r( $_SESSION );
        print "<p />";
    }
}

// Save the attributes
$cas_attributes = array();
foreach ( phpCAS::getAttributes() as $key => $value ) {
    $cas_attributes[$key] = $value;
    // print_r() with its second argument set also renders multi-valued attributes
    $DEBUG && print "phpCAS attribute: $key, Value: " . print_r( $value, true ) . "<br />";
}

// Save the token
$cas_token = session_id();

// Leave PHP mode before the HTML below; the form re-enters it where needed.
?>
<!-- HTML form to log user into my application.  I've cut out elements like -->
<!-- the text fields  for username and password entry to focus on CAS3 session -->
<!-- Here, I am submitting the user attributes as hidden fields to the -->
<!-- next page that does the app authentication -->
<form action="app_authentication.php" name="logging_in" method="POST">
    <input type="hidden" name="state" value="cas3cas_authenticated" />
    <?php
    // Names and values are HTML-escaped so that a value containing quotes or
    // angle brackets cannot break out of the hidden input element.
    foreach ( $cas_attributes as $name => $attribute ) {
        $safe_name = htmlspecialchars( $name, ENT_QUOTES, 'UTF-8' );
        if ( ! is_array($attribute) ) {
            print '<input type="hidden" name="cas_attributes['.$safe_name.']" value="'
                  . htmlspecialchars( $attribute, ENT_QUOTES, 'UTF-8' ) . '" />';
        }
        else {
            // Some CAS3CAS user attributes are multi-valued.
            foreach ( $attribute as $sub_name => $sub_attr ) {
                print '<input type="hidden" name="cas_attributes['.$safe_name.']['
                      . htmlspecialchars( $sub_name, ENT_QUOTES, 'UTF-8' ) . ']" value="'
                      . htmlspecialchars( $sub_attr, ENT_QUOTES, 'UTF-8' ) . '" />';
            }
        }
    }
    ?>
    <input type="hidden" name="cas_token" value="<?php print htmlspecialchars( $cas_token, ENT_QUOTES, 'UTF-8' ); ?>" />
</form>


Code Block: cas3cas.class.inc.php
==========================================
cas3cas.class.inc.php
simplified version
==========================================
<?php
require_once "PHPCAS_CONFIG.php";       // this is my config file
require_once $phpcas_path . "CAS.php";  // import phpCAS

phpCAS::setDebug( "/filepath/to/where/i/store/app/logs/cas_debug.log" );
phpCAS::client( SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context, $client_service_name );
phpCAS::setCasServerCACert( $cas_server_ca_cert_path );
phpCAS::handleLogoutRequests( TRUE, $cas_real_hosts );

// If the user isn't authenticated, force authentication
// Here is where we determine if a user has logged in via CAS3CAS
if ( ! phpCAS::isAuthenticated() ) {
    phpCAS::forceAuthentication();
}

if ( isset( $_GET['logout'] ) ) {
    phpCAS::logout();
}
?>


Code Block: app_authentication.php
==========================================
app_authentication.php
This page just handles authenticating my application, as users have passwords
that are not the same as their UH account passwords.
==========================================
<?php

// IMPORTANT!
// Note that I do not include cas3cas.class.inc.php in this page!  If I did,
// phpCAS removes my app's session in order to use its own, and I end up losing
// the user-submitted form in the same process.

// Check if we have the POSTed "state" value of "cas3cas_authenticated" from index.php
if ( (! isset( $_POST['state']) ) || ($_POST['state'] != 'cas3cas_authenticated') ) {
    header( "Location: index.php?error=unauthenticated" );
    exit();
}

// Grab the username, app password, and CAS values
$entered_username   = $_POST[ 'username' ];
$entered_password   = $_POST[ 'password' ];
$cas_attributes     = $_POST[ 'cas_attributes' ];
$cas_token          = $_POST[ 'cas_token' ];

// Start a new session (non CAS session)
session_name( $PHP_SESS_ID );  // This is set in my app's config file so I can reuse and recall anywhere
if ( ! session_start() ) {
    die( "Could not start non-CAS session!" );
}

// Debugging statements, to ensure the values and constants are what I expect them to be.
// Note here that the session id and name should be values that I just set.
$DEBUG && print "
    <p />
    Session Name: ".session_name()."<br />
    Session ID: ".session_id()."<br />
    APP HOST: $APP_HOST<br />
    LDAP: $LDAP_HOST<br />
    Location: ".$_SERVER['PHP_SELF']."
    <p />
";

// Assume I have code to validate the user's name and password.
// Next I store the CAS attributes and token into my currently-active session ($PHP_SESS_ID)
if ( $user_validated ) {
    $_SESSION[ $CAS_ATTRIBUTES  ] = $cas_attributes;
    $_SESSION[ $CAS_TOKEN       ] = $cas_token;
}
?>


Code Block: other_pages.php
==========================================
all other pages in my application
Now that I have stored the CAS3CAS token and attributes, I can access them
in the rest of my application.
==========================================
<?php

// I still do not include the cas3cas.class.inc.php page

// Start a new session (non CAS session); $PHP_SESS_ID is the same name used in app_authentication.php
session_name( $PHP_SESS_ID );
if ( (! isset( $_SESSION)) || (! $_SESSION) ) {
    if ( ! session_start() ) {
        die( "Cannot start non-CAS session!");
    }
}

// Here I check that the user has a CAS3CAS token (which was set in app_authentication.php)
if ( (! isset( $_SESSION[$CAS_TOKEN] )) || ($_SESSION[$CAS_TOKEN] == $EMPTY_STR) ) {
    $file->write_log_file( "Unauthenticated access to ".$_SERVER['PHP_SELF'], $LOG_DIR.$LOG_WEBLOG );
    header( "Location: index.php?error=unauthenticated" ); // index.php has an error-handler.
    exit();
}

$cas_attributes         = $_SESSION[ $CAS_ATTRIBUTES ];
$uh_username            = $cas_attributes[ $UID ];
$uh_number              = $cas_attributes[ $UHUUID ];

// session id and name should still be the values I set, not CAS3CAS's values.
// You could also include the CAS3CAS values in this debug statement if you
// wanted to verify retention and accuracy.
$DEBUG && print "
    <p />
    Session Name: ".session_name()."<br />
    Session ID: ".session_id()."<br />
    APP HOST: $APP_HOST<br />
    LDAP: $LDAP_HOST<br />
    USER: $uh_username<br />
    UHUUID: $uh_number<br />
    Location: ".$_SERVER['PHP_SELF']."
    <p />
";
?>
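The examples above carry the CAS attributes and token from index.php to app_authentication.php as hidden form fields, and app_authentication.php takes them from $_POST. Hidden fields are part of the browser's request and can be edited before submission, so the following is an added example (not code from the original page or from phpCAS) of the same hand-off done entirely on the server: phpCAS is run, its values are read while its session is still active, and they are then written straight into the application's own session. It assumes the configuration variables named in the page's examples ($phpcas_path, $cas_host, $cas_port, $cas_context, $client_service_name, $cas_server_ca_cert_path, $PHP_SESS_ID, $CAS_ATTRIBUTES, $CAS_TOKEN), a PHP 7 or later runtime for random_bytes(), and the session key 'cas_authenticated', which is chosen here.

```php
<?php
// Added example, not part of the original page: server-side hand-off of the
// CAS identity into the application's own session, replacing the hidden-field
// round trip of index.php / app_authentication.php.
// Assumptions: PHPCAS_CONFIG.php defines $phpcas_path, $cas_host, $cas_port,
// $cas_context, $client_service_name, $cas_server_ca_cert_path, $PHP_SESS_ID,
// $CAS_ATTRIBUTES and $CAS_TOKEN (as in the page's examples); PHP 7+.
require_once "PHPCAS_CONFIG.php";
require_once $phpcas_path . "CAS.php";

/**
 * Run phpCAS (which owns the active session while it runs), then move the
 * user's identity into the application session and return it.
 * Call this before any output: session_start() must still be able to send a cookie.
 */
function cas_login_into_app_session() {
    global $cas_host, $cas_port, $cas_context, $client_service_name,
           $cas_server_ca_cert_path, $PHP_SESS_ID, $CAS_ATTRIBUTES, $CAS_TOKEN;

    phpCAS::client( SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context, $client_service_name );
    phpCAS::setCasServerCACert( $cas_server_ca_cert_path );
    phpCAS::forceAuthentication();   // redirects to UH Login and exits if not yet authenticated

    // 1. Read everything needed while phpCAS's session is the active one.
    $identity = array(
        'user'       => phpCAS::getUser(),
        'attributes' => phpCAS::getAttributes(),
        'cas_token'  => session_id(),   // phpCAS session id, as the page's examples keep it
    );

    // 2. Release phpCAS's session and open the application session under its
    //    own name.  A freshly generated id is forced so PHP does not resume the
    //    phpCAS id, and so no pre-login id is carried into the logged-in session.
    session_write_close();
    session_name( $PHP_SESS_ID );
    session_id( bin2hex( random_bytes( 16 ) ) );
    if ( ! session_start() ) {
        die( "Could not start non-CAS session!" );
    }

    // 3. Store the identity; app_authentication.php reads it from here, not from $_POST.
    $_SESSION[ $CAS_ATTRIBUTES ]    = $identity['attributes'];
    $_SESSION[ $CAS_TOKEN ]         = $identity['cas_token'];
    $_SESSION[ 'cas_user' ]         = $identity['user'];
    $_SESSION[ 'cas_authenticated' ] = true;   // replaces the POSTed "state" field
    session_write_close();

    return $identity;
}

/**
 * Guard for app_authentication.php and every later page: true only when the
 * application session carries a CAS identity placed there by the function above.
 */
function app_session_has_cas_identity() {
    global $PHP_SESS_ID, $CAS_TOKEN;
    if ( session_status() !== PHP_SESSION_ACTIVE ) {
        session_name( $PHP_SESS_ID );
        session_start();
    }
    return ! empty( $_SESSION['cas_authenticated'] ) && ! empty( $_SESSION[ $CAS_TOKEN ] );
}

// index.php: authenticate, then render the application's own login form.
// The form now carries only the app username/password; the CAS values stay server-side.
$identity = cas_login_into_app_session();
?>
<form action="app_authentication.php" name="logging_in" method="POST">
    <p>Logged in to UH Login as <?php print htmlspecialchars( $identity['user'], ENT_QUOTES, 'UTF-8' ); ?></p>
    <input type="text"     name="username" />
    <input type="password" name="password" />
    <input type="submit"   value="Log in" />
</form>
```

With this arrangement app_authentication.php starts with `if ( ! app_session_has_cas_identity() ) { header( "Location: index.php?error=unauthenticated" ); exit(); }` and takes $cas_attributes from $_SESSION; the reason the page gives for not including cas3cas.class.inc.php on that page still holds, since phpCAS is only ever run on index.php.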


...

Application Not Authorized to Use UH Login

Problem:

Your application cannot successfully authenticate against CAS.

Example error message:


The application you attempted to authenticate to is not authorized to use UH Login.


Solutions:

  • If you have requested attributes, make sure you are using https.
  • Check that the URL matches the URL specified in your original CAS URL registration request.
    • Common errors
      • Adding or leaving out "www" so that the URL no longer matches the registered URL
      • Using "http" as the protocol rather than "https"
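As an added example (not from the original page), the following PHP function compares the service URL an application will present to UH Login with the URL that was registered and reports the differences, including the two common errors listed above. The comparison rule it applies (same scheme, host and port, and a service path at or below the registered path) is an assumption made here; the registration's actual matching rule is not stated on this page, so treat the output as a hint, not a verdict.

```php
<?php
// Added example, not from the original page: self-check of a service URL
// against the registered UH Login URL.  The matching rule (same scheme, host
// and port; path at or below the registered path) is an assumption.

/**
 * Return a list of mismatches between $service_url and $registered_url.
 * An empty list means the URLs agree under the assumed rule.
 * $attributes_requested adds the https requirement that applies when attributes are released.
 */
function service_url_problems( $service_url, $registered_url, $attributes_requested = false ) {
    $problems = array();
    $svc = parse_url( $service_url );
    $reg = parse_url( $registered_url );
    if ( $svc === false || $reg === false || empty( $svc['host'] ) || empty( $reg['host'] ) ) {
        return array( "one of the URLs could not be parsed" );
    }

    $svc_scheme = strtolower( isset( $svc['scheme'] ) ? $svc['scheme'] : '' );
    $reg_scheme = strtolower( isset( $reg['scheme'] ) ? $reg['scheme'] : '' );
    if ( $svc_scheme !== $reg_scheme ) {
        $problems[] = "protocol is '$svc_scheme' but '$reg_scheme' was registered";
    }
    if ( $attributes_requested && $svc_scheme !== 'https' ) {
        $problems[] = "attributes were requested but the service URL is not https";
    }

    $svc_host = strtolower( $svc['host'] );
    $reg_host = strtolower( $reg['host'] );
    if ( $svc_host !== $reg_host ) {
        // Spell out the most frequent cause: a "www." prefix on one side only.
        if ( preg_replace( '/^www\./', '', $svc_host ) === preg_replace( '/^www\./', '', $reg_host ) ) {
            $problems[] = "host differs only by 'www.': '$svc_host' vs registered '$reg_host'";
        } else {
            $problems[] = "host is '$svc_host' but '$reg_host' was registered";
        }
    }

    // Default ports so that "https://host" and "https://host:443" compare equal.
    $svc_port = isset( $svc['port'] ) ? $svc['port'] : ( $svc_scheme === 'https' ? 443 : 80 );
    $reg_port = isset( $reg['port'] ) ? $reg['port'] : ( $reg_scheme === 'https' ? 443 : 80 );
    if ( $svc_port !== $reg_port ) {
        $problems[] = "port is $svc_port but $reg_port was registered";
    }

    $svc_path   = isset( $svc['path'] ) ? $svc['path'] : '/';
    $reg_path   = isset( $reg['path'] ) ? $reg['path'] : '/';
    $reg_prefix = rtrim( $reg_path, '/' );
    if ( $svc_path !== $reg_path && strpos( $svc_path, $reg_prefix . '/' ) !== 0 ) {
        $problems[] = "path '$svc_path' is not at or below the registered path '$reg_path'";
    }
    return $problems;
}

// Constructed sample values; a real check uses the URL from your registration request.
$registered = "https://myserver.example.edu/myapp";
$candidates = array(
    "https://myserver.example.edu/myapp/index.php",   // matches
    "http://myserver.example.edu/myapp",              // wrong protocol
    "https://www.myserver.example.edu/myapp",         // stray "www"
);
foreach ( $candidates as $candidate ) {
    $problems = service_url_problems( $candidate, $registered, true );
    print $candidate . ": " . ( $problems ? implode( "; ", $problems ) : "matches registration" ) . "\n";
}
```

Run it from the command line with the registered URL filled in; the second sample reports the protocol, the missing https for attributes and the resulting port difference, and the third reports the "www." mismatch.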


...