Central Authentication Service (CAS) for web developers

CAS is the Central Authentication Service for UGent. CAS allows you to log on to secured UGent pages using your account.

If you develop web applications which require user authentication, you can make use of CAS. CAS provides single sign on and single sign out and can return extra parameters along with the authenticated login name.


How CAS works

Your web application directs the user to the CAS login page.

Following authentication, CAS redirects the user back to the original web application, whose url was passed in the service parameter. If the user is already logged on through another web application, no login page is presented (= Single Sign On).

For single sign out, CAS sends a POST request to all applications the user is logged on to.

CAS can be tested using the instructions below. If you wish to use CAS for local development, you can use https://localhost:8080/**. No application is required for this.
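The login flow described above, as an added example that is not part of this page or of phpCAS: the redirect to the login page with the service parameter, the back-channel ticket validation request, and the parsing of the CAS 2.0 serviceValidate response, including the failure case. The service URL and both XML responses are constructed; the attribute names are those listed further down the page.

```python
# Added example, not part of the UGent page or phpCAS: the three steps of a CAS 2.0
# login as an application sees them. The service URL and XML responses are constructed.
from urllib.parse import urlencode
import xml.etree.ElementTree as ET   # use defusedxml in production to harden XML parsing

CAS_SERVER = "https://login.ugent.be"            # from the page
SERVICE = "https://foo.ugent.be/bar/index.php"   # constructed service URL of the application
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

def login_redirect_url(service=SERVICE):
    """Step 1: where the application sends an unauthenticated user."""
    return f"{CAS_SERVER}/login?" + urlencode({"service": service})

def validate_url(ticket, service=SERVICE):
    """Step 2: after CAS redirects back with ?ticket=ST-..., the application validates the
    ticket over TLS. The service value must match the one used in step 1 exactly."""
    return f"{CAS_SERVER}/serviceValidate?" + urlencode({"service": service, "ticket": ticket})

def parse_validation_response(xml_text):
    """Step 3: read the serviceValidate body. Never trust the ticket before this succeeds."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code"), "message": (failure.text or "").strip()}
    success = root.find("cas:authenticationSuccess", CAS_NS)
    attrs = {}
    for el in success.findall("cas:attributes/*", CAS_NS):
        name = el.tag.split("}")[1]                  # strip the namespace
        attrs.setdefault(name, []).append((el.text or "").strip())   # attributes may be multi-valued
    return {"ok": True, "uid": success.find("cas:user", CAS_NS).text.strip(), "attributes": attrs}

# Constructed sample responses (not captured from login.ugent.be); attribute names are
# from the page's list, values are made up.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@ugent.be</cas:mail>
      <cas:surname>Doe</cas:surname>
      <cas:objectClass>inetOrgPerson</cas:objectClass>
      <cas:objectClass>person</cas:objectClass>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1-constructed not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

A real client sends the URL from validate_url() with an HTTPS client that verifies the CAS server certificate, then feeds the response body to parse_validation_response().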


Setting up a CAS client

Registration is required. Enter the following:

  1. your web application url
  2. a short description of your web application
  3. the attributes you wish to use

URL

A registration is only possible when:

  • the dns record exists
  • the dns record is registered by UGent DICT
  • the server hosting the url is on the infrastructure of UGent DICT (no external hosting).
    Externally hosted sites can use the CAS SR on an internal site via a 301 redirect.
  • the url is hosted on an ssl / tls protected site. It must start with https://.
    For webshares this is provided automatically by DICT. For webservers on VMs you must provide this yourself. See also: https://helpdesk.ugent.be/webhosting/csr.php
    The ssl certificate and its installation are validated before the CAS SR is approved.

CAS uses your web application url to compare the service parameter with the registered web applications. If a CAS redirect occurs in several pages of an application, you can enter the main url, followed by 2 *s (= wildcards). Be careful if you have other web applications in the same domain.

https://foo.UGent.be/bar/**

Attributes (optional)

By default, the login name (uid) is returned. The following LDAP attributes are available on demand:

  • mail
  • department
  • givenname
  • surname
  • objectClass
  • lastenrolled
  • jobcategory
  • addressingtitle
  • extcategory
  • ugentID
  • faculty

In this way, you can request LDAP attributes without having to address the UGent LDAP from within your application. Based on the requirements of your applications, the above attribute list may be adapted.

Use CAS for authentication only, not for session management. You should provide session management in your application. Make sure that the authenticated login name is stored after successful authentication.
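Single sign out (described under "How CAS works") and the application's own session management meet at one point: the application must remember which service ticket created each session, because that ticket is what CAS sends in its logout POST. The following added example (not part of this page or of phpCAS) shows that bookkeeping and the handling of the POST; session ids, tickets and the XML body are constructed, and the sender allow-list mirrors the phpCAS::handleLogoutRequests call in the PHP example below.

```python
# Added example, not part of the UGent page or phpCAS: an application that keeps its own
# sessions and honours the single sign out POST from CAS. Session ids and XML are constructed.
import xml.etree.ElementTree as ET   # use defusedxml in production
from urllib.parse import parse_qs, urlencode

SAMLP_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
LOGOUT_SENDERS = ("login.ugent.be",)   # same allow-list as phpCAS::handleLogoutRequests on the page

class SessionStore:
    """The application's own session store. Besides the login name, remember the service
    ticket that created each session: that is the key CAS uses in its logout request."""
    def __init__(self):
        self.sessions = {}    # session_id -> {"uid": ..., "ticket": ...}
        self.by_ticket = {}   # ticket -> session_id

    def create(self, session_id, uid, ticket):
        self.sessions[session_id] = {"uid": uid, "ticket": ticket}
        self.by_ticket[ticket] = session_id

    def destroy_by_ticket(self, ticket):
        session_id = self.by_ticket.pop(ticket, None)
        if session_id is not None:
            del self.sessions[session_id]
        return session_id

def ticket_from_logout_request(post_body):
    """CAS posts a form field logoutRequest=<samlp:LogoutRequest>; its SessionIndex is the
    service ticket validated when the session started. Returns None if it is missing."""
    xml_text = parse_qs(post_body).get("logoutRequest", [None])[0]
    if not xml_text:
        return None
    index = ET.fromstring(xml_text).find("samlp:SessionIndex", SAMLP_NS)
    return index.text.strip() if index is not None and index.text else None

def handle_single_logout(store, post_body, sender_host):
    """Destroy the session tied to the ticket; ignore requests from unexpected senders."""
    if sender_host not in LOGOUT_SENDERS:
        return None
    ticket = ticket_from_logout_request(post_body)
    return store.destroy_by_ticket(ticket) if ticket else None

# Constructed sample: the body CAS would POST to the application for ticket ST-1-constructed.
LOGOUT_XML = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="LR-1-constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex>
</samlp:LogoutRequest>"""
LOGOUT_POST_BODY = urlencode({"logoutRequest": LOGOUT_XML})
```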


Examples for users


Simple CAS authentication on webshares

CAS is enabled by default on the webshare servers.
Authentication can be enabled by adding this to the .htaccess file on your webshare:

AuthType CAS
Require valid-user

This enables CAS and requires a successful login with an active UGent account.
People without a UGent account can't access your site.

Limiting access to a specific user:

Require user username

Replace 'username' by the actual username. This line can be used multiple times.

Other CAS attributes can be used as well:

Require cas-attribute surname:Peters

This allows access to people whose surname is 'Peters'.
You can use any attribute that you enable in your CAS service registration.

More info is available on https://github.com/apereo/mod_auth_cas


PHP examples

Note: if you experience problems when updating your system, it is recommended to update the CAS client as well.


Requirements

PHP 7.3, built with:

  • --with-curl
  • --with-openssl
  • --with-dom
  • --with-zlib

General example

A php CAS library is available at: https://github.com/apereo/phpCAS.
The example below illustrates the use of the library:

Please adapt the certificate path to the actual certificate location! When the certificate path is incorrect, it will produce an infinite redirect loop error.

<?php

include_once('CAS.php');

// phpCAS::setDebug('/srv/vhost/mijnsite.ugent.be/htdocs/tmp/phpCAS.log'); // Writes debug information to a log file

// Parameters: CAS version, CAS server host, CAS server port, CAS server URI ('' because the
// server runs at the root of the host), boolean indicating that phpCAS starts the session.
// Note: phpCAS 1.6 and later expect the service base URL of your application as the fifth
// parameter; check the phpCAS::client() signature of the version you install.
phpCAS::client(CAS_VERSION_2_0, 'login.ugent.be', 443, '', true);

// Only accept single sign out (logout) requests sent by this server
phpCAS::handleLogoutRequests(true, array('login.ugent.be'));

// Path to the "trusted certificate authorities" file (adapt to your system, see the note above):
phpCAS::setCasServerCACert('/etc/ssl/certs/ca-certificates.crt');
// No server verification (less safe!):
// phpCAS::setNoCasServerValidation();

// The actual user authentication: redirects to the CAS login page when needed
phpCAS::forceAuthentication();

// Handle a click on the logout link below
if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}
?>
<html>
  <head>
    <title>phpCAS simple client</title>
  </head>
  <body>
    <h1>Successful Authentication!</h1>

    <p>The user's login is <b><?php echo htmlspecialchars(phpCAS::getUser()); ?></b>.</p>
    <p>The attributes are:</p>
    <?php
    // Attribute values come from the CAS server; escape them before echoing them into HTML
    echo '<ul>';
    $attr = phpCAS::getAttributes();
    foreach ($attr as $key => $value) {
        if (!is_array($value)) {
            echo '<li>' . htmlspecialchars($key) . ' => ' . htmlspecialchars($value) . '</li>';
        } else {
            // Multi-valued attributes (e.g. objectClass) are returned as arrays
            echo '<li>' . htmlspecialchars($key) . '</li>';
            echo '<ul>';
            foreach ($value as $v) {
                echo '<li>' . htmlspecialchars($v) . '</li>';
            }
            echo '</ul>';
        }
    }
    echo '</ul>';
    ?>
    <p>phpCAS version is <b><?php echo phpCAS::getVersion(); ?></b>.</p>
    <p><a href="?logout=">Logout</a></p>
  </body>
</html>


UGCAS_Simple example

This example is specifically designed for sites on UGent webshares, but can also be used in other places.

UGCAS_Simple is a CAS client module which returns the username of the person after a successful login.
No extra attributes nor logout are supported. UGCAS_Simple can be downloaded from UGCAS_Simple-0.3.zip and contains:

  • UGCAS_Simple.php: the PHP CAS module. Place it where PHP can find it.
  • hello.php: simple example
  • hello2.php: slightly extended example

Java example

Use the Java Apereo CAS Client with the following parameters:

  • casServerUrlPrefix: https://login.ugent.be
  • serverName: https://YourCasService.ugent.be:443


Spring security

CAS authentication can be integrated into a Spring-based application using Spring Security.

Spring Security offers out-of-the-box support for CAS 3. See http://static.springsource.org/spring-security/site/docs/3.0.x/reference/cas.html for the excellent Spring Security online documentation.

You can download an example from CasSpringsecurityExample.zip. Developers must reconfigure the UserDetailService bean for their environment.


Maven

The Java CAS client can easily be integrated into a Maven-based build system:

<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-client-core</artifactId>
    <version>3.6.4</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas.client</groupId>
    <artifactId>cas-client-support-saml</artifactId>
    <version>${java.cas.client.version}</version>
</dependency>

SSL

Service tickets are validated over an SSL connection with the CAS server. It is therefore necessary that the CAS server certificate is installed into the JVM on which the Java application will run:

sudo $JAVA_HOME/bin/keytool -import -alias login.ugent.be -file CERTIFICATE_FILE \
     -keystore $JAVA_HOME/jre/lib/security/cacerts

.NET example

Use the Apereo .NET CAS Client with the following parameters:

  • casServerLoginUrl: https://login.ugent.be/login
  • casServerUrlPrefix: https://login.ugent.be
  • serverName: https://YourCasService.ugent.be:443
  • ticketValidatorName: Cas20