CAS is the Central Authentication Service for UGent. CAS allows you to log on to secured UGent pages using your account.
If you develop web applications which require user authentication, you can make use of CAS. CAS provides single sign on and single sign out and can return extra parameters along with the authenticated login name.
Your web application directs the user to the CAS login page.
Following authentication, CAS redirects the user to the original web application, which was passed within the url as service parameter. If the user is logged on to another web application, no login page will be presented. (= Single Sign On)
For single sign out, CAS sends a POST request to all applications the user is logged on to.
CAS can be tested using the instructions below. If you wish to use CAS for local development, you can use https://localhost:8080/**. No registration application is required for this.
Registration is required. Enter the following:
A registration is only possible when
CAS compares the service parameter of each request against the registered web application URLs. If a CAS redirect occurs on several pages of an application, you can register the main URL followed by two asterisks (** = wildcard). Be careful if you have other web applications in the same domain: a wildcard registration also matches their URLs.
https://foo.UGent.be/bar/**
By default, the login name (uid) is returned. The following LDAP attributes are available on request:
In this way, you can obtain LDAP attributes without having to query the UGent LDAP from within your application. Depending on the requirements of your application, the above attribute list may be adapted.
Use CAS for authentication only, not for session management. You should provide session management in your application. Make sure that the authenticated login name is stored after successful authentication.
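The two CAS messages an application handles after the redirect described above (the /serviceValidate response with the login name and attributes, and the single sign out POST), together with the application-side session store that the previous paragraph asks you to provide. This is an added example written for this page, not code from the UGent documentation or from phpCAS; the XML samples and the ticket value "ST-1-abc" are constructed placeholders.

```python
# Added example, not code from the UGent page or from phpCAS: the two CAS
# messages an application handles after the redirect, parsed with the standard
# library. Sample XML and the ticket "ST-1-abc" are constructed placeholders.
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}


def parse_service_validate(xml_text):
    """CAS 2.0 /serviceValidate response -> (user, attributes dict). Repeated
    attribute elements become lists; a failure raises ValueError(code)."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise ValueError(failure.get("code", "UNKNOWN"))
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise ValueError("no authenticationSuccess element")
    attrs = {}
    for el in success.findall("cas:attributes/*", NS):
        attrs.setdefault(el.tag.split("}", 1)[1], []).append(el.text)
    return success.findtext("cas:user", namespaces=NS), attrs


def parse_logout_request(xml_text):
    """SessionIndex (the service ticket) from the 'logoutRequest' POST body."""
    return ET.fromstring(xml_text).findtext("samlp:SessionIndex", namespaces=NS)


class Sessions:
    """App-side session store: CAS only authenticates. The service ticket is
    kept so a single sign out request can be mapped to the local session."""
    def __init__(self):
        self.by_id, self.by_ticket = {}, {}

    def login(self, ticket, validate_xml):
        user, attrs = parse_service_validate(validate_xml)
        sid = "local-" + ticket  # placeholder; use a random id in real code
        self.by_id[sid] = {"user": user, "attrs": attrs}
        self.by_ticket[ticket] = sid
        return sid

    def single_logout(self, logout_xml):
        sid = self.by_ticket.pop(parse_logout_request(logout_xml), None)
        return self.by_id.pop(sid, None) is not None  # False: unknown ticket


VALIDATE_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
 <cas:authenticationSuccess><cas:user>jdoe</cas:user><cas:attributes>
  <cas:mail>jdoe@ugent.be</cas:mail><cas:memberOf>students</cas:memberOf>
  <cas:memberOf>cs</cas:memberOf></cas:attributes></cas:authenticationSuccess>
</cas:serviceResponse>"""
LOGOUT_REQ = """<samlp:LogoutRequest xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'
 ID='_1' Version='2.0' IssueInstant='2024-01-01T00:00:00Z'>
 <samlp:SessionIndex>ST-1-abc</samlp:SessionIndex></samlp:LogoutRequest>"""
```

A logout request whose SessionIndex was never seen is ignored (returns False), so the same POST replayed twice only destroys a session once.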
CAS is enabled by default on the webshare servers.
Authentication can be enabled by adding the following to the .htaccess file on your webshare:
AuthType CAS
Require valid-user
This enables CAS and requires a successful login with an active UGent account.
Require user username
Replace 'username' by the actual username.
Require cas-attribute surname:Peters
This allows access to people whose surname is 'Peters'.
More info is available on https://github.com/apereo/mod_auth_cas
Note: if you experience problems after updating your system, it is recommended to update the CAS client as well.
Requirements
PHP 7.3
General example
A php CAS library is available at: https://github.com/apereo/phpCAS.
The example below illustrates the use of the library:
Please adapt the certificate path to the actual certificate location! When the certificate path is incorrect, it will produce an infinite redirect loop error.
<?php
include_once('CAS.php');

// phpCAS::setDebug('/srv/vhost/mijnsite.ugent.be/htdocs/tmp/phpCAS.log'); // Writes debug information to a log file

// Parameters: CAS version, CAS server url, CAS server port, CAS server URI (same as host),
// boolean indicating session start
// (phpCAS 1.6 and later insert a service base URL argument before this boolean; check the version you install)
phpCAS::client(CAS_VERSION_2_0, 'login.ugent.be', 443, '', true);

// Server from which logout requests are sent
phpCAS::handleLogoutRequests(true, array('login.ugent.be'));

// Path to the "trusted certificate authorities" file:
phpCAS::setCasServerCACert('/etc/ssl/certs/ca-certificates.crt');

// No server verification (less safe!):
//phpCAS::setNoCasServerValidation();

// The actual user authentication
phpCAS::forceAuthentication();

// Handle logout requests
if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}
?>
<html>
<head>
<title>phpCAS simple client</title>
</head>
<body>
<h1>Successful Authentication!</h1>
<p>the user's login is <b><?php echo htmlspecialchars(phpCAS::getUser()); ?></b>.</p>
<p>the attributes are:
<?php
// Attribute values are escaped before output so they cannot inject markup
echo '<ul>';
$attr = phpCAS::getAttributes();
foreach ($attr as $key => $value) {
    if (!is_array($value)) {
        echo '<li>' . htmlspecialchars($key) . ' => ' . htmlspecialchars($value) . '</li>';
    } else {
        echo '<li>' . htmlspecialchars($key) . '</li>';
        echo '<ul>';
        foreach ($value as $v) {
            echo '<li>' . htmlspecialchars($v) . '</li>';
        }
        echo '</ul>';
    }
}
echo '</ul>';
?>
</p>
<p>phpCAS version is <b><?php echo phpCAS::getVersion(); ?></b>.</p>
<p><a href="?logout=">Logout</a></p>
</body>
</html>
This example is specifically designed for sites on UGent webshares, but can also be used in other places.
UGCAS_Simple is a CAS client module which returns the username of the person after a successful login.
No extra attributes nor logout are supported. UGCAS_Simple can be downloaded from UGCAS_Simple-0.3.zip and contains:
Use the Java Apereo CAS Client.
With the following settings:
casServerUrlPrefix: https://login.ugent.be
serverName: https://YourCasService.ugent.be:443
Spring security
CAS authentication can be integrated into a Spring-based application using Spring Security.
Spring Security offers out-of-the-box support for CAS 3. See http://static.springsource.org/spring-security/site/docs/3.0.x/reference/cas.html for the excellent Spring Security online documentation.
You can download an example from CasSpringsecurityExample.zip. Developers must reconfigure the UserDetailService bean for their environment.
Maven
The Java CAS client can easily be integrated into a Maven-based build system:
<dependency>
    <groupId>org.jasig.cas.client</groupId>
    <artifactId>cas-client-core</artifactId>
    <version>3.6.4</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas.client</groupId>
    <artifactId>cas-client-support-saml</artifactId>
    <!-- define java.cas.client.version in the <properties> section of your pom -->
    <version>${java.cas.client.version}</version>
</dependency>
SSL
Service tickets are validated over an SSL connection with the CAS server. It is therefore necessary that the CAS server certificate is installed into the JVM on which the Java application will run:
sudo $JAVA_HOME/bin/keytool -import -alias login.ugent.be -file CERTIFICATE_FILE -keystore $JAVA_HOME/jre/lib/security/cacerts
The path above is the Java 8 layout; on Java 9 and later the trust store is $JAVA_HOME/lib/security/cacerts. Repeat the import whenever the CAS server certificate is renewed, otherwise ticket validation will fail.
Use the Apereo .NET CAS Client.
With the following settings:
casServerLoginUrl: https://login.ugent.be/login
casServerUrlPrefix: https://login.ugent.be
serverName: https://YourCasService.ugent.be:443
ticketValidatorName: Cas20