December 15, 2011

Drupal Integration with CAS for SSO

Drupal Integration with CAS for SSO

Step 1:

Requirements
============
PHP 5 with the following modules:
curl, openssl, dom, zlib, and xml

Download phpCAS from https://wiki.jasig.org/display/CASC/phpCAS
phpCAS version 1.0.0 or later.

There are several locations you can install the phpCAS library.

1. Module directory installation. This means installing the library folder
under the moduels directory, so that the file
sites//modules/cas/CAS/CAS.php exists.

2. System wide installation. See the phpCAS installation guide, currently at
https://wiki.jasig.org/display/CASC/phpCAS+installation+guide

3. Libraries API installation. Install and enable the Libraries API module,
available at http://drupal.org/project/libraries. Then extract phpCAS so
that sites//libraries/CAS/CAS.php exists. For example:
$ cd sites/all/libraries
$ curl http://downloads.jasig.org/cas-clients/php/current.tgz | tar xz
$ mv CAS-* CAS

Step 2:

Download respective CAS Module from the link: http://drupal.org/project/cas

Place the cas folder in your Drupal modules directory.

Step 3:

Configuring CAS

Navigate to the CAS module configuration page at
Admin >> Users >> CAS Settings (D6)
Admin >> Configuration >> People >> CAS settings (D7)
Library (phpCAS)

If phpCAS has been successfully installed, the version number of phpCAS will be displayed. Otherwise information is provided to help you install and configure phpCAS.
CAS Server

Enter in the CAS server location. For example, if the CAS server is at https://www.example.com/cas, enter
Hostname or IP Address: www.example.com
Port: 443
URI: /cas

For extra security, you may also provide the PEM Certificate of the Certificate Authority which issued the certificate of the CAS server.
Login Form

These settings control how users may log into CAS using the user login form, either as displayed in a block or at user/login. Many installations will choose "Add link to login forms" or "Make CAS login default on login forms."

Additionally, the phrases used on the login forms may be customized for your particular brand.
User Accounts

Each CAS user must have a Drupal account before they can log in. By default, the administrator must create the account and then assign the CAS username to the account.

Selecting "Automatically create Drupal accounts" allows the administrator to skip pre-creating Drupal accounts and instead have Drupal accounts automatically be created when a CAS user first logs in.

By default, the Drupal account will be created with a bare minimum of information:
Name: CAS username
E-mail: empty
Roles: authenticated user
Password: A random string which is not displayed to the user

The e-mail address field may be populated if the e-mail addresses follow a predictable pattern based upon the CAS username — for example username@example.com.

Additional roles may also be assigned to all CAS users. These roles will be reassigned every time a CAS user logs in. Deselecting an option will not take away that role from any existing user.

The "Users cannot change email address" and "Users cannot change password" options control the user edit form when a user has logged in with CAS.
Redirection

The "Check with the CAS server to see if the user is already logged in?" option implements the Gateway feature of the CAS protocol. When a user visit the site, they will be redirected to the CAS Server with the parameter gateway=true. If the user is already authenticated with the CAS server, they will be automatically logged in. If not, they will be silently redirected back to the Drupal site without being prompted for their password. This check is performed only once for users with cookies enabled. Beware: there might be some negative interactions with this feature and various caching configurations.

The "Require CAS login for" options prompt for CAS authentication for anonymous users when visiting the specified pages. Users already authenticated with Drupal, even if they did not log in with CAS, will not be redirected to the CAS login server.

For example, when configuring CAS with OpenScholar, one could add site/register to the list of pages to require CAS login for.
Login/Logout Destinations

You may configure a special page for users to be redirected to the first time they log in to the CAS site. For example, you may wish to write an introductory page which all users should be required to see once. Or as above you may wish for users to be redirected to site/register in an OpenScholar installation.

A logout destination may be provided if you want your users to be directed to a certain page when they log out of CAS. This is not the CAS server's URL, but rather a page on your site you would like the users to be directed to by the CAS server.

Users are redirected to the "Change password URL," if provided, when they visit user/password ("Request a new password").

Users are redirected to the "Registration URL," if provided, when they visit user/register ("Create a new account").



Note:

In Drupal 6.16 or Version below 6.22. CAS will not work properly. You will get an error in server error log as follows:

PHP Fatal error: Call to undefined function user_login_destination() in ../modules/cas/cas.module

To fix this error:

Add a customized form module in ../sites/all/modules/
For eg: ../sites/all/modules/sample_forms.module

Now paste the below lines in sample_forms.module
#######################################################
function user_login_destination() {
$destination = drupal_get_destination();
return $destination == 'destination=user%2Flogin' ? 'destination=user' : $destination;
}
#######################################################

No comments:

Post a Comment