idpcas.html 9.59 KB
Clément OUDOT committed
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:2.0:idpcas</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,idpcas"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="idpcas.html"/>
<link rel="contents" href="idpcas.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:idpcas","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#enabling_cas">Enabling CAS</a></div></li>
<li class="level2"><div class="li"><a href="#configuring_the_cas_service">Configuring the CAS Service</a></div></li>
<li class="level2"><div class="li"><a href="#configuring_cas_applications">Configuring CAS Applications</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#options">Options</a></div></li>
<li class="level3"><div class="li"><a href="#exported_attributes">Exported Attributes</a></div></li>
</ul></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->

<p>
CAS server
</p>
<div class="level1">

</div>

<h2 class="sectionedit1" id="presentation">Presentation</h2>
<div class="level2">

<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can be used as a <abbr title="Central Authentication Service">CAS</abbr> server, which allows federating <abbr title="LemonLDAP::NG">LL::NG</abbr> with:
</p>
<ul>
<li class="level1"><div class="li"> Another <abbr title="LemonLDAP::NG">LL::NG</abbr> instance using <a href="authcas.html" class="wikilink1" title="documentation:2.1:authcas">CAS authentication</a></div>
</li>
<li class="level1"><div class="li"> Any <abbr title="Central Authentication Service">CAS</abbr> consumer</div>
</li>
</ul>

<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> is compatible with the <a href="https://jasig.github.io/cas/development/protocol/CAS-Protocol-Specification.html" class="urlextern" title="https://jasig.github.io/cas/development/protocol/CAS-Protocol-Specification.html"  rel="nofollow">CAS protocol</a> versions 1.0, 2.0 and part of 3.0 (attributes exchange).
</p>

</div>
<!-- EDIT1 SECTION "Presentation" [19-389] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">

</div>
<!-- EDIT2 SECTION "Configuration" [390-416] -->
<h3 class="sectionedit3" id="enabling_cas">Enabling CAS</h3>
<div class="level3">

<p>
In the Manager, go to <code>General Parameters</code> » <code>Issuer modules</code> » <code><abbr title="Central Authentication Service">CAS</abbr></code> and configure:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Activation</strong>: set to <code>On</code>.</div>
</li>
<li class="level1"><div class="li"> <strong>Path</strong>: it is recommended to keep the default value (<code>^/cas/</code>).</div>
</li>
</ul>

</div>
<!-- EDIT3 SECTION "Enabling CAS" [417-640] -->
<h3 class="sectionedit4" id="configuring_the_cas_service">Configuring the CAS Service</h3>
<div class="level3">

<p>
Then go to <code><abbr title="Central Authentication Service">CAS</abbr> Service</code> to define:
</p>
<ul>
<li class="level1"><div class="li"> <strong><abbr title="Central Authentication Service">CAS</abbr> login</strong>: the session key transmitted to the <abbr title="Central Authentication Service">CAS</abbr> client as the main identifier (the <abbr title="Central Authentication Service">CAS</abbr> Principal).</div>
</li>
<li class="level1"><div class="li"> <strong><abbr title="Central Authentication Service">CAS</abbr> attributes</strong>: list of attributes transmitted by default in the validate response. Keys are the attribute names in the <abbr title="Central Authentication Service">CAS</abbr> response, values are the session key names.</div>
</li>
<li class="level1"><div class="li"> <strong>Access control policy</strong>: define whether access control is enforced on the <abbr title="Central Authentication Service">CAS</abbr> service. Three options:</div>
<ul>
<li class="level2"><div class="li"> <strong>none</strong>: no access control. The <abbr title="Central Authentication Service">CAS</abbr> service will accept non-declared <abbr title="Central Authentication Service">CAS</abbr> applications and ignore access control rules. This is the default.</div>
</li>
<li class="level2"><div class="li"> <strong>error</strong>: if the user has no access, an error is shown on the portal and the user is not redirected to the <abbr title="Central Authentication Service">CAS</abbr> service.</div>
</li>
<li class="level2"><div class="li"> <strong>faketicket</strong>: if the user has no access, a fake ticket is built and the user is redirected to the <abbr title="Central Authentication Service">CAS</abbr> service. The <abbr title="Central Authentication Service">CAS</abbr> service then has to display a proper error when service ticket validation fails.</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong><abbr title="Central Authentication Service">CAS</abbr> session module name and options</strong>: choose a specific module if you do not want to mix <abbr title="Central Authentication Service">CAS</abbr> sessions with normal sessions (see <a href="samlservice.html#saml_sessions_module_name_and_options" class="wikilink1" title="documentation:2.1:samlservice">why</a>).</div>
</li>
</ul>
<div class="notetip">If <code><abbr title="Central Authentication Service">CAS</abbr> login</code> is not set, the <code>General Parameters</code> » <code>Logs</code> » <code>REMOTE_USER</code> value is used, which is set to <code>uid</code> by default.
</div>
</div>
<!-- EDIT4 SECTION "Configuring the CAS Service" [641-1923] -->
<h3 class="sectionedit5" id="configuring_cas_applications">Configuring CAS Applications</h3>
<div class="level3">

<p>
If an access control policy other than <code>none</code> is specified, applications that want to authenticate users through the <abbr title="Central Authentication Service">CAS</abbr> protocol must be declared before LemonLDAP::NG will issue service tickets for them.
</p>

<p>
Go to <code><abbr title="Central Authentication Service">CAS</abbr> Applications</code> and then <code>Add <abbr title="Central Authentication Service">CAS</abbr> Application</code>. Give a technical name (no spaces, no special characters), like “app-example”.
</p>

<p>
You can then access the configuration of this application. 
</p>

</div>

<h4 id="options">Options</h4>
<div class="level4">
<ul>
<li class="level1"><div class="li"> <strong>Service <abbr title="Uniform Resource Locator">URL</abbr></strong>: the service (user-facing) <abbr title="Uniform Resource Locator">URL</abbr> of the <abbr title="Central Authentication Service">CAS</abbr>-enabled application.</div>
</li>
<li class="level1"><div class="li"> <strong>Rule</strong>: the access control rule to enforce on this application. If left blank, access is allowed for everyone.</div>
</li>
</ul>
<div class="noteimportant">If the access control policy is set to <code>none</code>, this rule is ignored.
</div>
</div>

<h4 id="exported_attributes">Exported Attributes</h4>
<div class="level4">

<p>
You may add a list of attributes that will be transmitted in the validate response. Keys are the attribute names in the <abbr title="Central Authentication Service">CAS</abbr> response, values are the session key names.
</p>

<p>
The attributes defined here will completely replace any attributes you may have declared in the global <code><abbr title="Central Authentication Service">CAS</abbr> Service</code> configuration. In order to re-use the global configuration, simply set this section to an empty list.
</p>
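<p>
The following added example is not LemonLDAP::NG code; it is a constructed model of two behaviours described on this page: the three <code>Access control policy</code> outcomes (<code>none</code>, <code>error</code>, <code>faketicket</code>) and the rule that per-application exported attributes replace the global <code><abbr title="Central Authentication Service">CAS</abbr> Service</code> list (an empty list falls back to it). It builds the <abbr title="Central Authentication Service">CAS</abbr> 2.0/3.0 <code>serviceValidate</code> response an issuer sends and shows the client-side parsing that must handle the <code>authenticationFailure</code> a fake ticket produces. All function names, the sample session and the attribute mappings are assumptions made for illustration.
</p>

```python
# Added example: a constructed model of the CAS issuer behaviour documented on
# this page. It is NOT LemonLDAP::NG code; function names, the sample session
# and the attribute mappings are assumptions made for illustration.
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
ET.register_namespace("cas", CAS_NS)


def cas_tag(name):
    """Qualified tag name in the CAS XML namespace."""
    return "{%s}%s" % (CAS_NS, name)


# Constructed sample LL::NG session: session key -> value
SESSION = {"uid": "jdoe", "mail": "jdoe@example.com", "cn": "John Doe"}

# Constructed global "CAS Service" attribute list:
# key = attribute name in the CAS response, value = session key
GLOBAL_CAS_ATTRIBUTES = {"mail": "mail", "displayName": "cn"}


def select_attributes(global_attrs, app_attrs):
    """Per-application exported attributes completely replace the global list;
    an empty per-application list means "re-use the global configuration"."""
    return dict(app_attrs) if app_attrs else dict(global_attrs)


def decide_access(policy, app_declared, rule_ok):
    """What the issuer does when a service asks for a ticket.
    Returns 'ticket' (issue a real service ticket), 'error' (show an error on
    the portal, no redirect) or 'faketicket' (redirect with a ticket that will
    fail validation)."""
    if policy == "none":
        # No access control: undeclared applications and rules are ignored.
        return "ticket"
    if policy not in ("error", "faketicket"):
        raise ValueError("unknown access control policy: %r" % policy)
    if app_declared and rule_ok:
        return "ticket"
    return policy


def build_validate_response(session, attributes, cas_login="uid", success=True):
    """Build the CAS 2.0/3.0 serviceValidate body. cas_login is the session key
    used as CAS Principal (the page says REMOTE_USER, 'uid' by default)."""
    root = ET.Element(cas_tag("serviceResponse"))
    if not success:
        # What a fake ticket leads to: the client must surface this cleanly.
        fail = ET.SubElement(root, cas_tag("authenticationFailure"), code="INVALID_TICKET")
        fail.text = "Ticket not recognized"
        return ET.tostring(root, encoding="unicode")
    ok = ET.SubElement(root, cas_tag("authenticationSuccess"))
    ET.SubElement(ok, cas_tag("user")).text = session[cas_login]
    if attributes:
        attrs = ET.SubElement(ok, cas_tag("attributes"))
        for cas_name, session_key in attributes.items():
            if session_key in session:  # skip attributes missing from the session
                ET.SubElement(attrs, cas_tag(cas_name)).text = session[session_key]
    return ET.tostring(root, encoding="unicode")


def parse_validate_response(xml_text):
    """Client side: return {'ok': True, 'user': ..., 'attributes': {...}} on
    success, or {'ok': False, 'error': ...} when validation failed."""
    root = ET.fromstring(xml_text)
    fail = root.find(cas_tag("authenticationFailure"))
    if fail is not None:
        return {"ok": False, "error": "%s: %s" % (fail.get("code"), fail.text)}
    ok = root.find(cas_tag("authenticationSuccess"))
    attrs = {}
    attr_el = ok.find(cas_tag("attributes"))
    if attr_el is not None:
        for child in attr_el:
            attrs[child.tag.split("}", 1)[1]] = child.text
    return {"ok": True, "user": ok.findtext(cas_tag("user")), "attributes": attrs}


if __name__ == "__main__":
    app_attrs = {"email": "mail"}  # per-application list overrides the global one
    body = build_validate_response(SESSION, select_attributes(GLOBAL_CAS_ATTRIBUTES, app_attrs))
    print(body)
    print(parse_validate_response(body))
    print(decide_access("faketicket", app_declared=False, rule_ok=True))
```

<p>
The point for the consuming application is the last branch of <code>parse_validate_response</code>: with the <code>faketicket</code> policy the user does reach the application with a ticket, so the application, not the portal, is the place where the <code>authenticationFailure</code> has to be turned into a clear access-denied message rather than a generic error.
</p>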

</div>
<!-- EDIT5 SECTION "Configuring CAS Applications" [1924-] --></div>
</body>
</html>