University of Saskatchewan

Using CAS

There are several ways that campus web developers can use CAS.

The Apache CAS Authentication module is available on www, homepage and several other servers. To use CAS authentication on these servers, put the following lines in a .htaccess file on your website:

    AuthType CAS
    AuthName "Network Services"
    require valid-user

To use mod_auth_cas on your own server, you'll need to compile and install it yourself. The mod_auth_cas source code is available from http://www.ja-sig.org/wiki/display/CASC/mod_auth_cas and works with Apache 2.x. You will need to copy the CAS_Cert_Chain.pem file to your server, create a directory for mod_auth_cas's cookie cache that is writable by the web server, and edit your Apache configuration file. Here is an example:

  LoadModule auth_cas_module modules/mod_auth_cas.so
  CASLoginURL https://cas.usask.ca/cas/login
  CASValidateURL https://cas.usask.ca/cas/serviceValidate
  CASValidateServer On
  CASAllowWildcardCert On
  CASCertificatePath /etc/certs/CAS_Cert_Chain.pem
  CASCookiePath /var/run/mod_auth_cas/
  CASTimeout 3600
  CASIdleTimeout 1800
  <Location /secure>
    AuthType CAS
    AuthName "Network Services"
    require user abc123
  </Location>

Apache mod_auth_cas works well for static web sites and applications that rely on the web server to handle authentication. We've made some local changes to mod_auth_cas that are not in the official version yet. Please contact us to get a copy.

Applications that do their own authentication need to be modified to work with CAS. ITS has some experience using PerlCAS and phpCAS, and the latter has been installed on www.usask.ca and on homepage. Here is a simple example of a script using phpCAS and here is the script.

Many other CAS clients are available as well; see http://www.ja-sig.org/products/cas/client/ for details. You will have to choose the one that is most suited to your application.
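For applications that handle their own authentication, the sketch below shows the exchange a CAS client performs: redirect to the login URL, then validate the returned ticket against serviceValidate and accept the user only on an explicit success. It is an added example, not ITS code or part of phpCAS; the service URL, the function names and the sample responses are assumptions constructed for illustration, and only the two cas.usask.ca endpoints come from the configuration above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_LOGIN = "https://cas.usask.ca/cas/login"               # from the config above
CAS_VALIDATE = "https://cas.usask.ca/cas/serviceValidate"  # from the config above
SERVICE = "https://app.example.org/secure"                 # assumed application URL
NS = {"cas": "http://www.yale.edu/tp/cas"}                 # CAS 2.0 XML namespace


def login_redirect(service=SERVICE):
    """URL for an unauthenticated browser; CAS sends it back with ?ticket=..."""
    return CAS_LOGIN + "?" + urlencode({"service": service})


def validate_url(ticket, service=SERVICE):
    """Back-channel URL the application fetches over certificate-verified HTTPS.
    The service value must match the one used at login."""
    return CAS_VALIDATE + "?" + urlencode({"service": service, "ticket": ticket})


def parse_validation(xml_text):
    """Return the authenticated username, or raise ValueError.
    Anything other than an explicit authenticationSuccess is a failure."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError("unparseable CAS response") from exc
    user = root.find("cas:authenticationSuccess/cas:user", NS)
    if user is not None and user.text and user.text.strip():
        return user.text.strip()
    failure = root.find("cas:authenticationFailure", NS)
    code = failure.get("code", "UNKNOWN") if failure is not None else "NO_RESULT"
    raise ValueError("CAS validation failed: " + code)


# Constructed sample responses in CAS 2.0 format (not captured from cas.usask.ca).
SAMPLE_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>abc123</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAIL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_redirect())
    print(validate_url("ST-constructed-ticket"))
    print(parse_validation(SAMPLE_OK))
```

The application should create its own session only after parse_validation returns a username, and should treat every ValueError as an unauthenticated request.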

CAS Logout

Generally speaking, each CAS application keeps track of sessions separately, which raises a question: when users log out of your application, should you also log them out of CAS? If you do log them out of CAS, do you leave them on the CAS logout screen or send them to another page?

With CAS, you can do either, by adding either a 'url=' or 'service=' parameter to the CAS logout call. For example:

  https://cas.usask.ca/cas/logout?url=http://www.usask.ca
  https://cas.usask.ca/cas/logout?service=http://www.usask.ca

If you use 'url=' the link is displayed on the CAS logout page. If you use 'service=' the user is redirected instead.

Earl