CAS settings | Executive Education

CAS server

Enter the details of your CAS server.

CAS Protocol version

1.0

2.0

3.0 or higher

The CAS protocol version your CAS server supports. If unsure, ask your CAS server administrator.

HTTP Protocol

HTTP (non-secure)

HTTPS (secure)

HTTP protocol type of the CAS server. WARNING: Do not use HTTP on production environments!

Hostname

Hostname or IP Address of the CAS server.

Port

443 is the standard SSL port. 8443 is the standard non-root port for Tomcat.

Path

If the CAS server paths (like /login) are not at the root of the host, specify the base path (e.g., /cas).

SSL Verification

Verify using your web server's default certificate authority (CA) chain.

Do not verify. (Note: this should NEVER be used in production.)

Verify using a specific CA certificate. Use the field below to provide path (recommended).

Choose an appropriate option for verifying the SSL/TLS certificate of your CAS server.

Custom Certificate Authority PEM Certificate

The PEM certificate of the Certificate Authority that issued the certificate on the CAS server, used only with the custom certificate option above.

General Settings

Place a link to log in via CAS on the standard /user/login form

User Account Handling

Restrict password management (recommended)

Prevents CAS users from changing their Drupal password by removing the password fields on the user profile form and disabling the "forgot password" functionality. Admins will still be able to change Drupal passwords for CAS users.

Restrict email management (recommended)

Prevents CAS users from changing their email by disabling the email field on the user profile form. Admins will still be able to change email addresses for CAS users. Note that Drupal requires a user enter their current password before changing their email, which your users may not know. Enable the restricted password management feature above to remove this password requirement.

Automatically register users

Enable to automatically create local Drupal accounts for first-time CAS logins. If disabled, users must be pre-registered before being allowed to log in.

Follow site's account registration policy

With auto-register on, will follow the user account registration policy. For instance, if the account settings "Visitors, but administrator approval is required" is selected under "Who can register accounts?", the auto-created account will wait for administrator approval.

If your CAS server supports attributes, you can install the CAS Attributes module to map them to user fields and roles during login and auto-registration.

Email address assignment

Use the CAS username combined with a custom domain name you specify.

Use a CAS attribute that contains the user's complete email address.

Drupal requires every user to have an email address. Select how you'd like to assign an email to automatically registered users.

Email hostname username@

The email domain name used to combine with the username to form the user's email address.

Email attribute

The CAS attribute name (case sensitive) that contains the user's email address. If unsure, check with your CAS server administrator to see a list of attributes that are returned during login.

Automatically assign roles on user registration

To provide role mappings based on CAS attributes, install and configure the optional CAS Attributes module.

Roles

The selected roles will be automatically assigned to each CAS user on login. Use this to automatically give CAS users additional privileges or to identify CAS users to other modules.

Error Handling

If CAS login fails for any reason (e.g. validation failure or some other module prevents login), redirect the user to this page. If empty, users will be redirected to the homepage or to the original page they were on when initiating a login sequence. If your site is configured to automatically log users in via CAS when accessing a restricted page, you should set this to a page that does not require authentication to view. Otherwise you will create a redirect loop for users that that experience login failures as CAS continuously attempts to log them in as it returns them to the restricted page.

Error messages

Replacement tokens can be used to customize the messages.

Ticket validation failure

During the CAS authentication process, the CAS server provides Drupal with a "ticket" which is then exchanged for user details (e.g. username and other attributes). This message will be displayed if there is a problem during this process.

Local account does not exist

Displayed when a new user attempts to login via CAS and automatic registration is disabled.

Denied registration

Displayed when some other module (like CAS Attributes) denies automatic registration of a new user.

Local account is blocked

Displayed when the Drupal user account belonging to the user logging in via CAS is blocked.

Local account username already exists

Displayed when automatic registraton of new user fails because an existing Drupal user is using the same username.

Restrict password management error message

Displayed when restrict password management is on and a CAS user tries to reset their Drupal password.

Browse available tokens.

Gateway Feature (Auto Login)

Gateway login enabled

This implements the Gateway feature of the CAS Protocol. When enabled, Drupal will check if a visitor has an active CAS session, and if so, will be automatically log them into Drupal. This is done by quickly redirecting them to the CAS server to perform the active session check, and then redirecting them back to page they initially requested.

If enabled, all pages on your site will trigger this feature by default unless you specify specific pages below.

WARNING: This feature may disable page caching on pages it is active on. See "Method" below.

Recheck time

After initially checking if the visitor has an active CAS session, this is the amount of time to wait before checking again. Every check redirects the user to the CAS server and then back to the page they were on.

Pages

Specify pages by using their paths. Enter one path per line. The '*' character is a wildcard. An example path is /user/* for every user page. <front> is the front page.

Negate the condition

Method

Server-side redirect. Faster, but disables page caching on configured paths.

Client-side redirect (using JavaScript). Slower, but works with all page caching. Not compatible with "Every page request" option above.

Configure how the redirect to the CAS server is performed.

Forced login

Log out behavior

Drupal logout triggers CAS logout

When enabled, users that log out of your Drupal site will then be logged out of your CAS server as well. This is done by redirecting the user to the CAS logout page.

Log out destination

Drupal path or URL. Enter a destination if you want the CAS Server to redirect the user after logging out of CAS.

Enable single log out?

If enabled (and your CAS server supports it), users will be logged out of your Drupal site when they log out of your CAS server. WARNING: THIS WILL BYPASS A SECURITY HARDENING FEATURE ADDED IN DRUPAL 8, causing session IDs to be stored unhashed in the database.

Max lifetime of session mapping data days

This module stores a mapping of Drupal session IDs to CAS server session IDs to support single logout. Normally this data is cleared automatically when a user is logged out, but not always. To make sure this storage doesn't grow out of control, session mapping data older than the specified amout of days is cleared during cron. This should be a length of time slightly longer than the session lifetime of your Drupal site or CAS server.

Proxy

These options relate to the proxy feature of the CAS protocol, including configuring this client as a proxy and configuring this client to accept proxied connections from other clients.

Initialize this client as a proxy?

Initializing this client as a proxy allows it to access CAS-protected resources from other clients that have been configured to accept it as a proxy.

Allow this client to be proxied?

Allow other CAS clients to access this site's resources via the CAS proxy protocol. You will need to configure a list of allowed proxies below.

Allowed proxy chains

A list of proxy chains to allow proxy connections from. Each line is a chain, and each chain is a whitespace delimited list of URLs for an allowed proxy in the chain, listed from most recent (left) to first (right). Each URL in the chain can be either a plain URL or a URL-matching regular expression (delimited only by slashes). Only if the proxy list returned by the CAS Server exactly matches a chain in this list will a proxy connection be allowed.

Advanced

Log debug information?

This is not meant for production sites! Enable this to log debug information about the interactions with the CAS Server to the Drupal log.

Connection timeout seconds

This module makes HTTP requests to your CAS server and, if configured as a proxy, to a proxied service. This value determines the maximum amount of time to wait on those requests before canceling them.