Before you begin, you will need access to a working CAS server.
- (Recommended) Install the Libraries API. Then download phpCAS and extract so that
sites/all/libraries/CAS/CAS.phpexists. For example:
$ cd sites/all/libraries $ curl http://downloads.jasig.org/cas-clients/php/current.tgz | tar -xz $ mv CAS-* CAS
- If Libraries API is not installed, you may extract phpCAS anywhere and configure the location in the CAS module settings (which you can navigate to by following the "Configuring CAS" instructions below).
Navigate to the CAS module configuration page at
- Admin >> User management >> CAS Settings (Path is /admin/user/cas) (D6)
- Admin >> Configuration >> People >> CAS settings (Path is /admin/config/people/cas) (D7)
If phpCAS has been successfully installed, the version number of phpCAS will be displayed. Otherwise information is provided to help you install and configure phpCAS.
Enter in the CAS server location. For example, if the CAS server is at
- Hostname or IP Address:
For extra security, you may also provide the PEM Certificate of the Certificate Authority which issued the certificate of the CAS server.
These settings control how users may log into CAS using the user login form, either as displayed in a block or at
user/login. Many installations will choose "Add link to login forms" or "Make CAS login default on login forms."
Additionally, the phrases used on the login forms may be customized for your particular brand.
Each CAS user must have a Drupal account before they can log in. By default, the administrator must create the account and then assign the CAS username to the account.
Selecting "Automatically create Drupal accounts" allows the administrator to skip pre-creating Drupal accounts and instead have Drupal accounts automatically be created when a CAS user first logs in.
By default, the Drupal account will be created with a bare minimum of information:
- Name: CAS username
- E-mail: empty
- Roles: authenticated user
- Password: A random string which is not displayed to the user
The e-mail address field may be populated if the e-mail addresses follow a predictable pattern based upon the CAS username — for example
Additional roles may also be assigned to all CAS users. These roles will be reassigned every time a CAS user logs in. Deselecting an option will not take away that role from any existing user.
The "Users cannot change email address" and "Users cannot change password" options control the user edit form when a user has logged in with CAS.
The "Check with the CAS server to see if the user is already logged in?" option implements the Gateway feature of the CAS protocol. When a user visit the site, they will be redirected to the CAS Server with the parameter
gateway=true. If the user is already authenticated with the CAS server, they will be automatically logged in. If not, they will be silently redirected back to the Drupal site without being prompted for their password. This check is performed only once for users with cookies enabled. Beware: there might be some negative interactions with this feature and various caching configurations.
The "Require CAS login for" options prompt for CAS authentication for anonymous users when visiting the specified pages. Users already authenticated with Drupal, even if they did not log in with CAS, will not be redirected to the CAS login server.
For example, when configuring CAS with OpenScholar, one could add
site/register to the list of pages to require CAS login for.
You may configure a special page for users to be redirected to the first time they log in to the CAS site. For example, you may wish to write an introductory page which all users should be required to see once. Or as above you may wish for users to be redirected to
site/register in an OpenScholar installation.
A logout destination may be provided if you want your users to be directed to a certain page when they log out of CAS. This is not the CAS server's URL, but rather a page on your site you would like the users to be directed to by the CAS server.
Users are redirected to the "Change password URL," if provided, when they visit
user/password ("Request a new password").
Users are redirected to the "Registration URL," if provided, when they visit
user/register ("Create a new account").
The CAS project provides two different URLs for the purposes of logging a user in or out.
/cas will redirect the user to the CAS server. If a login exists, the CAS server will send the user back to the Drupal site with a ticket and log the user in. If no login exists, the user is able to login on the CAS server. If the login is accepted, the user will be directed back to the Drupal site and logged in.
/caslogout will log the user out of Drupal and the CAS server.
Miscellaneous & Experimental Settings
If you are having trouble authenticating with the CAS server or are experiencing errant redirection behavior, you may specify a debugging file which logs the interaction between phpCAS and the CAS server. This should be used for development only, and not on a production server.
Can I integrate CAS or LDAP attributes with the CAS module?
Yes, please see the CAS Attributes module.
Can I limit the list of allowed CAS users?
Yes, see restricting allowed users.
Can I restrict access to some content to only users logged in via CAS?
Yes. Create a user role "CAS User" and configure CAS to automatically assign that role to users who log in with CAS. Then get a content access control module to restrict access to that content only to users with the "Cas User" role. [Caveat: if your users can log in via either drupal username/password or CAS, this does not ensure that they were authenticated with CAS.]