First line of https://drupal.org/node/1084302 reads "Before you begin, you will need access to a working CAS server". I don't.

I'm replacing sso with CAS on a D6 multisite and all my dev work is on ubuntu on localhost. Having googled, I've got as far as a working Tomcat 7.0.53 installation under localhost that shows the Tomcat admin page under https://localhost:8443 and I have the cas.war installed (3.5.2.1) and visible under the Manager App.

I have created a domain login.blah.com and created an SSL certificate for that.

What I can't work out is how to get this all working under login.blah.com, so I can configure the Drupal CAS module for authentication. I assume there's some virtual host configuration required.

There's lots of info out there, but each page suggests something different, is for different versions of Tomcat/CAS, is dismissed within contributed comments or is just plain confusing.

If anybody has any pointers or a link to a walkthrough, I'd be very happy.

Comments

dunx:

Or am I making this all too complicated with Tomcat and java? Is the way to go to simply create a new and separate Drupal installation and just enable the provided cas_server module?

It just seems a bit odd to have a CMS doing nothing but the job of CAS, which is why I started looking at a more standard CAS server configuration.

bkosborne:

First line of https://drupal.org/node/1084302 reads "Before you begin, you will need access to a working CAS server". I don't.

This is misleading, and I will work on updating that documentation. When you enable the CAS Server module, the Drupal site becomes your CAS server; you don't need an additional one. You mention it seems silly to use a Drupal install just to become a CAS server. Maybe, but some users may want the added functionality and user management that Drupal can bring along.

If you're looking for a solution that doesn't require you to install Java/Tomcat or a Drupal site just for the server, you can try looking at RubyCAS, which may be easier to set up. There's a detailed installation guide.

metzlerd:

Generally the way I use it is to think about the "primary drupal site" and make that the cas server one, and then use the cas client to attach other drupal sites to the same authentication mechanism. The primary reason to do a tomcat cas server is to integrate with other authentication sources such as radius, ldap or active directory. I'm not familiar with the RubyCAS implementation, so I don't know whether it provides an account source rather than using another.

The primary question here though is how you want to provision accounts and do you have an existing account source (ldap, active directory, kerberos) that you want to leverage or are you looking just to connect two existing drupal sites together using CAS. If it's the latter, pick one to be the server (always HTTPS and perhaps where you want private content to be stored) and another to be the client.

Anyway, understanding why you want to use cas is probably the best way for us to give better help.

dunx:

Thanks for the replies.

I'm just trying to get a group of my own domains sharing sign on. No external authentication... so I think I tried to over-complicate things by even looking at Tomcat!

So, I have the following domains as part of a D6 multisite installation:
www.site.com
www.site1.com
www.site2.com
www.site3.com
https://shop.site.com

The "site" domain is really just a list of links to the other sites. It doesn't have any of its own content. It's the master site under the multisite configuration, so can have different modules enabled than the other domains. Users don't (need to) log in here.

All "siteN" domains are using domain_access to have their own window on shared content. They all have a shop catalogue, but all checkout is handled through "shop.site.com", which is my main driver for needing single sign on as users need to stay logged in between www.siteN.com and shop.site.com.

So three options:

  1. Can I enable cas server on https://shop.site.com? Having sso work for the domain under which the cas server is enabled doesn't seem to be possible according to the documentation.
  2. Could I enable the cas server on https://www.site.com instead? Users don't need to log in to that site and it has no real content.
  3. Do I need to create a distinct D6 https://login.site.com domain, which is not part of my multisite configuration, to work solely as the cas server and nothing else?

metzlerd:

There is no technical need to create a separate site to only have logins. The only requirement for a cas server is that it is accessible over https. It sounds like in your environment your two choices are https://shop.site.com or https://www.site.com. Either will technically work, but if you have users that have existing accounts at either place already, I'd choose where the accounts are, because otherwise you'll need to have them reset their passwords. The "request accounts" link should point to whichever site has the cas server.

The basic idea is to put the cas server on the site that makes the most sense to house the login/password/profile information and then set up cas clients on other sites that point to the cas server site. Not sure if that helps... but feel free to ask pointed questions.

dunx:

All my sites share the same users table on my "base" database, so there is a single store of user credentials used across all sites.

Enabling cas_server on www.site.com and creating an SSL certificate for that makes sense as that is the only one of the multisites that can have different modules enabled for it. But is that single store of user credentials across *all* domains an issue for how cas works?

metzlerd:

It is a problem insomuch as you will need somehow to get the cas username associated with those accounts in all the sites that are not cas servers. That table cannot exist on the cas server site but only on the cas client sites. The cas clients need this in order to map the right "remote login" to the right drupal uid. Cas is designed so that you can share login credentials even across different sites.

The problem here is that the cas username stored in the cas_user table needs to be shared. It might be possible to configure this to be shared across all sites except the www.site.com, but we don't really have a way to automatically create the mapping for new users that arrive on www.site.com on all of the other sites. This may require some custom code to achieve.

dunx:

I have pre-populated the cas_user table using the SQL posted on Drupal somewhere, so all current users are included. I'm not averse to a spot of custom coding if needed further down the line.

https://www.site.com/cas/login works fine and when I log in via that page manually I see "You have successfully logged into CAS".

The users and cas_server_tickets tables are in the "base" database.
The cas_user and cas_login_data are in the "content" database.

Both databases are shared, but presumably clients will never try to access cas_server_tickets as the cas_server module is not enabled on those domains and the server will never try to access cas_user and cas_login_data as the cas module is not enabled on that domain.

The cas admin page says I have phpCAS version 1.3.2 installed successfully. The clients all share the cas module and that's configured with Version="2.0 or higher" (assume that's referring to the version of the cas_server module and I'm using 6.x-3.3), Hostname="www.site.com", Port="443" (same as my virtual host), URI="/cas" and PEM is empty.

When I log in to www.site1.com, that works. But when I visit www.site2.com I'm not logged in. There are no rows in either base.cas_server_tickets or content.cas_login_data.

Where do I go now? Any obvious errors above and if not, where do I start debugging?

I also have logintoboggan installed.

[Off to Austria for a few days, so will pick this up on my return.]
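The post above refers to pre-populating cas_user from the shared users table without showing the statement. The following is an added example, not the SQL from Drupal.org nor code from the cas module: it uses an in-memory sqlite3 database as a stand-in for the "base" and "content" MySQL databases, and assumes the 6.x-3.x cas_user columns are aid, uid and cas_name (the UNIQUE constraint on cas_name is a deliberate choice here, because one CAS identity resolving to two local accounts would be an account-takeover bug). The statement is written so it can be rerun safely after new accounts appear on the server site.

```python
"""Pre-populating a CAS client site's cas_user mapping from the shared users
table. Added example using sqlite3 in place of the MySQL databases in the
thread; the cas_user schema below is an assumption about the D6 cas module."""
import sqlite3

# Constructed sample of the shared "base" users table (uid, name, status).
# uid 0 is Drupal's anonymous row and must never receive a CAS mapping.
SAMPLE_USERS = [
    (0, "", 0),
    (1, "admin", 1),
    (2, "alice", 1),
    (3, "bob", 1),
    (4, "blocked", 0),
]


def create_schema(conn):
    """Minimal users table plus an assumed cas_user table (aid, uid, cas_name)."""
    conn.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, status INTEGER);
        CREATE TABLE cas_user (
            aid INTEGER PRIMARY KEY AUTOINCREMENT,
            uid INTEGER NOT NULL,
            cas_name TEXT NOT NULL UNIQUE  -- one CAS identity -> one local account
        );
    """)


def populate_cas_user(conn):
    """Map cas_name = users.name for every real account that has no mapping yet.
    Idempotent: rerunning it only adds rows for users created since the last run,
    which is the gap metzlerd describes for accounts created on the server site.
    Returns the number of rows inserted."""
    cur = conn.execute("""
        INSERT INTO cas_user (uid, cas_name)
        SELECT u.uid, u.name
        FROM users u
        LEFT JOIN cas_user c ON c.uid = u.uid
        WHERE u.uid > 0 AND c.uid IS NULL
    """)
    return cur.rowcount


def uid_for_cas_name(conn, cas_name):
    """What the client does after a successful ticket validation: resolve the
    CAS username to a local uid, or None if no mapping exists."""
    row = conn.execute(
        "SELECT uid FROM cas_user WHERE cas_name = ?", (cas_name,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the population twice, add a user, run it again; return the counts
    and two lookups so the behaviour can be checked."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    first = populate_cas_user(conn)    # admin, alice, bob, blocked
    second = populate_cas_user(conn)   # nothing new
    conn.execute("INSERT INTO users VALUES (5, 'carol', 1)")
    third = populate_cas_user(conn)    # only carol
    return first, second, third, uid_for_cas_name(conn, "alice"), uid_for_cas_name(conn, "nobody")


if __name__ == "__main__":
    print(demo())
```

Note that a blocked account (status 0) still gets a mapping here; Drupal's own login path refuses blocked users regardless, but if the client's CAS login bypasses that check in your version, add `AND u.status = 1` to the WHERE clause.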

metzlerd:

First, I do not think you should be sharing cas_login_data as logging into one site should NOT log you into the other. You should make sure that on site2 you have the check for existing login option set in cas. Also, turn on debugging on site2 by configuring a log file for additional debugging info.
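To show why logging in at site1 cannot by itself log the browser in at site2, and what the "check for existing login" option does instead, here is an added model of the CAS 2.0 flow. It is not code from the cas or cas_server modules or from phpCAS: the server's ticket store stands in for cas_server_tickets, each client's own dicts stand in for its cas_user and cas_login_data tables, and the "check for existing login" option is modelled as the CAS `gateway=true` login parameter, which is an assumption about how the module implements it. Every value (accounts, service URLs, uids) is constructed for the example.

```python
"""Model of CAS 2.0 single sign-on between one cas_server site and two client
sites. Added example, not the Drupal modules' code. The TGC is the server's
SSO cookie, an ST is a service ticket issued for exactly one service URL."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CasServer:
    """The site with cas_server enabled (https://www.site.com in the thread)."""
    accounts: dict                                  # username -> password (constructed)
    tgts: dict = field(default_factory=dict)        # TGC cookie value -> username
    tickets: dict = field(default_factory=dict)     # ST -> (username, service), cf. cas_server_tickets

    def login(self, tgc, service, username=None, password=None):
        """/cas/login: returns (tgc, st). A browser holding a valid TGC is not
        asked for credentials; that is the only thing that makes site2 'free'."""
        if tgc not in self.tgts:
            if username is None or self.accounts.get(username) != password:
                return None, None
            tgc = secrets.token_urlsafe(16)
            self.tgts[tgc] = username
        st = "ST-" + secrets.token_urlsafe(16)
        self.tickets[st] = (self.tgts[tgc], service)
        return tgc, st

    def gateway(self, tgc, service):
        """/cas/login?gateway=true, the 'check for existing login' probe: issue a
        ticket only if the browser already has a valid TGC, never prompt."""
        if tgc not in self.tgts:
            return None
        return self.login(tgc, service)[1]

    def service_validate(self, st, service):
        """/cas/serviceValidate: a ticket is single use and bound to its service.
        Returns the CAS username or None."""
        entry = self.tickets.pop(st, None)
        if entry is None or entry[1] != service:
            return None
        return entry[0]


@dataclass
class CasClient:
    """A site with the cas client module enabled. Its tables are its own."""
    service: str
    cas_user: dict                                      # cas_name -> uid (this site's cas_user)
    login_data: dict = field(default_factory=dict)      # ST -> uid (this site's cas_login_data)
    session_uid: Optional[int] = None                   # this site's Drupal session

    def consume_ticket(self, server, st):
        """Back from the server with ?ticket=ST: validate over HTTPS, then map
        the CAS username to a local uid. No mapping means no login."""
        name = server.service_validate(st, self.service)
        if name is None or name not in self.cas_user:
            return None
        self.session_uid = self.cas_user[name]
        self.login_data[st] = self.session_uid
        return self.session_uid


def demo():
    server = CasServer(accounts={"alice": "correct-horse"})
    site1 = CasClient("https://www.site1.com/cas", {"alice": 7})
    site2 = CasClient("https://www.site2.com/cas", {"alice": 7})

    # Login at site1: redirect to /cas/login, credentials, ticket, validation.
    tgc, st1 = server.login(None, site1.service, "alice", "correct-horse")
    uid1 = site1.consume_ticket(server, st1)

    # Arriving at site2 without any round trip to the server: not logged in,
    # whatever site1 has written to its own tables.
    not_yet = site2.session_uid

    # With the existing-login check, site2 sends the browser to the server, the
    # TGC cookie is presented, a fresh ST for site2 comes back and validates.
    st2 = server.gateway(tgc, site2.service)
    uid2 = site2.consume_ticket(server, st2)

    # Replaying site1's (already consumed) ticket at site2 fails.
    replay = site2.consume_ticket(server, st1)

    # A fresh ticket issued for site1 is rejected when presented by site2.
    _, st3 = server.login(tgc, site1.service)
    cross = site2.consume_ticket(server, st3)

    # A browser with no TGC gets nothing back from the gateway probe.
    anonymous = server.gateway("no-such-cookie", site2.service)

    return {"uid1": uid1, "not_yet": not_yet, "uid2": uid2,
            "replay": replay, "cross": cross, "anonymous": anonymous}


if __name__ == "__main__":
    print(demo())
```

The model makes the diagnostic in the thread concrete: an empty cas_server_tickets after visiting site2 means site2 never sent the browser back to the server, so the first thing to check is the existing-login option and the client's debug log for that redirect.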

dunx:

Status: Active » Closed (works as designed)

I'll close this as I think I've worked through a (partial) solution and always good to tidy up after yourself.