CAS Authentication

by Tom Merrick -
Number of replies: 6

I am trying to authenticate against a JaSIG CAS 3.4.6 Central Authentication system using WeBWorK 2.5.1.1 dev and the authen_CAS module.

I have configured it as:

casURL => 'https://login.tamucc.edu/cas',
loginPath => 'https://login.tamucc.edu/cas/login',
logoutPath => 'https://login.tamucc.edu/cas/logout',
serviceValidatePath => 'https://login.tamucc.edu:443',

For some reason I have to do the other paths or the server defaults to the webwork server, not the casURL.

When I run it and log into the CAS system I get: "admin uses an external authentication system. You've authenticated through that system, but aren't allowed to log in to this course." error message.

The debug log is attached for it and seems to indicate an error in authentication. Also there is never any mention of the username being returned from the CAS server.

In reply to Tom Merrick

Re: CAS Authentication

by Tom Merrick -
I figured it out. The authen_CAS.conf.dist file is bad. The example for the casUrl is given as casURL. Other than this typo it works great.

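The key-name mismatch reported in the post above, as an added example that is not part of the thread or of WeBWorK's own code: Perl hash keys are case-sensitive, so a lookup of casUrl never finds a value stored under casURL. The list of expected key names is an assumption taken from this thread only, and lint_keys is a hypothetical helper.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Key names the consumer looks up. ASSUMPTION: taken from this thread only
# (casUrl is the spelling the post above reports as working).
my @EXPECTED = qw(casUrl loginPath logoutPath serviceValidatePath);

# Hypothetical helper: returns a list of findings for a settings hash.
sub lint_keys {
    my ($settings, $expected) = @_;
    my %exact = map { ($_ => 1) } @$expected;
    my %by_lc = map { (lc($_) => $_) } @$expected;
    my @findings;

    for my $key (sort keys %$settings) {
        next if $exact{$key};
        if (my $want = $by_lc{ lc($key) }) {
            # Same letters, different case: a lookup of $want will miss it.
            push @findings, "'$key' differs only in case from '$want'";
        } else {
            push @findings, "'$key' is not an expected key";
        }
    }

    # Report expected keys that are absent under their exact spelling.
    for my $want (@$expected) {
        push @findings, "'$want' is not set"
            unless exists $settings->{$want};
    }
    return @findings;
}

# Sample input: the settings as posted at the top of this thread.
my %posted = (
    casURL              => 'https://login.tamucc.edu/cas',
    loginPath           => 'https://login.tamucc.edu/cas/login',
    logoutPath          => 'https://login.tamucc.edu/cas/logout',
    serviceValidatePath => 'https://login.tamucc.edu:443',
);

print "$_\n" for lint_keys(\%posted, \@EXPECTED);
```
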
In reply to Tom Merrick

Re: CAS Authentication

by Jason Aubrey -
Thanks for the update, Tom. I'll fix that in GitHub. Also, Paul Vojta recently updated CAS.pm in the webwork2-dev repo. (The typo was my fault - Paul's new version makes sure WWfeedback messages work properly.)

Jason

In reply to Tom Merrick

Re: CAS Authentication

by Jack Dockery -
We are trying to use CAS for our students to log in to their courses, but the IT guys here and I can't figure out how to have the admin and teachers log in directly to webwork. Is this possible? As it is now, admin can't get to any course at all since each link redirects to the CAS login. Any help would be great!

In reply to Jack Dockery

Re: CAS Authentication

by Paul Vojta -
I surmise that only students have CAS accounts, and that admins and teachers do not. At Berkeley everyone affiliated with the university has CAS accounts, and CAS is used for everything (e.g., email). That is the situation in which authen_CAS has been developed. The other possibility basically never occurred to me -- sorry!
When you log in via CAS, you're communicating directly with the CAS server, and (IIRC) it doesn't send you back to webwork if you fail.
It may be possible to add a line "return 1 if $r->param('skipCAS');" to the beginning of get_credentials() in CAS.pm and then have admins and teachers access the course via a URL http[s]://webwork.example.edu/webwork2/coursename?skipCAS=1 but I don't know whether this will work, and won't have time to check it for at least a week.
But would it be better to have a more general such facility in Authen.pm?

In reply to Paul Vojta

Re: CAS Authentication

by Michael Gage -
Thanks, Paul. I think there are some facilities for this in Authen.pm already, since one can use LTI to enroll students from Canvas or from Moodle and still let instructors log in directly to the webwork interface.

Now that we have three or four parallel authentication mechanisms, we should revisit the "fail over" code that allows them to work together and put something uniform in place that works with our current collection of use cases.

A long-term fix can certainly wait a week or two, so there is no immediate rush.