CAS server (SSO) authentication

From MoodleDocs
Revision as of 17:59, 26 October 2010 by Helen Foster (talk | contribs) (location edit)

Location: Settings link in Administration > Plugins > Authentication > Manage authentication in 2.0 onwards or Administration > Users > Authentication > Manage authentication in 1.9

Overview

CAS is "Single Sign-on for the Web" and is developed by JA-SIG in an open-source, collaborative manner. CAS is very beneficial in environments where a number of different web applications share a set of common users. If all the web applications were "CASified" a user would log in once and would then be able to move between the various web applications without ever having to present authentication credentials again. CAS is similar to the Shibboleth authentication mechanism, but it is vastly simpler to set up and lacks a number of broader features like federated trust and authorization infrastructure.

The details for how CAS works are well documented, but CAS essentially works by configuring a web application (moodle.example.com) to not do authentication itself, but to instead forward unauthenticated users to a "CAS Server" (cas.example.com) which will then return an authentication token to the original web application (moodle.example.com). Moodle can extract the username from the token and then use its internal authorization mechanisms (roles, enrollments, capabilities) and user attributes (name, picture, etc.). The advantage is that the moodle.example.com service never has to handle passwords and that users, once they've authenticated the first time, can move seamlessly to another web application without having to present their credentials again.

Configuration

Assuming that you already have a working CAS server, configuration is fairly straightforward through the web interface.

One caveat for those converting from LDAP or other authentication mechanisms:

  • For any user that you wish to authenticate with CAS but which already has been using Moodle, and thus has an entry in the Moodle database, you will need to change the value of the "auth" field for the user in the mdl_user table. So, if they used LDAP before, but now you wish for them to use CAS and their username is "foobar" you'll need to edit the database with some SQL something like: UPDATE mdl_user SET auth='cas' where auth='ldap' and username='foobar'; Without this change the user will constantly be presented with a failed login message, but otherwise no clue as to why login failed even though their credentials were accepted by the CAS server.