CAS server (SSO): Difference between revisions
Helen Foster (talk | contribs) (location edit) |
No edit summary |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
Location: Settings link in '' | {{Authentication}} | ||
Location: Settings link in ''Settings > Site administration > Plugins > Authentication > Manage authentication'' | |||
== Overview == | == Overview == | ||
Line 14: | Line 15: | ||
* For any user that you wish to authenticate with CAS but which already has been using Moodle, and thus has an entry in the Moodle database, you will need to change the value of the "auth" field for the user in the mdl_user table. So, if they used LDAP before, but now you wish for them to use CAS and their username is "foobar" you'll need to edit the database with some SQL something like: <code>UPDATE mdl_user SET auth='cas' where auth='ldap' and username='foobar';</code> Without this change the user will constantly be presented with a failed login message, but otherwise no clue as to why login failed even though their credentials were accepted by the CAS server. | * For any user that you wish to authenticate with CAS but which already has been using Moodle, and thus has an entry in the Moodle database, you will need to change the value of the "auth" field for the user in the mdl_user table. So, if they used LDAP before, but now you wish for them to use CAS and their username is "foobar" you'll need to edit the database with some SQL something like: <code>UPDATE mdl_user SET auth='cas' where auth='ldap' and username='foobar';</code> Without this change the user will constantly be presented with a failed login message, but otherwise no clue as to why login failed even though their credentials were accepted by the CAS server. | ||
[[fr:Utiliser un serveur CAS (SSO)]] | [[fr:Utiliser un serveur CAS (SSO)]] | ||
[[de: | [[de:CAS-Server]] |
Latest revision as of 11:05, 15 March 2012
Location: Settings link in Settings > Site administration > Plugins > Authentication > Manage authentication
Overview
CAS is "Single Sign-on for the Web" and is developed by JA-SIG in an open-source, collaborative manner. CAS is very beneficial in environments where a number of different web applications share a set of common users. If all the web applications were "CASified" a user would log in once and would then be able to move between the various web applications without ever having to present authentication credentials again. CAS is similar to the Shibboleth authentication mechanism, but it is vastly simpler to set up and lacks a number of broader features like federated trust and authorization infrastructure.
The details for how CAS works are well documented, but CAS essentially works by configuring a web application (moodle.example.com) to not do authentication itself, but to instead forward unauthenticated users to a "CAS Server" (cas.example.com) which will then return an authentication token to the original web application (moodle.example.com). Moodle can extract the username from the token and then use its internal authorization mechanisms (roles, enrollments, capabilities) and user attributes (name, picture, etc.). The advantage is that the moodle.example.com service never has to handle passwords and that users, once they've authenticated the first time, can move seamlessly to another web application without having to present their credentials again.
Configuration
Assuming that you already have a working CAS server, configuration is fairly straightforward through the web interface.
One caveat for those converting from LDAP or other authentication mechanisms:
- For any user that you wish to authenticate with CAS but which already has been using Moodle, and thus has an entry in the Moodle database, you will need to change the value of the "auth" field for the user in the mdl_user table. So, if they used LDAP before, but now you wish for them to use CAS and their username is "foobar" you'll need to edit the database with some SQL something like:
UPDATE mdl_user SET auth='cas' where auth='ldap' and username='foobar';
Without this change the user will constantly be presented with a failed login message, but otherwise no clue as to why login failed even though their credentials were accepted by the CAS server.