CAS server (SSO) authentication

Jump to: navigation, search

The Central Authentication Service (CAS) is a single sign-on protocol for the web.

CAS is very beneficial in environments where a number of different web applications share a set of common users. If all the web applications were "CASified" a user would log in once and would then be able to move between the various web applications without ever having to present authentication credentials again. CAS is similar to the Shibboleth authentication mechanism, but it is vastly simpler to set up and lacks a number of broader features like federated trust and authorization infrastructure.

CAS essentially works by configuring a Moodle site to not do authentication itself, but to instead forward unauthenticated users to a CAS server which will then return an authentication token to the Moodle site. Moodle can extract the username from the token and then use its internal authorization mechanisms (roles, enrollments, capabilities) and user attributes (name, picture, etc.). The advantage is that the Moodle site never has to handle passwords and that users, once they've authenticated the first time, can move seamlessly to another web application without having to present their credentials again.

Enabling CAS server authentication

An administrator can enable CAS server authentication as follows:

  1. Go to Site administration > Plugins > Authentication > Manage authentication and click the eye icon opposite CAS server (SSO). When enabled, it will no longer be greyed out.
  2. Click the settings link, configure as required, then click the 'Save changes' button.

One caveat for those converting from LDAP or other authentication mechanisms:

For any user that you wish to authenticate with CAS but which already has been using Moodle, and thus has an entry in the Moodle database, you will need to change the value of the "auth" field for the user in the mdl_user table. So, if they used LDAP before, but now you wish for them to use CAS and their username is "foobar" you'll need to edit the database with some SQL something like:
UPDATE mdl_user SET auth='cas' where auth='ldap' and username='foobar';
Without this change the user will constantly be presented with a failed login message, but otherwise no clue as to why login failed even though their credentials were accepted by the CAS server.

Enabling CAS accounts syncronisation

The CAS users sync job (\auth_cas\task\sync_task) scheduled task (new in Moodle 3.0; previously there was a CLI script) is responsible for creating and updating user information, and suspending and deleting CAS accounts.

After enabling CAS server authentication, an administrator need to enable and configure the CAS users sync job as follows:

  1. Go to Site administration > Server > Scheduled tasks and click the gear icon opposite CAS users sync job.
  2. Select the desired frequency of running and enable the task by un-ticking the disabled checkbox.
warning.png Warning: It is important to make sure that all CAS settings are working properly before enabling the CAS users sync job (as well as backing up your database and moodledata folders), since incorrect CAS configuration can result in users being wrongly deleted!

Any questions?

Please post in the Authentication forum on