forked from apereo/mod_auth_cas
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathREADME
412 lines (336 loc) · 17.6 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
========================================================================
MOD_AUTH_CAS 1.1 README
========================================================================
Apache CAS Authentication Module for the JASIG/Apereo CAS Server.
========================================================================
LICENSE
========================================================================
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
========================================================================
INTRODUCTION
========================================================================
The purpose of this module is to allow an Apache web server to interact
with an authentication server that conforms to the CAS version 1 or 2
protocol or SAML protocol as used by the JASIG/Apereo CAS Server.
At the time of this writing, the CAS protocol specification is here:
http://apereo.github.io/cas/development/protocol/CAS-Protocol-Specification.html
========================================================================
Getting Started
========================================================================
--------------------------------------------------------------------
Linux Distribution Packaging
--------------------------------------------------------------------
mod_auth_cas is available in most major Linux distributions, including
Debian, Ubuntu, Fedora, and is available from EPEL for CentOS and RHEL.
--------------------------------------------------------------------
Building from Source
--------------------------------------------------------------------
The following development libraries and utilities must be installed:
* OpenSSL - 0.9.8c or higher
* Apache Portable Runtime - 1.2.8 or higher
* Apache Portable Runtime Utilities - 1.2.7 or higher
* Apache Web Server - 2.2.3 or higher
* libcurl - 7.18.2 or higher
* libpcre - 7.8 or higher
Download the distribution via git or tarball. Because git does not
preserve timestamps, autoconf may determine it is necessary to bootstrap
the project. If building from source, please start with:
autoreconf -ivf
Build is performed with the standard Autoconf incantation:
./configure && make && sudo make install
Edit your Apache configuration to load the mod_auth_cas module:
LoadModule auth_cas_module /path/to/mod_auth_cas.so
Set a few required parameters in your Apache configuration:
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://login.example.org/cas/login
CASValidateURL https://login.example.org/cas/serviceValidate
Protect a "Location" or "Directory" block in your Apache
configuration:
<Location /secured>
Authtype CAS
Require valid-user
</Location>
If attribute-based authorization is also desired, specify cas-attribute
name:value in your Require rule (please note: both attribute name and value are
case-sensitive):
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://login.example.org/cas/login
CASValidateURL https://login.example.org/cas/samlValidate
CASValidateSAML On
<Location /secured>
Authtype CAS
Require cas-attribute edupersonaffiliation:staff
</Location>
Both the CAS 2.0 and SAML 1.1 protocols support including additional attributes
in the CAS validation response, which may also be added as HTTP headers (see
CASAttributePrefix and CASAttributeDelimiter). This example uses the SAML
protocol and requires that the 'edupersonaffiliation' attribute is set to
'staff'.
========================================================================
NEW FEATURES AND FUNCTIONS IN THIS RELEASE
========================================================================
* Apache 2.4 support
* Improved SAML support
* New expanded Project Team - welcome David Hawes! Many thanks to
David for driving this release.
* Many many bugs fixed since last official release in 2010.
https://github.com/Jasig/mod_auth_cas/issues?q=is%3Aissue+is%3Aclosed
========================================================================
KNOWN ISSUES
========================================================================
* Autoconf does not work well on code freshly checked out of git. Autoconf
artifacts must be rebuilt using `autoreconf -ivf` .
========================================================================
KNOWN LIMITATIONS
========================================================================
These limitations are known to exists in this release of the software:
* CAS Proxy Validation is not implemented in this version.
* CAS Ticket Validation can only be performed over an SSL connection.
The CAS protocol does not explicitly require this, but to not do so
leaves this system open to a man-in-the-middle attack.
* CAS single sign out is currently not functional and disabled. It
is only safe to use in the case where all requests are GET and not
POST (the module inadvertently 'eats' some content of the POST
request while determining if it should process it as a SAML logout
request).
* Reports of slow performance on some systems (particularly
virtual machines) have been reported. This is related to the
entropy that is gathered when creating a session cookie for
the end user. To combat this, there are 3 solutions. The
first is to upgrade the version of the Apache Portable Runtime
on your system to >= 1.3.0. In that version, entropy is gathered
from a nonblocking source. The second method would be to install
a package such as rng-tools and feed random data from /dev/urandom
to /dev/random("-r /dev/urandom"). The last way is to reduce
the size of the CASCookieEntropy setting, reducing the demand on
the pool.
* Win32 support has been dropped (but not removed) due to lack of
development resources, and seemingly minimal community usage.
You are welcome to try it, but YMMV for success.
========================================================================
Configuration
========================================================================
First, you must tell Apache to load the module. In your httpd.conf,
add:
LoadModule auth_cas_module /path/to/mod_auth_cas.so
Then, in the location(s) you want to protect, use the following
directive:
AuthType CAS
Be sure to set authorization parameters in the locations you
are protecting(e.g. 'require valid-user', 'require group foo')
The following are valid configuration options and their default:
Valid Server/VirtualHost Directives
-----------------------------------
Directive: CASVersion
Default: 2
Description: The version of the CAS protocol to adhere to (1 or 2).
This affects whether Gateway mode is available and how
the CAS validation response is parsed.
Directive: CASDebug
Default: Off
Description: Enable or disable debugging mode for troubleshooting. Please
note that LogLevel must be set to Debug for the VirtualHost in
order for these logs to be visible.
Directive: CASValidateDepth
Default: 9
Description: This directive will set the maximum depth for chained certificate
validation. The default (according to OpenSSL documentation) is 9.
Directive: CASCertificatePath
Default: /etc/ssl/certs/
Description: The path to the X509 certificate of the Certificate Authority for
the server in CASLoginURL and CASValidateURL. This may be either
a file, or a directory containing the certificate files linked to
by their hashed names.
Directive: CASLoginURL
Default: NULL
Description: The URL to redirect users to when they attempt to access a CAS
protected resource and do not have an existing session. The
'service', 'renew', and 'gateway' parameters will be appended to
this by mod_auth_cas if necessary. Include 'http[s]://...'
Directive: CASValidateURL
Default: NULL
Description: The URL to use when validating a ticket presented by a client in
the HTTP query string (ticket=...). Must include 'https://' and
must be an HTTPS URL.
Directive: CASProxyValidateURL
Default: NULL
Description: The URL to use when performing a proxy validation. This is currently
an unimplemented feature, so setting this will have no effect.
Directive: CASRootProxiedAs
Default: NULL
Description: This URL represents the URL that end users may see in the event that
access to this Apache server is proxied. This will override the
automatic generation of service URLs and construct them using this
prefix. As an example: If the site being protected is http://example.com/
and the Apache instance of this server is http://internal.example.com:8080,
setting CASRootProxiedAs to http://example.com would result in proper
service parameter generation.
Directive: CASCookiePath
Default: /dev/null
Description: When users first authenticate to mod_auth_cas with a valid service ticket,
a local session is established. Information about this session (the
username, time of creation, last activity time, the resource initially
requested, and whether or not the credentials were renewed) is stored
in this directory. This location should be writable by the web server ONLY.
Any user that can write to this location can falsify authentication information
by creating a fake data file.
NOTE : Some distributions purge the contents of /tmp/ on a reboot, including
user created directories. This will prevent mod_auth_cas from storing
cookie information until that directory is created. To avoid this, try
using a different location, such as /var/cache/apache2/mod_auth_cas/
Directive: CASCookieEntropy
Default: 32
Description: When creating a local session, this many random bytes are used to
create a unique session identifier. Using large values for this
field may result in delays when generating session IDs if not
enough entropy is available.
Directive: CASTimeout
Default: 7200 (2 hours)
Description: This is the hard limit, in seconds, for a mod_auth_cas session (whether
it is idle or not). When a session has reached this age and a new
request is made, the user is redirected to the CASLoginURL to
obtain a new service ticket. When this new ticket is validated,
they will be assigned a new mod_auth_cas session. Set this value to '0'
in order to allow a non-idle session to not expire.
Directive: CASIdleTimeout
Default: 3600 (1 hour)
Description: This is a limit, in seconds, of how long a mod_auth_cas session can be idle.
When a request comes in, if it has been inactive for CASIdleTimeout
seconds, the user is redirected to the CASLoginURL to obtain a new
service ticket.
Directive: CASCacheCleanInterval
Default: 1800 (30 minutes)
Description: This is the minimum amount of time that must pass inbetween cache
cleanings. When a new ticket is issued, or when an expired session
is presented, the time of the last cache clean is compared against
this value. If CASCacheCleanInterval seconds have passed since the
last cleaning, then all files in CASCookiePath are examined and if
they have expired, they are removed. This is merely to prevent the
file system from becoming excessively cluttered.
Directive: CASCookieDomain
Default: NULL
Description: Specify the value for the 'Domain=' parameter in the Set-Cookie header.
Directive: CASCookieHttpOnly
Default: On
Description: Set the optional 'HttpOnly' flag for cookies issues by mod_auth_cas.
Set the HttpOnly flag as described in in RFC 6265. This flag prevents the
mod_auth_cas cookies from being accessed by client side Javascript.
Directive: CASAuthoritative
Default: Off
Description: This directive determines whether an optional authorization directive
(see 'Require cas-attribute') is authoritative and thus binding or
if other authorization modules will also be applied.
'On' means authoritative, 'Off' means not authoritative.
NOTE: This directive is unavailable with Apache 2.4. See the RequireAny,
RequireNone, and RequireAll directives instead.
Directive: CASValidateSAML
Default: Off
Description: If enabled, the response from the CAS Server will be parsed for SAML
attributes which will be associated with the user. Requires setting
CASValidateURL appropriately; typical URLs are of the form
https://login.example.org/cas/samlValidate.
Valid Directory/.htaccess Directives
------------------------------------
Directive: CASScope
Default: Off
Description: Use this directive with an argument as a relative path (e.g. /application/) to specify
the scope for which a mod_auth_cas cookie is valid. This is beneficial to prevent
additional round trips to the CAS server. Assume someone authenticates to /application/subdir/
and then browses to /application/ - without CASScope set, each request would result in
a round trip to the CAS server and a new cookie being created (one for each directory).
CASScope would set one cookie, which will be presented on access to both directories.
Note that if someone accessed /application/ and then /application/subdir/ this would not
be an issue, but that order of access can not be guaranteed. To disable this feature,
the special argument 'Off' will return to per-directory cookie paths for this directory
and subdirectories.
Directive: CASRenew
Default: Off
Description: Use this directive with an argument as a relative path (e.g. /application/secure/
for http://www.example.com/application/secure/*) to force a user to renew their
credentials when accessing that directory. The argument MUST be a relative path.
To disable this requirement, the special argument 'Off' will disable this requirement
for this directory and subdirectories.
Directive: CASGateway
Default: Off
Description: Use this directive with an argument as a relative path (e.g. /application/insecure/
for http://www.example.com/application/insecure/*) to allow anonymous access to that directory.
The argument MUST be a relative path. To disable this feature, the special argument 'Off'
will reinstate the requirement for authentication.
Directive: CASCookie
Default: MOD_AUTH_CAS
Description: The name of the cookie used to store the session ID over HTTP connections.
It should be changed if it will interfere with the application protected
by mod_auth_cas.
Directive: CASSecureCookie
Default: MOD_AUTH_CAS_S
Description: The name of the cookie used to store the session ID over HTTPS connections.
It should be changed if it will interfere with the application protected
by mod_auth_cas.
Directive: CASGatewayCookie
Default: MOD_AUTH_CAS_G
Description: The name of the cookie used to store whether or not the user has attempted
to access this resource before. It should be changed if it will interfere
with the application protected by mod_auth_cas.
Directive: CASAuthNHeader
Default: None
Description: If enabled, this will store the user returned by CAS in the specified
HTTP header accessible to your web applications, and any additional
attributes received in headers named according to CASAttributePrefix.
This is in addition to the REMOTE_USER environment variable, which is
always set to the CAS user.
Directive: CASSSOEnabled
Default: Off
Description: If enabled, this activates support for Single Sign Out within the CAS
protocol. Please note that this feature is currently experimental and
may mangle POST data.
Directive: CASAttributePrefix
Default: CAS_
Description: The prefix to use when adding CAS or SAML attributes to the HTTP headers,
which will be named <CASAttributePrefix><attr_name>. CASAuthNHeader
must be set for this directive to be used.
NOTE: In Apache 2.4 and newer, headers containing "invalid" characters
(including underscores) are silently dropped, so you must set this to
a "valid" name containing only alphabetic characters and hyphens.
Directive: CASAttributeDelimiter
Default: ,
Description: mod_auth_cas will set the value of the attribute header (as described
in CASAttributePrefix) to <attrvalue><CASAttributeDelimiter><attrvalue>
in the case of multiple attribute values.
Directive: CASScrubRequestHeaders
Default: Off
Description: mod_auth_cas will strip request inbound request headers that may have
special meaning, such as those set with the CASAttributePrefix or the
CASAuthNHeader value.
Directive: Require cas-attribute <attribute>:<value>
Default: NULL
Description: Use this directive to authorize based on CAS or SAML attributes
returned via the session validation call. Multiple directives
are OR-ed. If directive is present with no attributes defined,
the request is declined. If value has spaces, wrap the pair in quotes.
See also CASAuthoritative.
Directive: Require cas-attribute <attribute>~<value>
Default: NULL
Description: Use this form of the directive to authorize based on CAS or SAML
attributes returned via the session validation call. Multiple
directives are OR-ed. If directive is present with no attributes
defined, the request is declined. The value is interpreted as a
Perl-Compatible Regular Expression (PCRE) using case-sensitive
matching. See also CASAuthoritative.
========================================================================
CONTACT INFORMATION AND WEBSITE
========================================================================
We welcome your feedback, suggestions and contributions. Contact us
via email if you have questions, feedback, code submissions,
and bug reports. To reach the development team, send an e-mail to:
cas-user [at] apereo [dot] org
Google Group link:
https://groups.google.com/a/apereo.org/forum/#!forum/cas-user
========================================================================