LL::NG can be used as a CAS server. It can allow one to federate LL::NG with:
LL::NG is compatible with CAS protocol versions 1.0, 2.0 and part of 3.0 (attribute exchange).
In the Manager, go to General Parameters » Issuer modules » CAS and configure: set Activation to On, keep the Path as ^/cas/, and set the Use rule to 1 to always allow.
Tip
For example, to allow only users with a strong authentication level:
$authenticationLevel > 2
Then go to CAS Service to define the CAS service parameters.
Tip
If CAS login is not set, the General Parameters » Logs » REMOTE_USER data is used, which is set to uid by default.
If an access control policy other than none is specified, applications that want to authenticate users through the CAS protocol have to be declared before LemonLDAP::NG will issue service tickets for them.
Go to CAS Applications and then Add CAS Application. Give a technical name (no spaces, no special characters), like “app-example”. You can then access the configuration of this application.
You may add a list of attributes that will be transmitted in the validate response. Each key is the name of the attribute in the CAS response; each value is the name of the session key it is read from.
The attributes defined here completely replace any attributes you may have declared in the global CAS Service configuration. To re-use the global configuration, simply set this section to an empty list.
Attention
If the access control policy is set to none, this rule will be ignored.
You can define macros here that are evaluated only for this service and not stored in the user's session.
Changed in version 2.0.10.
Before version 2.0.10, only the hostname was taken into account, which made it impossible to have two different CAS services behind the same hostname.
Since version 2.0.10, the entire service URL is compared to the Service URL defined in LemonLDAP::NG. The longest prefix wins.
For example, if you declared two applications in LemonLDAP::NG with the following service URLs:
- An application located at https://cas.example.com/applications/zone1/myapp will match the first CAS service definition.
- An application located at https://cas.example.com/undeclared/ will also be accepted in order to preserve the previous behavior of matching on hostnames only.
Changed in version 2.0.12: The Strict URL matching option now lets you decide whether LemonLDAP::NG should fall back to legacy host-based matching when it cannot find a declared service matching an incoming service URL. In the previous example, https://cas.example.com/undeclared/ no longer matches if strict URL matching is enabled.
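The service-matching rules described above, written out in Python as an added illustration (this is not LemonLDAP::NG's own code): the longest declared Service URL prefix wins, and hostname-only matching is used as a fallback only when strict URL matching is off. The declared application list is constructed; only the zone1 URL comes from the page, and which application wins in the hostname fallback is an assumption.

```python
from urllib.parse import urlsplit

# Constructed declarations: only the zone1 URL appears on the page; the second
# entry is assumed so that "longest prefix wins" has something to compare.
DECLARED_SERVICES = {
    "app-zone1": "https://cas.example.com/applications/zone1/",
    "app-all": "https://cas.example.com/applications/",
}


def match_cas_service(service_url, declared=DECLARED_SERVICES, strict=False):
    """Return the name of the declared CAS application that would receive a
    service ticket for service_url, or None if the service is refused.

    Since 2.0.10 the whole service URL is compared against each declared
    Service URL and the longest matching prefix wins. When strict is False
    (legacy behaviour) an undeclared path on a known hostname is still
    accepted; when strict is True (Strict URL matching enabled) it is not.
    """
    best_name, best_len = None, -1
    for name, prefix in declared.items():
        if service_url.startswith(prefix) and len(prefix) > best_len:
            best_name, best_len = name, len(prefix)
    if best_name is not None or strict:
        return best_name

    # Legacy fallback: hostname-only matching (pre-2.0.10 behaviour). Which
    # application is chosen when several share the host is an assumption
    # here: the first declared one wins.
    host = urlsplit(service_url).hostname
    for name, prefix in declared.items():
        if urlsplit(prefix).hostname == host:
            return name
    return None
```

Enabling strict matching is the safer setting when you want service tickets issued only to explicitly declared applications rather than to any path on a known host.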