worteks
/
lemonldap-ng
mirror of https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
LemonLDAP::NG Web SSO
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11155 Commits
107 Branches
123 Tags
109 MiB
 
 
 
 
 
Tag: Branch: Tree: dccb633531
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'dccb633531'
${ noResults }
lemonldap-ng/doc/sources/admin/authcas.rst

88 lines
2.4 KiB
Raw Blame History

CAS
===
============== ===== ========
Authentication Users Password
============== ===== ========
============== ===== ========
Presentation
------------
LL::NG can delegate authentication to a CAS server. This requires `Perl
CAS module <http://sourcesup.cru.fr/projects/perlcas/>`__.
.. tip::
LL::NG can also act as :doc:`CAS server<idpcas>`, that allows
one to interconnect two LL::NG systems.
LL::NG can also request proxy tickets for its protected services. Proxy
tickets will be collected at authentication phase and stored in user
session under the form:
``_casPT<serviceID>`` = **Proxy ticket value**
They can then be forwarded to applications trough
:ref:`HTTP headers<headers>`.
.. tip::
CAS authentication will automatically add a
:doc:`logout forward rule<logoutforward>` on CAS server logout URL in
order to close CAS session on LL::NG logout.
Configuration
-------------
In Manager, go in ``General Parameters`` > ``Authentication modules``
and choose CAS for authentication.
.. tip::
You can then choose any other module for users and
password.
.. attention::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
does). Administrators may have to modify formAction value with wildcard
likes \*.
In Manager, go in :
``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
``Content Security Policy`` > ``Form destination``
Then, go in ``CAS parameters``:
- **Authentication level**: authentication level for this module.
Then create the list of CAS servers in the manager. For each, set:
- **Server URL** *(required)*: CAS server URL (must use https://)
- **Renew authentication** *(default: disabled)*: force authentication
renewal on CAS server
- **Gateways authentication** *(default: disabled)*: force transparent
authentication on CAS server
- **Display Name**: Name to display. Required if you have more than 1
CAS server declared
- **Icon**: Path to CAS Server icon. Used only if you have more than 1
CAS server declared
- **Order**: Number to sort CAS Servers display
- **Proxied services**: list of services for which a proxy ticket is
requested:
- **Key**: Service ID
- **Value** Service URL (CAS service identifier)
.. tip::
If no proxied services defined, CAS authentication will not
activate the CAS proxy mode with this CAS server.