
Update the CAS client

We've made the CAS server-side changes (though not deployed them yet), but we also need to change the CAS client side: both the Apache config and the PHP pages.

Update mod_auth_cas settings

Edit the dev-cas-client.conf.j2 file in roles/cas-client/templates/.

  1. Create a second directory configuration for our return-all service, and a third for our return-mapped service.
  2. Within each of them, set CASAuthNHeader to On.
  3. Change the CASValidateUrl to end in samlValidate instead of serviceValidate.
  4. Set CASValidateSAML to On as well. This tells mod_auth_cas to use SAML 1.1 to retrieve user attributes and pass them to the application as HTTP request headers.

When done it will look like this:

roles/cas-client/templates/dev-cas-client.conf.j2

LoadModule auth_cas_module modules/mod_auth_cas.so

# this is our basic config from earlier
<Directory "/var/www/html/secured-by-cas">
    <IfModule mod_auth_cas.c>
        AuthType CAS
        CASAuthNHeader  On
    </IfModule>

    Require valid-user
</Directory>

# Return all attribute directory
<Directory "/var/www/html/return-all">
    <IfModule mod_auth_cas.c>
        AuthType        CAS
        CASAuthNHeader  On
    </IfModule>

    Require valid-user
</Directory>

# Return mapped attributes directory
<Directory "/var/www/html/return-mapped">
    <IfModule mod_auth_cas.c>
        AuthType        CAS
        CASAuthNHeader  On
    </IfModule>

    Require valid-user
</Directory>

<IfModule mod_auth_cas.c>
    CASLoginUrl             https://{{ CAS_DEV_URL }}/cas/login
    CASValidateUrl          https://{{ CAS_DEV_URL }}/cas/samlValidate
    CASCookiePath           /var/cache/httpd/mod_auth_cas/
    CASSSOEnabled           On
    CASValidateSAML         On
    CASAttributePrefix      CAS-
    CASDebug                Off
    CASCertificatePath      /etc/pki/tls/certs/np-ca.crt
</IfModule>
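An added consistency check (not part of the original page or of mod_auth_cas) that catches the mistakes the steps above warn about before httpd is restarted: a serviceValidate URL left in place with CASValidateSAML On, a Directory block without CASAuthNHeader, and a misspelled directive. The known-directive list is an assumption limited to the directives used on this page, and the sample config is constructed.

```python
import re

# Assumption: only the directives used on this page, spelled as mod_auth_cas
# expects them (a misspelled directive makes httpd refuse to start).
KNOWN = {"CASLoginUrl", "CASValidateUrl", "CASCookiePath", "CASSSOEnabled", "CASValidateSAML",
         "CASAttributePrefix", "CASDebug", "CASCertificatePath", "CASAuthNHeader"}

def check_cas_config(text):
    """Return a list of findings for an httpd mod_auth_cas snippet ([] = clean)."""
    findings, globals_, per_dir, directory = [], {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not line:
            continue
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line)
        if m:                                      # entering a <Directory> block
            directory = m.group(1)
            per_dir[directory] = {}
            continue
        if line.lower() == "</directory>":
            directory = None
            continue
        if line.startswith("<") or not line.startswith("CAS"):
            continue                               # IfModule, AuthType, Require, ...
        parts = line.split(None, 1)
        name, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if name not in KNOWN:
            findings.append(f"unknown directive {name} (misspelled?)")
        (per_dir[directory] if directory else globals_)[name] = value
    saml = globals_.get("CASValidateSAML", "Off").lower() == "on"
    url = globals_.get("CASValidateUrl", "")
    if saml and not url.endswith("/samlValidate"):
        findings.append("CASValidateSAML On needs CASValidateUrl ending in /samlValidate")
    if not saml and url.endswith("/samlValidate"):
        findings.append("samlValidate URL needs CASValidateSAML On")
    for path, opts in per_dir.items():             # attributes only flow with the header on
        if opts.get("CASAuthNHeader", "").lower() != "on":
            findings.append(f"{path}: CASAuthNHeader is not On, no attribute headers")
    return findings

# Constructed sample containing all three mistakes.
BAD_CONFIG = """
<Directory "/var/www/html/return-all">
    Require valid-user
</Directory>
<IfModule mod_auth_cas.c>
    CASValidateUrl        https://cas.example.test/cas/serviceValidate
    CASValidateSAML       On
    CASAttributePreffix   CAS-
</IfModule>"""
```

Run `check_cas_config(open("dev-cas-client.conf").read())` against the rendered template; an empty list means the three checks passed.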

Update the PHP page templates

Edit the existing main-index file:

roles/cas-client/templates/main-index.php:

<!DOCTYPE html>
<html lang="en">
  <head>
    <title>CAS client test page</title>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
  </head>
  <body>
    <div class="container">
      <h1>CAS client test page</h1>
        <p><big>Click <a href="secured-by-cas/index.php">here</a> for our basic test.</big></p>
        <p><big>Click <a href="return-all/index.php">here</a> for our 'return all attributes' test.</big></p>
        <p><big>Click <a href="return-mapped/index.php">here</a> for our 'return mapped attributes' test.</big></p>
    </div>
  </body>
</html>

Create a new 'return-all-index.php' index file

This can be identical to the previously created basic-cas-check-index.php file; you only need to update the page title and/or text. roles/cas-client/templates/return-all-index.php:

<!DOCTYPE html>
<html lang="en">
  <head>
    <title>CAS Return All Attributes test page</title>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
  </head>
  <body>
    <div class="container">
      <h1>Return All Attributes</h1>
      <p><big>Return All Attributes.</big></p>
      <h2>Attributes Returned by CAS</h2>
      <?php
        echo "<pre>";

        // mod_auth_cas populates REMOTE_USER once the ticket has been validated.
        if (array_key_exists('REMOTE_USER', $_SERVER)) {
            echo "REMOTE_USER = " . htmlspecialchars($_SERVER['REMOTE_USER']) . "<br>";
        }

        // With CASAuthNHeader On and CASValidateSAML On, each SAML attribute
        // arrives as a request header named <CASAttributePrefix><attribute>.
        // Header names are case-insensitive and the SAPI may report the prefix
        // as "CAS-" or "Cas-", so match it without regard to case.
        $headers = getallheaders();
        foreach ($headers as $key => $value) {
            if (strncasecmp($key, 'CAS-', 4) === 0) {
                // Attribute values come from the CAS server; escape before echoing.
                echo htmlspecialchars(substr($key, 4)) . " = " . htmlspecialchars($value) . "<br>";
            }
        }

        echo "</pre>";
      ?>
    </div>
  </body>
</html>

Create a new 'return-mapped-index.php' index file

Just like the last one, this is the same page except for the title/text. roles/cas-client/templates/return-mapped-index.php:

<!DOCTYPE html>
<html lang="en">
  <head>
    <title>CAS Return Mapped Attributes test page</title>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
  </head>
  <body>
    <div class="container">
      <h1>Return Mapped Attributes</h1>
      <p><big>Return Mapped Attributes.</big></p>
      <h2>Attributes Returned by CAS</h2>
      <?php
        echo "<pre>";

        // mod_auth_cas populates REMOTE_USER once the ticket has been validated.
        if (array_key_exists('REMOTE_USER', $_SERVER)) {
            echo "REMOTE_USER = " . htmlspecialchars($_SERVER['REMOTE_USER']) . "<br>";
        }

        // Only the attributes mapped for this service are released, but they
        // arrive the same way: as <CASAttributePrefix><attribute> request headers.
        // Match the prefix case-insensitively, as the SAPI may report "CAS-" or "Cas-".
        $headers = getallheaders();
        foreach ($headers as $key => $value) {
            if (strncasecmp($key, 'CAS-', 4) === 0) {
                // Attribute values come from the CAS server; escape before echoing.
                echo htmlspecialchars(substr($key, 4)) . " = " . htmlspecialchars($value) . "<br>";
            }
        }

        echo "</pre>";
      ?>
    </div>
  </body>
</html>

Update the CAS client Ansible role

Edit the setup-test-pages.yml file in roles/cas-client/tasks to ensure the directories are created and the new files are copied over. The tasks for the return-all and return-mapped directories and their index pages are the new additions.

roles/cas-client/tasks/setup-test-pages.yml:

---

- name: Setup CAS test index page
  ansible.builtin.template:
    src: main-index.php
    dest: /var/www/html/index.php
    mode: 0755
    owner: root
    group: root
  when: ("login6dev" in inventory_hostname)

- name: Ensure secured-by-cas directory exists
  ansible.builtin.file:
    path: /var/www/html/secured-by-cas
    state: directory
    owner: root
    group: root
    mode: 0755
  when: ("login6dev" in inventory_hostname)

- name: Setup basic 'secured-by-cas' test index page
  ansible.builtin.template:
    src: basic-cas-check-index.php
    dest: /var/www/html/secured-by-cas/index.php
    mode: 0755
    owner: root
    group: root
  when: ("login6dev" in inventory_hostname)

- name: Ensure return-all directory exists
  ansible.builtin.file:
    path: /var/www/html/return-all
    state: directory
    owner: root
    group: root
    mode: 0755
  when: ("login6dev" in inventory_hostname)

- name: Setup return-all index page
  ansible.builtin.template:
    src: return-all-index.php
    dest: /var/www/html/return-all/index.php
    mode: 0755
    owner: root
    group: root
  when: ("login6dev" in inventory_hostname)

- name: Ensure return-mapped directory exists
  ansible.builtin.file:
    path: /var/www/html/return-mapped
    state: directory
    owner: root
    group: root
    mode: 0755
  when: ("login6dev" in inventory_hostname)

- name: Setup return-mapped index page
  ansible.builtin.template:
    src: return-mapped-index.php
    dest: /var/www/html/return-mapped/index.php
    mode: 0755
    owner: root
    group: root
  when: ("login6dev" in inventory_hostname)

Rerun the playbook

[chauvetp@ansible templates]$ ansible-playbook ~/ansible/site.yml --ask-vault-pass --limit <your_CAS_server>
Vault password: 

Test

Caution

Make sure that when you go to each individual test page you see the correct service name on the CAS login page. If you still see "HTTPS Wildcard", you may have an error in your service definition files that is causing the wildcard service to be matched first.