Setup a CAS server with the ViSH database as authentication source

Enrique Barra Arias edited this page Aug 23, 2017 · 7 revisions

This page explains how to install a CAS server that authenticates users against ViSH using the CAS protocol. The CAS server will use the ViSH database as its authentication source.

Registration will continue to take place in the ViSH platform, as always.

Moodle users will be able to authenticate with this CAS server, as will ViSH users, so we get single sign-on and single sign-out.

You can read more in the official CAS server documentation (the one that we have used): http://casino.rbcas.com/docs/

* We have an Ubuntu 14.04 machine with ViSH installed, and we have access to that machine through ssh.
* Software: we will use this CAS server app: https://github.com/rbCAS/CASinoApp. We chose it because it is written in Ruby and can easily be installed together with ViSH, but other CAS servers will surely also work. We have created a fork of that app to customize the interface; our repo is https://github.com/ging/CASinoApp

Single Sign Out will not work unless you configure a server session store, such as a Redis store. See this GitHub issue for more info.

The language is taken from the HTTP_ACCEPT_LANGUAGE header of each request. This is done in the CASinoApp. If you want to keep the language that the user has selected in ViSH, this should be enhanced to pass an extra param in the URL of the first login request and to read that param in the set_locale method.

The first step is to log in to the machine that runs your ViSH instance. On that machine we configure the database: we create a database called vish_cas, which the CAS server will migrate, and a new view in the ViSH database, against which the CAS server will authenticate.

sudo -u postgres psql
CREATE DATABASE vish_cas OWNER postgres;
\c vish_production;
create view moodle_users as select users.encrypted_password, actors.name, actors.email from users inner join actors on (users.actor_id=actors.id);
\q

Now change directory to where you have your server apps. In that directory we clone the CASinoApp project and configure the database.yml file:

cd /u/apps
git clone https://github.com/ging/CASinoApp.git
cd CASinoApp
vi config/database.yml

In the database.yml file we change the following lines (replacing YOUR_PASSWORD with your real postgres password):

production:
  adapter: postgresql
  encoding: utf8
  database: vish_cas
  pool: 5
  username: postgres
  password: YOUR_PASSWORD

Now we install CASinoApp:

./script/install postgres

The next step is to edit cas.yml with your server configuration. This file names the database table (here, the moodle_users view) that CAS authenticates against. Remember to replace YOUR_PASSWORD with your real postgres password:

production:
  frontend:
    sso_name: 'ViSH Login'
    footer_text: 'Haz login y estarás autenticado en ViSH'
  authenticators:
    my_company_sql_database:
      authenticator: "ActiveRecord"
      options:
        connection:
          adapter: "postgresql"
          host: "localhost"
          username: "postgres"
          password: YOUR_PASSWORD
          database: "vish_production"
        table: "moodle_users"
        username_column: "email"
        password_column: "encrypted_password"
        extra_attributes:
          email: "email"
          name: "name"
  two_factor_authenticator:
    enable: false
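
The authenticator configured above only reads the moodle_users view, which exposes the users' password hashes, so its connection does not need the postgres superuser. The following is an added example, not part of the original page or of the CASinoApp project, that creates a read-only role for that connection. The role name cas_reader, the password placeholder and the public schema are assumptions.

```sql
-- Added example, not from the original page.
-- Run as the postgres superuser inside the ViSH database:
--   sudo -u postgres psql -d vish_production
-- Assumptions: the role name cas_reader and the password placeholder are
-- illustrative, and moodle_users was created in the public schema.

-- Login role without any elevated attribute.
CREATE ROLE cas_reader LOGIN PASSWORD 'CHANGE_ME'
  NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- Allow the role to connect to the ViSH database and to resolve
-- object names in the public schema.
GRANT CONNECT ON DATABASE vish_production TO cas_reader;
GRANT USAGE ON SCHEMA public TO cas_reader;

-- Read access to the view only. By default a PostgreSQL view is executed
-- with the privileges of its owner, so cas_reader needs no rights on the
-- underlying users and actors tables.
GRANT SELECT ON moodle_users TO cas_reader;

-- Inspect the effective privileges of the role on the view and on the
-- two base tables behind it.
SELECT has_table_privilege('cas_reader', 'moodle_users', 'SELECT') AS view_select,
       has_table_privilege('cas_reader', 'users', 'SELECT')        AS users_select,
       has_table_privilege('cas_reader', 'actors', 'SELECT')       AS actors_select;
```

With such a role, the connection block under authenticators in cas.yml would use cas_reader and its password in place of postgres. The database.yml connection is a separate matter, since CASinoApp migrates and writes to vish_cas.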

Now we have to configure our ViSH instance to use this CAS server. This is done in the config/application_config.yml file. (The options available in this file are described in detail at https://github.com/ging/vish/wiki/Setting-up-a-ViSH-instance:-The-application_config.yml-file ) We will choose either CAS or HYBRID as login_policy and add the CAS configuration.

Finally, we have to edit our apache2 sites-available config files (both the regular one and the ssl one) to add this new app inside our domain. In our case this is done with "sudo vi /etc/apache2/sites-available/vishub.conf" and "sudo vi /etc/apache2/sites-available/vishub-ssl.conf". In those files we add the following lines inside the virtualhost:

        Alias /cas /u/apps/CASinoApp
        <Location /cas>
                PassengerBaseURI /cas
                PassengerAppRoot /u/apps/CASinoApp
        </Location>

To rotate the log files (production and search logs) and keep them from growing too large, we recommend using logrotate. Edit the file /etc/logrotate.d/cas so that it has the following content, replacing username with your Ubuntu username:

/u/apps/CASinoApp/log/production.log {
  weekly
  missingok
  rotate 12
  maxage 84
  notifempty
  create 0660 username www-data
  sharedscripts
  compress
  delaycompress
  su username www-data
  postrotate
    touch  /u/apps/CASinoApp/tmp/restart.txt
  endscript
}