Forums | Mahara Community
Mahara and CAS
06 July 2009, 14:32
Is there any information out there on CAS authentication for Mahara or where to get started on CASifying it myself? I'm hoping to not have to go through all of the hackery from square one myself.
06 July 2009, 16:04
I will snoop around at my institution...with the tech people.
Already sent them an email.
tm
07 July 2009, 2:12
Here's an email I received, John.
________________
Hi Tim,
If he only needs some general information about CAS, here is some documentation
about how to use CAS in the USASK network: http://www.usask.ca/docs/cas/. Both
Todd and Kevin should be able to help him with that.
The Mahara system does not have the capability to work with CAS to implement a
single sign-on function. He can put the Mahara system behind CAS authentication;
this way we can define a list of people who can access Mahara. But a user
still needs to enter a local username/password for Mahara after CAS
authentication.
I modified the Mahara system for the School of Physical Therapy, created a sign-on
script and combined it with a local database to implement the single sign-on
function. I don't have any documentation (I am not good at writing
documentation). If single sign-on is what he needs, maybe I can write some
quick documentation.
Best,
Jin
07 July 2009, 4:26
You'll want to look at writing an authentication plugin for Mahara, I guess. As far as I understand it, CAS doesn't provide any user information, just a 'yes' or 'no' whether to authenticate the user. In which case you'll probably want to look at another authentication plugin to defer to (like ldap or something else) to provide the user's information so Mahara can create the account if necessary.
Hope that helps!
07 July 2009, 8:55
To avoid messing much with Mahara, here's what I'm thinking: Write a script that does the CAS stuff (which is incredibly easy), caches credentials somewhere (database) and logs the user into Mahara using IMAP authentication against a custom IMAP server (second script) that looks at these credentials, sends the session cookie(s) back to the client, redirects the user into Mahara. What's that, two CGI scripts? I think I can code that.
07 July 2009, 12:56
Ok, I've got a working shim here. CGI script "login.cgi" does the CAS thing, doing the ticket exchange and such. It generates a temporary key that is used as a password, does the login through an HTTP POST against Mahara. Mahara authenticates against an IMAP server, another Perl script that uses the same database table for its authentication source. Once authenticated, the Mahara session cookie is passed back to the browser along with a redirect. Voila, SSO based on CAS without having to dig into Mahara's plugin setup.
I can't exactly share the code in this form but I could help if others need it.
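The temporary key described in the post above, as an added example that is not the poster's code (their Perl scripts were not shared): a Python version of the shared credential table in which each key is stored only as a hash, expires quickly and can be redeemed once. The table name `sso_keys`, the functions `issue_key` and `redeem_key`, and the 30-second lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3
import time

TTL_SECONDS = 30  # assumed lifetime: the key only has to survive one login POST


def open_store(path=":memory:"):
    """Open the table shared by the login script and the auth back end."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS sso_keys ("
        "username TEXT PRIMARY KEY, key_hash TEXT NOT NULL, expires REAL NOT NULL)"
    )
    return db


def _digest(key):
    # Only the SHA-256 digest is stored, so a leaked table holds no usable keys.
    return hashlib.sha256(key.encode()).hexdigest()


def issue_key(db, username, now=None):
    """Login script side: call only after the CAS ticket has validated."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    with db:  # commit on success, roll back on error
        db.execute(
            "INSERT OR REPLACE INTO sso_keys VALUES (?, ?, ?)",
            (username, _digest(key), now + TTL_SECONDS),
        )
    return key


def redeem_key(db, username, key, now=None):
    """Auth back end side: True at most once per issued key."""
    now = time.time() if now is None else now
    with db:
        # Purge expired rows, then consume the matching row in one statement
        # so two concurrent logins cannot both succeed with the same key.
        db.execute("DELETE FROM sso_keys WHERE expires < ?", (now,))
        cur = db.execute(
            "DELETE FROM sso_keys WHERE username = ? AND key_hash = ?",
            (username, _digest(key)),
        )
    return cur.rowcount == 1
```

A wrong guess leaves the row in place, so a third party cannot cancel a pending login by submitting a bad password for that user.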
09 July 2009, 22:30
Hi - it probably would have been easier to write a plugin for Mahara's authentication system. You could just copy the LDAP one as a starting point. The plugin system isn't that complicated...
10 July 2009, 9:21
It took all of 3 hours to code up this system (and -- fantastic -- it'll work for more than just Mahara). But you're right, the plugin system is easy enough to get into, I just couldn't figure out how I'd get Mahara to not display login boxes and instead do all the redirection to the CAS server instead. On top of that, I need it to auto-create accounts and pull user info out of LDAP after successful auth... It seemed easier to me to just code a custom LDAP server and leave Mahara stock. It was altogether about 250 lines of Perl and a single database table, so not a huge investment.
07 July 2009, 8:49
No worries, I'll hack something together. I was hoping to find a CAS auth module already coded out there somewhere, but I think I can work around this.