How to Integrate Single Sign-On Using JASIG-CAS

Sripathi Krishnan

07 Jun 2017


What is CAS?

CAS is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as user ID and password) only once. It can use multiple backing identity stores, such as a database, LDAP, or an in-memory store. It is useful when a centralized authentication team manages identity.

Django CAS NG

Several middleware packages are available for integrating CAS with Django. The most viable one, django-cas-ng, is a Central Authentication Service (CAS) client implementation. The project inherits from django-cas, supports Single Sign-Out, and can fetch a Proxy Granting Ticket.

Prerequisites

Supports CAS versions 1.0, 2.0 and 3.0.
Supports Django 1.5, 1.6, 1.7 and 1.8 with a custom User model.
Supports Python 2.7 and 3.x.

How to Set Up the Environment and Install

The project runtime needs to be set up with the right dependencies so that the project scaffold can reference them.
Install with pip: pip install django-cas-ng
Install the latest code: pip install https://github.com/mingchen/django-cas-ng/archive/master.zip
Install from source code: python setup.py install

Settings

Single sign-on needs the right middleware in place to intercept requests. It is good practice to keep the configuration as part of the Django project settings. Make sure you also have the authentication middleware installed. Here is a sample settings file for reference:


INSTALLED_APPS = (
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'django_cas_ng',
    # …
)

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    # …
)

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
    'django_cas_ng.backends.CASBackend',
)

CAS_SERVER_URL must be defined. It points the client at the CAS runtime, which is a web application deployed on a Java HTTP application server. Set it to the base URL of your CAS source (e.g. https://account.example.com/cas/).

Optional settings include:

CAS_ADMIN_PREFIX
CAS_CREATE_USER
CAS_LOGIN_MSG
CAS_LOGGED_MSG
CAS_EXTRA_LOGIN_PARAMS
CAS_RENEW
CAS_IGNORE_REFERER
CAS_LOGOUT_COMPLETELY
CAS_REDIRECT_URL
CAS_RETRY_LOGIN
CAS_STORE_NEXT
CAS_VERSION
CAS_USERNAME_ATTRIBUTE
CAS_PROXY_CALLBACK
CAS_FORCE_CHANGE_USERNAME_CASE
CAS_APPLY_ATTRIBUTES_TO_USER

View-Wrappers Example

The CAS_EXTRA_LOGIN_PARAMS setting allows you to define a static dictionary of extra parameters to be passed on to the CAS login page. But what if you want this dictionary to be dynamic (e.g. based on the user session)? Our current advice is to implement simple wrappers for our default views, like these:


from django.conf import settings
from django.http import HttpResponseRedirect
from django.views.decorators.csrf import csrf_exempt
from django_cas_ng import views as baseviews

@csrf_exempt
def login(request, **kwargs):
    return _add_locale(request, baseviews.login(request, **kwargs))

def logout(request, **kwargs):
    return _add_locale(request, baseviews.logout(request, **kwargs))

def _add_locale(request, response):
    """If the given HttpResponse is a redirect to CAS, then add the proper
    'locale' parameter to it (and return the modified response). If not,
    simply return the original response."""
    if (
        isinstance(response, HttpResponseRedirect)
        and response['Location'].startswith(settings.CAS_SERVER_URL)
    ):
        from ourapp.some_module import get_currently_used_language
        url = response['Location']
        # Start a query string with '?' if the URL does not have one yet
        url += '&' if '?' in url else '?'
        url += "locale=%s" % get_currently_used_language(request)
        response['Location'] = url
    return response
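A stricter version of the redirect handling in _add_locale, written as an added example (it is not part of django-cas-ng or of the original post). It compares the parsed scheme, host and path against CAS_SERVER_URL instead of using a string prefix, and URL-encodes the locale value; the names is_cas_url and add_locale and the sample URL are assumptions made for this sketch.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample value, taken from the example URL in the text above.
CAS_SERVER_URL = "https://account.example.com/cas/"


def is_cas_url(location, cas_server_url=CAS_SERVER_URL):
    """True only if `location` is on the CAS server's origin and under its path."""
    target, base = urlsplit(location), urlsplit(cas_server_url)
    if target.scheme != base.scheme:
        return False
    # Compare the whole authority (userinfo, host, port). A prefix match would
    # also accept "account.example.com.other.test" when the configured URL
    # has no trailing slash.
    if target.netloc.lower() != base.netloc.lower():
        return False
    # Match on whole path segments so "/cas" does not match "/casino".
    base_path = base.path if base.path.endswith("/") else base.path + "/"
    return (target.path + "/").startswith(base_path)


def add_locale(location, locale, cas_server_url=CAS_SERVER_URL):
    """Return `location` with locale=<locale> set if it points at CAS,
    otherwise return it unchanged."""
    if not is_cas_url(location, cas_server_url):
        return location
    parts = urlsplit(location)
    # Keep every existing parameter (e.g. service=...) except an old locale.
    query = [
        (key, value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if key != "locale"
    ]
    query.append(("locale", locale))
    # urlencode() escapes '&', '=' and '#', so the locale value cannot add
    # further parameters to the CAS login URL; the fragment is preserved.
    return urlunsplit(parts._replace(query=urlencode(query)))
```

In the wrapper views, this would be applied as response['Location'] = add_locale(response['Location'], get_currently_used_language(request), settings.CAS_SERVER_URL).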

 

Custom Backends

The CASBackend class is heavily inspired by Django’s own RemoteUserBackend and allows for some configurability through subclassing if you need more control than django-cas-ng’s settings provide. For instance, here is an example backend that only allows some users to log in through CAS:


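from django_cas_ng.backends import CASBackend

class MyCASBackend(CASBackend):
    def user_can_authenticate(self, user):
        # Django's permission check is has_perm('<app_label>.<codename>');
        # 'ourapp' is a placeholder app label for this example.
        if user.has_perm('ourapp.can_cas_login'):
            return True
        return False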

 

If you need more control over the authentication mechanism of your project than django-cas-ng’s settings provide, you can create your own authentication backend that inherits from django_cas_ng.backends.CASBackend and overrides these attributes or methods:
CASBackend.clean_username(username)
CASBackend.user_can_authenticate(user)
CASBackend.configure_user(user)

Summary

CAS enables single sign-on and login federation for organisations and helps them centrally manage identity for multiple web applications by integrating with them over HTTP. This enables centralization of identity provider teams.

