Using mod_auth_cas at SFU
mod_auth_cas introduction
mod_auth_cas is an Apache module that uses CAS to protect static and dynamic web content served by the Apache HTTP Server.
Note: There is an older version of mod_auth_cas that was extensively modified to work with SFU CAS. This version will still work, but is no longer supported. It only works with Apache 2.2, and that version of Apache is no longer being maintained by The Apache Software Foundation. If you are currently using the old SFU mod_auth_cas, and want to upgrade Apache to version 2.4, see the documentation here on moving from the old SFU mod_auth_cas to the new mod_auth_cas.
Configuring mod_auth_cas at SFU
Once you have built and installed mod_auth_cas in your Apache modules directory (for example, /etc/httpd/modules), edit your Apache configuration to load the module with:
LoadModule auth_cas_module modules/mod_auth_cas.so
You then need to add a few required parameters to configure mod_auth_cas:
CASLoginURL https://cas.sfu.ca/cas/login
CASValidateURL https://cas.sfu.ca/cas/serviceValidate
CASCookiePath /usr/local/apache2/cas/
mod_auth_cas needs to make a direct connection to the CASValidateURL to validate the Service Ticket from CAS when the user logs in. To allow the SSL connection to be made, you need to install the X509 certificate of the Certificate Authority for the CAS server in your certificate folder (default /etc/ssl/certs/). That certificate is available at ThawtePremiumServerBundleCA-2018-v3.pem. You would then specify the directory containing that certificate using:
CASCertificatePath /etc/ssl/certs/
You can then protect a directory in your Apache configuration by using:
<Location /secured>
    AuthType CAS
    Require valid-user
</Location>
You can also protect directories by placing the contents of the Location block in .htaccess files.
Supported Require Directives
| Require directive | Effect |
| --- | --- |
| Require valid-user | All valid users can access the resource. |
| Require user userid [userid] ... | Only the named users can access the resource. |
| Require cas-attribute member:mail-list | Only members of the named mail list can access the resource. |
| Require cas-attribute sfuEduPersonAffiliation:staff | Only SFU staff can access the resource. |
| Require cas-attribute sfuEduPersonAffiliation:undergrad | Only SFU undergrad students can access the resource. |
| Require cas-attribute sfuEduPersonAffiliation:grad | Only SFU grad students can access the resource. |
| Require cas-attribute sfuEduPersonAffiliation:faculty | Only SFU faculty can access the resource. |
| Require cas-attribute sfuEduPersonAffiliation:alumnus | Only SFU alumni can access the resource. |
| Require cas-attribute sfuIsLightweight:true | Only SFU lightweight accounts can access the resource. |
| Require cas-attribute sfuIsLightweight:false | Only SFU fullweight accounts can access the resource. |
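Checking a configuration before reloading Apache: the script below is an added example, not code from SFU or from the mod_auth_cas project. It lints the directives described above for a non-https CAS URL, a CASCookiePath without the trailing slash that mod_auth_cas expects, and a protected section where Require valid-user sits beside a narrower rule. It assumes Apache 2.4, where Require lines outside a <RequireAll> block are combined as <RequireAny>; the function names and the sample configuration are constructed for illustration.

```python
# Constructed sample: the page's directives with two mistakes added for the demo.
SAMPLE = """\
CASLoginURL https://cas.sfu.ca/cas/login
CASValidateURL https://cas.sfu.ca/cas/serviceValidate
CASCookiePath /usr/local/apache2/cas
<Location /secured>
AuthType CAS
Require valid-user
Require cas-attribute sfuEduPersonAffiliation:staff
</Location>
"""

def check_section(s):
    """Findings for one <Location>/<Directory> block that uses AuthType CAS."""
    if not s["cas"]:
        return []
    if not s["req"]:
        return [f"{s['name']}: AuthType CAS but no Require directive in this section"]
    narrow = [r for r in s["req"] if r != "valid-user"]
    if "valid-user" in s["req"] and narrow and not s["grouped"]:
        return [f"{s['name']}: 'Require valid-user' is OR-ed with {narrow} "
                "(ungrouped Require lines act as RequireAny)"]
    return []

def lint_cas_config(text):
    """Return a list of findings for a mod_auth_cas configuration."""
    findings, section = [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:] or [""]
        if key in ("casloginurl", "casvalidateurl") and not args[0].lower().startswith("https://"):
            findings.append(f"{words[0]}: not an https URL")
        elif key == "cascookiepath" and not args[0].endswith("/"):
            findings.append("CASCookiePath: missing trailing slash")
        elif key in ("<location", "<directory"):
            section = {"name": args[0].rstrip(">"), "cas": False, "req": [], "grouped": False}
        elif section and key in ("</location>", "</directory>"):
            findings += check_section(section)
            section = None
        elif section and key in ("<requireall>", "<requireany>", "<requirenone>"):
            section["grouped"] = True  # explicit grouping: leave the logic to the author
        elif section and key == "authtype":
            section["cas"] = args[0].lower() == "cas"
        elif section and key == "require":
            section["req"].append(" ".join(args))
    return findings

if __name__ == "__main__":
    print("\n".join(lint_cas_config(SAMPLE)))
```

To restrict /secured to staff only, drop the Require valid-user line; to require several conditions at once, wrap them in <RequireAll>.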