MENU

Using mod_authn_cas at SFU

mod_authn_cas introduction

mod_authn_cas is an Apache module that uses CAS to authenticate a user and authorize their access to web content served by an Apache HTTP Server. Because this module does not redirect to the CAS login page, it can be used when protecting an application that is not web based, such as WebDAV.

This module is very basic and does not have any authorization features built in, so it relies on other modules or CAS itself to provide access control. Typically you would register your application (such as WebDAV) with CAS and specify what Required Attributes need to be specified.

Configuring mod_authn_cas at SFU

The first step is to download a copy of mod_authn_cas from here. You can then build and install the module.

Once the module is installed in your Apache's module directory, you should specify the following in your Apache httpd.conf file:

LoadModule authn_cas_module modules/mod_authn_cas.so

You then need to add a few required parameters to configure mod_authn_cas

CASRestURL https://cas.sfu.ca/cas/v1/tickets

mod_authn_cas needs to make a direct connection to the CASRestURL to log the user in. To allow the SSL connection to be made, you need to install the X509 certificate of the Certificate Authority for the CAS server in your certificate folder (default /etc/ssl/certs/). That certificate is available at ThawtePremiumServerBundleCA-2018-v3.pem. You would then specify the directory containing that certificate using:

CASCertificatePath /etc/ssl/certs/

You can then protect a directory in your Apache configuration by using:

<Location /WebDAV>
   AuthType Basic
   AuthName "Enter an SFU account."
   AuthBasicProvider cas
   Require valid-user
</Location>

Supported Require Directives

The mod_authn_cas module doesn't support Require directives on its own, but built in modules like mod_auth_basic provide at least the following:

Require valid-user
Require user userid [userid] ...

Other access control requirements can be specified in CAS when you register your CAS protected server/application.