Child pages
  • CASifying Sakai
Skip to end of metadata
Go to start of metadata

CASifying Sakai

Looking for CAS 3 info?

These instructions are for CAS 2. For CAS 3, read the new article

I initially followed the instructions here ( and chose to integrate CAS via a servlet filter. I found the instructions lacked a bit of substance, so had to do a lot of experimenting myself. Below is a quick howto on what I did.

1) Configure sakai-login-tool's web.xml

There are two blocks you need to add to the sakai-login-tool's web.xml file.
Edit: $SAKAI_SRC/login/login-tool/tool/src/webapp/WEB-INF/web.xml

First, the filter and filter-mapping blocks; add them after any others that appear in that file as below:

Of course, you need to replace the above URLs with the URLs that are relevant to your installation.

Next, add another filter-mapping block to force requests for /container through Sakai's RequestFilter. This filter must be placed close to the top of web.xml, near:

The order is important

Please note that the order of the above blocks in the web.xml is important. They form a chain and each one passes off to the next one in the chain. See here for more information:

2) Modify the login-tool's project.xml (2.4.x) or pom.xml(2.5.x +) to include the casclient.jar automatically

You need a CAS filter to be deployed to TOMCAT/sakai-login/tool/WEB-INF/lib. You can either manually put it there after the war has been expanded (but it will be overwritten if you redeploy the war), or just add it as a dependency and get it included in the war itself!

Sakai 2.4.x Edit: $SAKAI_SRC/login/login-tool/tool/project.xml
And add:

Sakai 2.5.x Edit: $SAKAI_SRC/login/login-tool/tool/pom.xml
And add:

It will be fetched and installed by Maven, then deployed automatically. You might need in your maven.repo.remote in so it can find the casclient jar.

3) Modify

For our requirements, we need everyone to login and logout via CAS. To do this, we need to remove the username/password boxes at the top, enable the container to handle the login via CAS, and force logouts to be handled by CAS also.

# Remove the username/password boxes at the top by setting this to false
top.login = false

# Let the container handle logins - ie to use single sign-on.
container.login = true

# Force logouts via CAS also - your requirements will be different for this.
# The URL below allows us to logout via CAS and then be redirected back to our Sakai server.
3) Rebuild the login project, restart Sakai and test.

Clicking on the "Login" link now redirects me for authentication, and then logs me into Sakai.

Accessing the CAS authenticated username:

To access the authenticated username and other information from any JSP/Servlets I use:

// get the authenticated username (2 methods of doing this)

//get additional information about the authentication receipt  (2 methods of doing this)

Enabling local login as well as a CAS login

It is possible to have another login link that authenticates against Sakai itself, and we use this for users that are not in our LDAP system, but need to be able to login to Sakai (for instance, some units offered through UNE are available to students at other Universities, but they are not in our main Student Information System, so they can be stored just in Sakai and login to Sakai only).
To do that, modify your to add the xlogin section:

I have also written a CAS Perl module, which uses both CGI::Session to setup a session, and the returned CAS ticket for validation. Once you get the ticket, if you don't have a session already, one is established and that is used for any further authenticated requests. When the session times out, a new ticket is issued and this prompts a new session.

There are probably issues with this code but it seems to be running fine! Like I said above, you need to make sure your CAS server is returning usernames wrapped in XML the same way as above, or modify the code to suit. Feedback appreciated.

1 Comment

  1. Hi Steve, thanks for these useful instructions. It's probably worth mentioning that for this to work you also need to have JLDAP set up in Sakai too (see this bug report).