Looking for CAS 3 info?
These instructions are for CAS 2. For CAS 3, read the new article
I initially followed the instructions here (http://confluence.sakaiproject.org/display/SAKDEV/CASifying+Sakai) and chose to integrate CAS via a servlet filter. I found the instructions lacked a bit of substance, so I had to do a lot of experimenting myself. Below is a quick howto on what I did.
1) Configure sakai-login-tool's web.xml
There are two blocks you need to add to the sakai-login-tool's web.xml file.
First, the filter and filter-mapping blocks; add them after any others that appear in that file as below:
Of course, you need to replace the above URLs with the URLs that are relevant to your installation.
Next, add another filter-mapping block to force requests for /container through Sakai's RequestFilter. This filter must be placed close to the top of web.xml, near:
The order is important
Please note that the order of the above blocks in the web.xml is important. They form a chain and each one passes off to the next one in the chain. See here for more information: http://java.sun.com/products/servlet/Filters.html
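A sketch of what step 1 describes, as an added example and not the original post's own blocks. It assumes the Yale CAS 2 Java client's CASFilter; the hostnames cas.example.edu and sakai.example.edu are placeholders, and the filter names "CAS Filter" and "sakai.request" are assumptions to match against your own web.xml.

```xml
<!-- Added example; hostnames below are placeholders. -->

<!-- Near the top of web.xml, beside the existing mappings for Sakai's
     RequestFilter. "sakai.request" is assumed to be the filter-name that
     web.xml already declares for it. Mapped first, so it runs first. -->
<filter-mapping>
    <filter-name>sakai.request</filter-name>
    <url-pattern>/container</url-pattern>
</filter-mapping>

<!-- After the existing filter and filter-mapping entries. -->
<filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <!-- Where the browser is redirected to authenticate. -->
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
        <param-value>https://cas.example.edu/cas/login</param-value>
    </init-param>
    <!-- Server-to-server ticket validation. Keep it on https; the JVM
         running Tomcat must trust the CAS server's certificate. -->
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
        <param-value>https://cas.example.edu/cas/serviceValidate</param-value>
    </init-param>
    <!-- host[:port] of this Sakai instance, fixed here so the service URL
         sent to CAS is not built from the request's Host header. -->
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
        <param-value>sakai.example.edu</param-value>
    </init-param>
    <!-- Expose the validated CAS username through getRemoteUser(). -->
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<!-- Mapped after sakai.request, so the CAS filter runs later in the chain. -->
<filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/container</url-pattern>
</filter-mapping>
```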
2) Modify the login-tool's project.xml (2.4.x) or pom.xml (2.5.x+) to include the casclient.jar automatically
You need a CAS filter to be deployed to TOMCAT/sakai-login/tool/WEB-INF/lib. You can either manually put it there after the war has been expanded (but it will be overwritten if you redeploy the war), or just add it as a dependency and get it included in the war itself!
Sakai 2.4.x Edit: $SAKAI_SRC/login/login-tool/tool/project.xml
Sakai 2.5.x Edit: $SAKAI_SRC/login/login-tool/tool/pom.xml
It will be fetched and installed by Maven, then deployed automatically. You might need http://repo1.maven.org/maven/ in your maven.repo.remote in build.properties so it can find the casclient jar.
3) Modify sakai.properties
For our requirements, we need everyone to log in and log out via CAS. To do this, we need to remove the username/password boxes at the top, enable the container to handle the login via CAS, and force logouts to be handled by CAS also.
4) Rebuild the login project, restart Sakai and test.
Clicking on the "Login" link now redirects me for authentication, and then logs me into Sakai.
Accessing the CAS authenticated username:
To access the authenticated username and other information from any JSP/Servlets I use:
Enabling local login as well as a CAS login
It is possible to have another login link that authenticates against Sakai itself, and we use this for users that are not in our LDAP system but need to be able to log in to Sakai (for instance, some units offered through UNE are available to students at other universities, but they are not in our main Student Information System, so they can be stored just in Sakai and log in to Sakai only).
To do that, modify your sakai.properties to add the xlogin section:
I have also written a CAS Perl module, which uses both CGI::Session to set up a session, and the returned CAS ticket for validation. Once you get the ticket, if you don't have a session already, one is established and that is used for any further authenticated requests. When the session times out, a new ticket is issued and this prompts a new session.
There are probably issues with this code but it seems to be running fine! Like I said above, you need to make sure your CAS server is returning usernames wrapped in XML the same way as above, or modify the code to suit. Feedback appreciated.