CAS Authentication
This integrates Jasig CAS with Gallery3.
Users must still have a Gallery3 account, and the Gallery3 user name must match the user name that CAS returns after login.
To create missing users automatically, write a custom module that handles the 'cas_auth_missing_user' event. The event receives a single parameter: the user name that CAS authenticated but that has no Gallery3 account.
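The following is an added example of such a handler; it is not part of the cas_auth module. It assumes a companion module named cas_provision (so the file lives at modules/cas_provision/helpers/cas_provision_event.php, next to a module.info with name, description and version lines), that cas_auth dispatches the event through Gallery3's module::event() so that a static method of the same name on the module's _event class receives it, and that identity::lookup_user_by_name(), identity::create_user(), random::hash() and log::info()/log::warning() are the standard Gallery3 helpers. The name pattern and placeholder e-mail domain are choices made for this example.

```php
<?php defined("SYSPATH") or die("No direct script access.");
/*
 * Added example, not code from the cas_auth module.
 *
 * Companion module "cas_provision": creates the Gallery3 account that a CAS
 * user is missing when cas_auth fires the 'cas_auth_missing_user' event.
 *
 * File: modules/cas_provision/helpers/cas_provision_event.php
 * A module.info next to the helpers/ directory is also needed, e.g.
 *   name = "CAS Provision"
 *   description = "Create Gallery3 accounts for CAS users on first login"
 *   version = 1
 *
 * Assumptions: Gallery3 routes module::event("cas_auth_missing_user", $name)
 * to the static method below; identity::*, random::hash() and log::* are the
 * stock Gallery3 helpers.
 */
class cas_provision_event_Core {
  // Only provision names that are safe to reuse as Gallery3 account names.
  // The name comes from the CAS server response, so treat it as untrusted.
  // (Pattern chosen for this example; tighten it to your directory's rules.)
  const NAME_PATTERN = '/^[A-Za-z0-9._-]{1,32}$/';

  // Placeholder e-mail domain for auto-created accounts (assumption: Gallery3
  // accepts any syntactically valid address; nothing is ever sent to it).
  const EMAIL_DOMAIN = "example.invalid";

  static function cas_auth_missing_user($username) {
    if (!preg_match(self::NAME_PATTERN, $username)) {
      log::warning("cas_provision",
                   "Refusing to create account for unexpected CAS user name",
                   html::clean($username));
      return;
    }

    // Guard against two concurrent first logins creating the same account.
    if (identity::lookup_user_by_name($username)) {
      return;
    }

    // Gallery3 still requires a password (see Limitations), but nobody will
    // ever type it: set an unguessable random one, never something derived
    // from the user name, so the account cannot be used to bypass CAS.
    $password = random::hash();
    $email = $username . "@" . self::EMAIL_DOMAIN;

    // New accounts get no extra group memberships here; grant those
    // deliberately in the admin UI rather than by default.
    $user = identity::create_user($username, $username, $password, $email);
    $user->save();

    log::info("cas_provision",
              "Created Gallery3 account for CAS user",
              html::clean($username));
  }
}
```

Activate the companion module in Admin -> Modules before enabling CAS; the handler runs at the moment of the first CAS login, so test it with a non-admin account before relying on it, and remember that the account it creates has only the default permissions.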
Installation
This module may be downloaded from github here.
Before you install this module, verify that you can access your MySQL database directly (see "Disabling CAS if the settings are incorrect" below): if CAS is enabled with wrong settings, that database access is the only way to turn it off again.
To install, extract the "cas_auth" folder from the zip file into your Gallery 3 modules folder.
Afterwards log into your Gallery web site as an administrator and activate the module in the Admin -> Modules menu.
Configure the module: Settings -> CAS settings
Fill in the CAS server details then click save.
After saving the settings, click enable to switch Gallery3 over to using CAS for authentication.
To verify that CAS is working, log out of Gallery3 and log back in. You should now be sent to the CAS server to authenticate.
Disabling CAS if the settings are incorrect
If you enable CAS with incorrect settings, you will be unable to log in to Gallery3 to disable CAS again.
To recover, you need direct access to the MySQL server and must run the following two queries. The first turns the module's "enabled" flag off; the second clears Gallery3's cached copy of the module variables so the change takes effect on the next request instead of whenever the cache expires.
UPDATE gal_vars SET value = '0' WHERE module_name = 'cas_auth' AND name = 'enabled';
DELETE FROM gal_caches WHERE `key` = 'var_cache';
Replace "gal_" with the table prefix you chose when installing Gallery3.
Limitations
- Admin re-authentication (Gallery3 normally asks for the password again before entering the admin area) is disabled while cas_auth is active, because users generally won't know their Gallery3 password. Since this removes a second check on admin access, it's advisable to use a separate account for administration rather than browsing day to day as an administrator.
- Gallery3 user accounts still need a password, even though users will not authenticate against Gallery3.
- Replaces the 404 error page to remove the login form; other modules or themes that replace the 404 page may conflict.
- Replaces the login_ajax page to remove the login form; other modules or themes that replace this page may conflict.
- Extends auth_Core, so it will not work alongside other modules that also extend auth_Core.
- Performs some session management and hooks in early in the request pipeline, before sessions have been loaded. Other modules that hook in equally early and load a session will cause problems.
- Currently supports only the SAML 1.1 ticket validation protocol; settings for selecting other CAS protocols still need to be added.
- Currently does not support CAS proxies; settings for configuring a proxy still need to be added.
TODO
- Add support for other protocols (this just needs a drop down in the settings, and someone with an appropriate CAS server to test the change).
- Add support for CAS proxies; not sure what's required, as I have not used CAS in a proxy configuration.
- Add feature to test set-up before enabling (would be nice to ensure you're not about to lock yourself out).
- A nicer settings page wouldn't hurt.
- Confirmation prompt before enabling/disabling.