CAS and Typo3 (II)

Hi,

after several months without publishing anything, I’ll try to take up this healthy habit again :). I’ll explain the steps needed to get CAS integrated with Typo3, without going into much detail.

My colleagues and I have installed CAS and Typo3 and integrated them. In order to do this, you should have the following running:

  1. CAS installed and running on an application server. We installed CAS on Apache Tomcat 5.5.17 and integrated it with LDAP: esup-cas-server-2.0.7, using LDAP with “uid” as the user identifier.
  2. Typo3 installed and running on another server (or on the same one, but we don’t recommend it).

Having this environment running, we had to follow these steps:

  1. Download the esup-PHPCas client from http://esup-phpcas.sourceforge.net/.
  2. Implement a new Typo3 extension, “cas_auth“:
    • esup-PHPcas was copied into the cas_auth extension so that it can be included from our class. The CAS client provides these methods:
      • client(): gets a CAS client instance.
      • forceAuthentication(): checks whether the user is authenticated; if not, redirects to the CAS login form.
      • getUser(): gets the currently authenticated user.
    • The extension’s service class extends tx_sv_authbase.
    • We implemented a getUser() method, called on the “Login” and “Logout” operations. It invokes the CAS client methods that authenticate the user, calling forceAuthentication(), which redirects to the login form if the user has no valid session.
    • cas_auth has the property BE_enableSSO which, if set, allows authentication on the backend when the user exists in both the fe_users and be_users tables. Note that every LDAP account with a matching be_users record then gets backend access through CAS without a separate backend password, so keep be_users restricted.
    • We registered the new class as a service:

    t3lib_extMgm::addService($_EXTKEY, 'auth' /* sv type */, 'tx_casauth_sv1' /* sv key */,
      array(
        'title'       => 'CAS Auth',
        'description' => 'Authentication with CAS',
        'subtype'     => $subTypes,   /* comma-separated auth subtypes, defined earlier in the file */
        'available'   => TRUE,
        'priority'    => 80,
        'quality'     => 80,
        'os'          => '',
        'exec'        => '',
        'classFile'   => t3lib_extMgm::extPath($_EXTKEY).'sv1/class.tx_casauth_sv1.php',
        'className'   => 'tx_casauth_sv1',
      )
    );

  3. Implement a new Typo3 plugin:
    • We named this extension caslogin.
    • It shows a link to the CAS login form if the user isn’t authenticated, and a logout link if the user has a valid session.
    • Another option lets you embed the caslogin form in an IFRAME on your site.
    • The plugin should be added to the page where you want to validate the user (showing the login form, or a welcome text :)).
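The following is an added example of what the cas_auth auth service described above can look like; it is not the original extension’s code. It is written against the TYPO3 4.x service API (tx_sv_authbase) and the phpCAS 1.3 API: the esup-phpcas copy used in the post exposes client(), forceAuthentication() and getUser() as listed, the other phpCAS calls (setCasServerCACert, setFixedServiceURL, isAuthenticated, logoutWithRedirectService) may need adapting to that older client. The table name tx_casauth_server, its column names, the ca_cert field and the lib/CAS/CAS.php path are assumptions.

```php
<?php
/*
 * sv1/class.tx_casauth_sv1.php -- added example of a CAS auth service for
 * TYPO3 4.x (not the original cas_auth code). Assumed: table tx_casauth_server
 * holding the "cas server" record, its column names, and the phpCAS path.
 */
require_once(t3lib_extMgm::extPath('sv') . 'class.tx_sv_authbase.php');
require_once(t3lib_extMgm::extPath('cas_auth') . 'lib/CAS/CAS.php');   // assumed location of the copied phpCAS

class tx_casauth_sv1 extends tx_sv_authbase {
    var $prefixId = 'tx_casauth_sv1';
    var $extKey   = 'cas_auth';
    var $casReady = FALSE;

    /**
     * Load the "cas server" record and initialise the phpCAS client once per
     * request. Returns FALSE (the service stays passive) when no record exists.
     */
    function initCAS() {
        if ($this->casReady) {
            return TRUE;
        }
        $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
            '*', 'tx_casauth_server', 'deleted=0 AND hidden=0', '', '', '1');
        $srv = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res);
        if (!$srv) {
            return FALSE;
        }
        phpCAS::setDebug($srv['log_path']);          // "Log path": the log records tickets, keep it outside the web root
        phpCAS::client(CAS_VERSION_2_0, $srv['server_name'],
            intval($srv['server_port']), $srv['cas_servlet']);
        // Pin the TLS trust anchor (assumed column ca_cert). Never call
        // phpCAS::setNoCasServerValidation() outside a test box: without
        // certificate validation anyone on the path can answer the ticket
        // validation request and pick the username.
        phpCAS::setCasServerCACert($srv['ca_cert']);
        // Use the configured "URL to come back from CAS" instead of the current
        // request URL, so the service URL cannot be steered by the client.
        phpCAS::setFixedServiceURL($srv['return_url']);
        $this->casReady = TRUE;
        return TRUE;
    }

    /**
     * Called by TYPO3 for the "login" and "logout" operations. Returns the
     * user record to authenticate, or FALSE.
     */
    function getUser() {
        if (!$this->initCAS()) {
            return FALSE;
        }
        if ($this->login['status'] == 'logout') {
            // End the CAS single sign-on session as well; otherwise the next
            // forceAuthentication() logs the user straight back in.
            phpCAS::logoutWithRedirectService(t3lib_div::getIndpEnv('TYPO3_SITE_URL'));
            return FALSE;   // not reached: phpCAS redirects and exits
        }
        if ($this->login['status'] != 'login') {
            return FALSE;
        }
        // Without a CAS session: redirect to the CAS login form and exit.
        // With a ticket on the URL: validate it against the CAS server first.
        phpCAS::forceAuthentication();
        $username = phpCAS::getUser();       // the LDAP "uid", as configured on the server
        if ($username === '') {
            return FALSE;
        }
        // Look the user up in the table TYPO3 is authenticating against
        // (fe_users or be_users, depending on $this->authInfo['loginType']).
        $user = $this->fetchUserRecord($username);
        if (!is_array($user)) {
            return FALSE;
        }
        if ($this->authInfo['loginType'] == 'BE') {
            // BE_enableSSO: backend SSO only when enabled and the same uid also
            // exists in fe_users. Such accounts get backend access without a
            // backend password, so keep be_users minimal.
            $conf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf'][$this->extKey]);
            if (empty($conf['BE_enableSSO'])) {
                return FALSE;
            }
            $feRows = $GLOBALS['TYPO3_DB']->exec_SELECTgetRows('uid', 'fe_users',
                'username=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($username, 'fe_users')
                . ' AND deleted=0 AND disable=0');
            if (!count($feRows)) {
                return FALSE;
            }
        }
        return $user;
    }

    /**
     * TYPO3 passes in the record getUser() returned. CAS has already proven
     * the identity, so accept it if it still matches the CAS session.
     * 200 = authenticated, stop the chain; 100 = undecided, try the next
     * service; 0 = reject.
     */
    function authUser($user) {
        if (!$this->casReady || !phpCAS::isAuthenticated()) {
            return 100;
        }
        $col = $this->db_user['username_column'];
        return ($user[$col] === phpCAS::getUser()) ? 200 : 0;
    }
}
```

The service never reads a username from the request: the only identity it trusts is the one phpCAS returns after validating the service ticket server-side, and the certificate pinning plus the fixed service URL are what make that validation meaningful.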

Backend configuration:

  • One “cas server” record must exist in the site’s main sysfolder. The “cas server” record type is provided by “cas_auth“ and defines:
    • Server name: hostname (base URL) where Apache Tomcat serves our CAS instance.
    • Server port: port where Apache Tomcat serves our CAS instance.
    • Log path: full path of the CAS client log file (keep it outside the web root; the client log records tickets and usernames).
    • Cas servlet: relative URI where Apache Tomcat serves our CAS instance.
    • URL to come back from CAS: URL the CAS login form redirects to in order to return to the Typo3 site.
  • At least one caslogin plugin added to a page (it may be a good idea to add the caslogin plugin as a TypoScript object on all pages).
  • ldap_server, ldap_lib and ldap_sync must be installed and configured in Typo3.

When a user accesses the site, the sequence is:

  1. The user goes to the home page (which must have a caslogin plugin configured).
  2. Typo3 checks, via caslogin, whether the user is authenticated.
  3. Depending on the configuration, the CAS login form is shown on the home page (as a link or inside the IFRAME).
  4. The user fills in his/her username and password.
  5. If the username and password are correct, the CAS login form redirects back to the Typo3 login-check page, which can be any page that receives a few “GET” variables, for example:
  “http://typo3_url/index.php?id=alias&submit=Login&logintype=login”
  CAS appends its service ticket to that URL; cas_auth validates the ticket against the CAS server (this is what forceAuthentication() does) and only then trusts the username returned by getUser().
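The post does not spell out what happens between the redirect in step 5 and the Typo3 login, so here is an added example (ours, not code from the post or from phpCAS) of that step done by hand: the browser only carries an opaque service ticket, and the username comes from a server-to-server CAS 2.0 /serviceValidate call whose XML response is parsed and checked. The function names, the CA file parameter and the sample responses are constructed for the example.

```php
<?php
/*
 * Added example: the ticket validation behind step 5, written without phpCAS.
 * casLoginUrl, casValidateUrl, casParseValidation, casValidateTicket and the
 * sample XML below are ours, not part of the post or of any CAS library.
 */

/* URL the caslogin plugin links to; CAS returns to $serviceUrl with ?ticket= appended. */
function casLoginUrl($casBase, $serviceUrl) {
    return rtrim($casBase, '/') . '/login?service=' . rawurlencode($serviceUrl);
}

/* Server-side validation URL. $serviceUrl must be byte-identical to the one
 * used at login, otherwise CAS answers INVALID_SERVICE. */
function casValidateUrl($casBase, $serviceUrl, $ticket) {
    return rtrim($casBase, '/') . '/serviceValidate?service=' . rawurlencode($serviceUrl)
        . '&ticket=' . rawurlencode($ticket);
}

/* Parse a CAS 2.0 serviceValidate response. Only <cas:authenticationSuccess>
 * with a non-empty <cas:user> yields a username; failures and malformed XML
 * yield FALSE. */
function casParseValidation($xml) {
    libxml_use_internal_errors(TRUE);
    // LIBXML_NONET: the response must never make the parser fetch anything
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === FALSE) {
        return FALSE;
    }
    $doc->registerXPathNamespace('cas', 'http://www.yale.edu/tp/cas');
    $nodes = $doc->xpath('/cas:serviceResponse/cas:authenticationSuccess/cas:user');
    if (empty($nodes)) {
        return FALSE;
    }
    $user = trim((string) $nodes[0]);
    return ($user !== '') ? $user : FALSE;
}

/* Validate $ticket over TLS against the CAS server; returns the username or FALSE. */
function casValidateTicket($casBase, $serviceUrl, $ticket, $caCertFile) {
    // Tickets are opaque "ST-..." strings; reject anything else before it reaches a URL.
    if (!preg_match('/^ST-[A-Za-z0-9._-]+$/', $ticket)) {
        return FALSE;
    }
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'      => TRUE,
        'verify_peer_name' => TRUE,
        'cafile'           => $caCertFile,    // the CAS server's CA, pinned (assumed parameter)
    )));
    $xml = @file_get_contents(casValidateUrl($casBase, $serviceUrl, $ticket), FALSE, $ctx);
    return ($xml === FALSE) ? FALSE : casParseValidation($xml);
}

/* Constructed responses in the shapes a CAS server sends for a good and a bad ticket. */
$success = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    . '<cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>'
    . '</cas:serviceResponse>';
$failure = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    . '<cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>'
    . '</cas:serviceResponse>';

var_dump(casParseValidation($success));   // the username Typo3 may now look up in fe_users
var_dump(casParseValidation($failure));   // a failure response never yields a name
var_dump(casLoginUrl('https://cas.example.org:8443/cas',
    'http://typo3_url/index.php?id=alias&submit=Login&logintype=login'));
```

The point to take away: nothing in the GET variables of the login-check page identifies the user. The name is only trusted once the CAS server, over a verified TLS connection, has confirmed the ticket for exactly that service URL.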

2 thoughts on “CAS and Typo3 (II)”

  1. I’m wondering why I can’t find the extension “cas_auth” in TER? Nevertheless, thanks for sharing this guide to integrate T3 into this single sign-on solution.

        polarizers 2 cent

      2. Pingback: My blog at Igalia » After a long time
