Cas.net is an HTTP module that allows any ASP.NET application to authenticate to a CAS server. We use this module as an authentication provider for Windows SharePoint Services. I think that it should work for MOSS 2007 and OWA too.
The authentication mechanism is transparent to the application, which in return gets a standard .NET user object. So in the application the user login is available through the User.Identity.Name property.
In this version, the call to the CAS server is made only on the first call. Afterwards, authentication relies on the standard .NET authentication mechanism.
Installation
The module is a DLL that can be downloaded from https://sourcesup.cru.fr/projects/cas4net, and the installation is quite simple.
ASP.NET application
Just drop casModule.dll in the BIN folder of the root directory of the application and add the following to the web.config file in the root directory
    <appSettings>
        <add key="loginUrl" value="https://cas.server/login" />
        <add key="validateUrl" value="https://cas.server/serviceValidate" />
        <add key="logoutUrl" value="https://cas.server/logout" />
    </appSettings>
to indicate the CAS URLs, and
    <system.web>
        ...
        <httpModules>
            <add name="CasModule" type="Upmc.CasModule.CasModule, CasModule"/>
        </httpModules>
        ...
    </system.web>
an httpModules tag to declare the module.
Last, you have to disable any default authentication in ASP.NET by setting the authentication mode to None in the <system.web> section:
    <authentication mode="None">
    </authentication>
    <authorization>
        <allow users="*"/>
    </authorization>
As every request is intercepted by the module, only authenticated users gain access to the application. Of course you also have to deal with authorization; here every authenticated user is allowed to use the application.
For IIS 7, the configuration file is slightly different for the module part, so it is better to use the new IIS Manager UI to get the job done. Add the module in the module configuration, add the application settings in the application settings, and disable all authentication modules except anonymous.
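To show what the loginUrl and validateUrl settings are for, the following C# sketch walks the CAS 2.0 exchange that a module of this kind performs: redirect the browser to loginUrl, then check the returned ticket against validateUrl and read the user name. It is an added example, not code from casModule.dll; the class and method names, the service URL and the ticket value are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

// Added illustration of the CAS 2.0 exchange; not the source of casModule.dll.
public static class CasExchangeSketch
{
    const string CasNs = "http://www.yale.edu/tp/cas"; // CAS 2.0 response namespace

    // Where an unauthenticated browser is sent (the loginUrl setting).
    public static string LoginRedirect(string loginUrl, string service) =>
        loginUrl + "?service=" + Uri.EscapeDataString(service);

    // What the server fetches to check the ticket (the validateUrl setting).
    public static string ValidateRequest(string validateUrl, string service, string ticket) =>
        validateUrl + "?service=" + Uri.EscapeDataString(service)
                    + "&ticket=" + Uri.EscapeDataString(ticket);

    // Returns the user name, or null if the reply is malformed, has a DTD, or is a failure.
    public static string ParseUser(string responseXml)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var doc = new XmlDocument { XmlResolver = null };
        try
        {
            using (var reader = XmlReader.Create(new StringReader(responseXml), settings))
                doc.Load(reader);
        }
        catch (XmlException) { return null; }
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("cas", CasNs);
        var user = doc.SelectSingleNode("/cas:serviceResponse/cas:authenticationSuccess/cas:user", ns);
        var name = user == null ? "" : user.InnerText.Trim();
        return name.Length == 0 ? null : name;
    }

    public static void Main()
    {
        // Constructed sample values; cas.server is the placeholder host used on this page.
        const string service = "https://app.example/default.aspx";
        Console.WriteLine(LoginRedirect("https://cas.server/login", service));
        Console.WriteLine(ValidateRequest("https://cas.server/serviceValidate", service, "ST-1-constructed"));
        string ok = "<cas:serviceResponse xmlns:cas='" + CasNs + "'><cas:authenticationSuccess>"
                  + "<cas:user>jdoe</cas:user></cas:authenticationSuccess></cas:serviceResponse>";
        string bad = "<cas:serviceResponse xmlns:cas='" + CasNs + "'><cas:authenticationFailure "
                   + "code='INVALID_TICKET'>not recognized</cas:authenticationFailure></cas:serviceResponse>";
        Console.WriteLine(ParseUser(ok) ?? "(rejected)");
        Console.WriteLine(ParseUser(bad) ?? "(rejected)");
    }
}
```

The service value sent to validateUrl has to be the same one used in the login redirect, and only an authenticationSuccess element is treated as a login.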
Windows SharePoint Services 3
As Windows SharePoint Services version 3 (WSS 3) is based on the .NET framework, this module can be used as an authentication provider. This should also be true for Microsoft Office SharePoint Server 2007 (MOSS 2007), but I have not tried it yet.
The installation is as easy as for a standard ASP.NET application; the configuration is a little more intricate because of the security configuration.
1. Copy casModule.dll into the bin folder of the SharePoint site collection, then do the following in the web.config file.
2. Add the CAS server location in the appSettings tag
    <appSettings>
        <add key="loginUrl" value="https://cas.server/login" />
        <add key="validateUrl" value="https://cas.server/serviceValidate" />
        <add key="logoutUrl" value="https://cas.server/logout" />
    </appSettings>
3. Declare the module
    <system.web>
        ...
        <httpModules>
            <clear />
            <add name="SPRequest" type="Microsoft.SharePoint.ApplicationRuntime.SPRequestModule, Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
            <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
            <add name="CasModule" type="Upmc.CasModule.CasModule, CasModule" />
            <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
            <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
            <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
            <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
            <!-- <add name="Session" type="System.Web.SessionState.SessionStateModule"/> -->
        </httpModules>
        ...
    </system.web>
4. Modify the security policy to enable the module
The policy file to modify depends on the SharePoint trust level declared in this tag
    <trust level="WSS_Medium" originUrl="" />
and the location of the policy file is declared in
    <securityPolicy>
        <trustLevel name="WSS_Medium" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_mediumtrust.config" />
        <trustLevel name="WSS_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_minimaltrust.config" />
    </securityPolicy>
In the security policy file, add the following in the first CodeGroup tag
    <CodeGroup
        class="UnionCodeGroup"
        version="1"
        PermissionSetName="FullTrust">
        <IMembershipCondition
            class="UrlMembershipCondition"
            version="1"
            Url="$AppDirUrl$/bin/casModule.dll"
        />
    </CodeGroup>
5. As the last step, modify the site collection configuration to enable SSO and add a membership provider through the SharePoint administration site.
To be done
Some more work and testing should be done in order to:
- have a nice 500 error if the CAS server is down on validation.
- add an optional sliding time to live for the authentication check
- handle the CAS logout protocol
I am also planning to rapidly test this module in an IIS 7 authentication pipeline. I have no idea yet how to handle the user ID in the application.
And of course, your other feedback.
And for French speakers, you can read my article on techHeadBrothers.com
Jean Marie