Cas.net is an HTTP module that allows any ASP.NET application to authenticate against a CAS server. We use this module as an authentication provider for Windows SharePoint Services. I think that it should work for MOSS 2007 and OWA too.
The authentication mechanism is transparent to the application, which in return gets a standard .NET user object. So in the application the user login is available through the User.Identity.Name property.
In this version, the call to the CAS server is made only on the first request. Afterwards, authentication relies on the standard .NET authentication mechanism.
Installation
The module is a DLL that can be downloaded here https://sourcesup.cru.fr/projects/cas.net and the installation is quite simple.
ASP.NET application
Just drop casModule.dll in the root directory of the application and add the following to the web.config file
<appSettings>
  <add key="loginUrl" value="https://cas.server/login" />
  <add key="validateUrl" value="https://cas.server/serviceValidate" />
  <add key="logoutUrl" value="https://cas.server/logout" />
</appSettings>
to indicate the CAS URLs, and
<system.web>
  ...
  <httpModules>
    <add name="CasModule" type="Upmc.CasModule.CasModule, CasModule"/>
  </httpModules>
  ...
</system.web>
an httpModules tag to declare the module.
It is not even necessary to declare an authentication tag in the config file. As every request is intercepted by the module, only authenticated users gain access to the application.
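As an added illustration of the first-request flow described above (redirect to loginUrl, server-side ticket validation against validateUrl, then hand-over to standard .NET authentication), here is a minimal module that reads the same appSettings keys as the web.config fragment. It is not the Cas.net module's own source; the class and method names are hypothetical and the CAS 2.0 XML response namespace is assumed.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Xml;

public class CasExampleModule : IHttpModule // hypothetical illustration, not the Cas.net source
{
    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticateRequest; }
    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // A forms-auth cookie from an earlier request is enough: CAS is contacted only on the first call.
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated) return;
        // Same appSettings keys as the web.config fragment above.
        string loginUrl = ConfigurationManager.AppSettings["loginUrl"];
        string validateUrl = ConfigurationManager.AppSettings["validateUrl"];
        // The service URL given to /login must equal the one given to /serviceValidate, so strip the ticket first.
        string ticket = ctx.Request.QueryString["ticket"];
        var query = HttpUtility.ParseQueryString(ctx.Request.Url.Query);
        query.Remove("ticket");
        string service = new UriBuilder(ctx.Request.Url) { Query = query.ToString() }.Uri.AbsoluteUri;
        if (string.IsNullOrEmpty(ticket))
        {   // No ticket yet: send the browser to CAS, which returns it to `service` with ?ticket=ST-...
            ctx.Response.Redirect(loginUrl + "?service=" + HttpUtility.UrlEncode(service), true);
            return;
        }
        string user = ValidateTicket(validateUrl, service, ticket);
        if (user == null) { ctx.Response.StatusCode = 403; ctx.Response.End(); return; }
        // Hand the identity to standard .NET forms authentication; later requests never touch CAS.
        FormsAuthentication.SetAuthCookie(user, false);
        ctx.User = new GenericPrincipal(new GenericIdentity(user, "CAS"), new string[0]);
    }

    // Server-to-server validation of the ticket against /serviceValidate (CAS 2.0 XML response).
    private static string ValidateTicket(string validateUrl, string service, string ticket)
    {
        string url = validateUrl + "?service=" + HttpUtility.UrlEncode(service) + "&ticket=" + HttpUtility.UrlEncode(ticket);
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(new WebClient().DownloadString(url)); // a WebException here (CAS server down) surfaces as a 500
        XmlNamespaceManager ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("cas", "http://www.yale.edu/tp/cas");
        XmlNode u = doc.SelectSingleNode("/cas:serviceResponse/cas:authenticationSuccess/cas:user", ns);
        return u == null ? null : u.InnerText; // null on cas:authenticationFailure
    }
}
```

The ticket is only ever accepted after the module itself has asked the CAS server to confirm it; nothing from the browser's query string is trusted directly.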
Windows Sharepoint Services 3
As Windows SharePoint Services version 3 (WSS 3) is based on the .NET framework, this module can be used as an authentication provider. This should also be true for Microsoft Office SharePoint Server 2007 (MOSS 2007), but I have not tried it yet.
The installation is as easy as for a standard ASP.NET application; the configuration is a little more intricate because of the security configuration.
1. Copy casModule.dll into the bin folder of the SharePoint site collection, then make the following changes to its web.config file.
2. Add the CAS server location in the appSettings tag
<appSettings>
  <add key="loginUrl" value="https://cas.server/login" />
  <add key="validateUrl" value="https://cas.server/serviceValidate" />
  <add key="logoutUrl" value="https://cas.server/logout" />
</appSettings>
3. Declare the module
<system.web>
  ...
  <httpModules>
    <clear />
    <add name="SPRequest" type="Microsoft.SharePoint.ApplicationRuntime.SPRequestModule, Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
    <add name="CasModule" type="Upmc.CasModule.CasModule, CasModule" />
    <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
    <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
    <!-- <add name="Session" type="System.Web.SessionState.SessionStateModule"/> -->
  </httpModules>
  ...
</system.web>
4. Modify the security policy to enable the module
The policy file to modify depends on the SharePoint trust level, declared in this tag
<trust level="WSS_Medium" originUrl="" />
and the location of the policy file is declared in
<securityPolicy>
  <trustLevel name="WSS_Medium" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_mediumtrust.config" />
  <trustLevel name="WSS_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_minimaltrust.config" />
</securityPolicy>
In the policy file, add the following in the first CodeGroup tag
<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
  <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/bin/casModule.dll" />
</CodeGroup>
5. Last step: modify the site collection configuration to enable SSO and add a membership provider through the SharePoint administration site.
To be done
Some more work and testing should be done in order to:
- return a nice 500 error if the CAS server is down during validation.
- add an optional sliding time-to-live for the authentication check
- handle the CAS logout protocol
I am also planning to rapidly test this module in an IIS 7 authentication pipeline. I have no idea yet how to handle the user id in the application.
And of course, your feedback.
And for French readers, you can read my article on techHeadBrothers.com
Jean Marie