phpCAS examples

The phpCAS library provides a simple API for authenticating users against a CAS server. phpCAS is configured using the static API methods such as phpCAS::client() and phpCAS::setCasServerCACert(). After phpCAS has been configured, a call to phpCAS::forceAuthentication() executes the login process if the current user is not already authenticated, redirecting out to the CAS server's login page. After phpCAS::forceAuthentication() has been called, the current user's id is accessible via phpCAS::getUser().

The examples below show a variety of ways to use the phpCAS library. All examples can be found in the distribution packages and can be downloaded from the Examples directory in source control.

A simple CAS client

In its simplest form, phpCAS is used as a CAS client.

simple example source code

Run-time behaviour configuration

When setting up a CAS proxy client, some runtime behaviour can be easily configured.

Language

Setting the language for error pages or notifications

Language example source code

HTML output

Changing the html style of error pages and notifications

HTML example source code

A CAS proxy

phpCAS can also make a PHP script act as a CAS proxy client. The phpCAS client gets a proxy ticket from the CAS server and uses it to call external services in your name. The proxy client supports cookies and can be used for sessions, etc.

A CAS proxy using serviceWeb()

Example proxy serviceWeb source code

A CAS proxied service

An example service (also CAS client) to be called from the example_proxy_serviceWeb. This example also uses the session for a simple counter.

example service source code

CAS proxies can be chained

A CAS proxy client can also be proxied itself.

Example chained proxy source code

The ProxiedService system

As of phpCAS 1.2.2, new ProxiedService classes are available that provide access to making proxy-authenticated requests via HTTP GET, HTTP POST, IMAP, and in the future SOAP, XML RPC, etc.

CAS_ProxiedService_Http_Get

The HTTP GET Proxied Service is equivalent to serviceWeb(), but provides an exception-based API.

example_proxy_GET source code

example service source code

CAS_ProxiedService_Http_Post

The HTTP POST Proxied Service allows clients to make proxy-authenticated POST requests.

example_proxy_POST source code

example_service_POST source code

CAS_ProxiedService_Imap

The IMAP Proxied Service is equivalent to serviceMail(), but provides an exception-based API.

Clients should use the following CAS_ProxiedService_Imap methods:

  • setServiceUrl ($url) - Set the URL of the service to pass to CAS for proxy-ticket retrieval.
  • setMailbox ($mailbox) - Set the mailbox to open. See the $mailbox parameter of imap_open().
  • setOptions ($options) - Set the options for opening the stream. See the $options parameter of imap_open().
  • open () - Open the IMAP stream (similar to imap_open()).

PGT storage configuration

Proxy functionality requires storing Proxy Granting Tickets (PGT). Where they are stored can be configured.

Onto the filesystem

example file storage source code

Advanced features

Only check authentication (gateway)

phpCAS can use the CAS gateway feature (see http://www.ja-sig.org/wiki/display/CAS/gateway).

example gateway source code

Handle logout requests from the CAS server

Support for central logout (Single Sign Out) was added in release 1.0.0.

phpCAS::handleLogoutRequests();

By default, phpCAS only handles logout requests that emanate from the CAS host (declared in phpCAS::client() or phpCAS::proxy()). Failure to restrict SAML logout requests to authorized hosts could allow denial of service attacks where at the least the server is tied up parsing bogus XML messages.

To disable access control on logout requests, use: 

phpCAS::handleLogoutRequests(false);

The hosts allowed to send logout requests can also be passed in an array, which might be useful with clustered CAS servers:

phpCAS::handleLogoutRequests(true, array("server1.domain.edu", "server2.domain.edu"));

example single sign out source code
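
The client setup and logout-request handling described above, combined into one page. This is an added example, not code from the phpCAS distribution; the CAS host name, CA certificate path and the include of CAS.php are assumptions, and the two logout hosts are the sample names used above.

```php
<?php
// Added example (not from the phpCAS distribution).
// Assumes CAS.php is on the include path; all host names and paths below are placeholders.
require_once 'CAS.php';

// Hypothetical deployment values.
$casHost    = 'cas.domain.edu';            // CAS host that users are redirected to
$casPort    = 443;
$casContext = '/cas';
$casCaCert  = '/etc/ssl/certs/cas-ca.pem'; // CA chain that signed the CAS server certificate

// Hosts allowed to send logout requests, e.g. the individual nodes of a clustered CAS.
$casLogoutHosts = array('server1.domain.edu', 'server2.domain.edu');

// Four-argument form used by older releases. phpCAS 1.6.0 and later also require
// this application's service base URL as a fifth argument.
phpCAS::client(CAS_VERSION_2_0, $casHost, $casPort, $casContext);

// Verify the CAS server's certificate when phpCAS contacts it to validate tickets.
phpCAS::setCasServerCACert($casCaCert);

// Weak setting, shown for contrast only: accepts logout requests from any host,
// so anyone who can reach this page can make the server parse logout XML.
//   phpCAS::handleLogoutRequests(false);

// Corrected setting: only the listed hosts may send logout requests.
// Call this before forceAuthentication() so a logout request sent by the CAS
// server is processed instead of being treated as an unauthenticated visit.
phpCAS::handleLogoutRequests(true, $casLogoutHosts);

// Redirects to the CAS login page unless the user is already authenticated.
phpCAS::forceAuthentication();

// From here on the request belongs to an authenticated user.
$user = phpCAS::getUser();

header('Content-Type: text/plain; charset=utf-8');
echo 'Authenticated as ' . $user . "\n";
```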

SAML Protocol with Attribute Release

An advanced example using the SAML protocol with attribute release and single logout.

example advanced SAML source code

Custom validation URLs

The following example shows how to configure a non-standard URL for ticket validation. This feature is supported in phpCAS since version 1.1.0RC2. The validation URLs can be set for service, proxy and SAML validation.

example custom url source code