-1

What I want

For various reasons, I'd like to see the following authentication procedure work:

  • go to moodle.blah.bla
  • Apache asks for your login information via mod_auth_cas
  • Once authenticated, Apache sends you to moodle.blah.bla/login/index.php?authCAS=CAS
  • Moodle then sends you to your CAS server which is already authenticated
  • CAS sends you back to moodle as an authenticated user.

What I have

Currently I have confirmed that mod_auth_cas does authenticate my user. I also have successfully authenticated Moodle using their CAS plugin.

The problem

Where I am stuck is putting the two things together.

First, once mod_auth_cas authenticates you, I'm not sure how to send the user on to the correct Moodle url.

Second, when I manually browse to the Moodle CAS auth link, it ends up sending me into a redirect loop.

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

And Chromium:

ERR_TOO_MANY_REDIRECTS

My thoughts on the problem

For the first issue, I would think that I'd want to redirect only when a specific header is set. Except that I think the header would stick around until the end of the session, thus triggering a redirect for every single page...

For the second issue, is the ticket from mod_auth_cas getting invalidated and thus apache is trying to send me back to the cas server? Even though we just came from there... Which would be a redirect loop.

Any other suggestions on how to get this working?

Server config and specs

My server is running:

In my vhost:

CASValidateServer Off
CASLoginURL https://casserver/cas/login
CASValidateURL https://casserver/cas/serviceValidate
<LocationMatch "/.*">
    AuthType CAS
    require valid-user
</LocationMatch>

Moodle is configured to use CAS 2.0.

The CAS server is running 4.x.

David R.

2 Answers

0

Stop trying to use mod_auth_cas with Moodle. Use the CAS plugin in Moodle on its own.

Why are you trying to put the two things together? Moodle's own CAS plugin is quite sufficient on its own.

I believe that when you have mod_auth_cas and Moodle's CAS, the CAS parameters get used by mod_auth_cas and are either unavailable to Moodle's CAS or have already been used by mod_auth_cas. Since CAS tokens are single-use, either case would mean that Moodle's CAS has no chance of working.

If you can disable mod_auth_cas for /login/index.php?authCAS=CAS.*, you might be able to make this work. Getting that <LocationMatch ...> to match everything except the relevant Moodle AuthCAS=CAS URLs is a bit beyond what I want to figure out right now, though.

Another possibility is CASGateway /login/ to tell mod_auth_cas to allow anonymous access to the /login/ directory (so that Moodle's CAS might be able to take over in there). I think that works by directories, not URLs, but if that works you could try CASGateway /login/index.php?authCAS=CAS to limit it further.

freiheit
  • Like I said, for various reasons. They're too long to get into in comments, and not relevant to the actual question. I certainly would rather only use Moodle's plugin. But for my purposes, that's not enough. – David R. Aug 06 '15 at 16:41
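The single-use-ticket explanation in the answer above, as a toy model (an added example, not code from the original posts and not the implementation of mod_auth_cas, Moodle or CAS). `ToyCas`, `browse` and the assumption that the Apache layer validates every ticket before Moodle sees it are constructed for illustration.

```python
import itertools

class ToyCas:
    """Constructed stand-in for a CAS server; the browser already holds an SSO session."""
    def __init__(self):
        self._issued = set()
        self._seq = itertools.count(1)

    def login(self):
        """Issue a fresh service ticket, as happens on each redirect back to the service."""
        ticket = f"ST-{next(self._seq)}"
        self._issued.add(ticket)
        return ticket

    def validate(self, ticket):
        """Single use: the first validation succeeds and burns the ticket."""
        if ticket in self._issued:
            self._issued.remove(ticket)
            return True
        return False

def browse(apache_guards_login, max_redirects=10):
    """Request /login/index.php?authCAS=CAS and follow redirects.

    Returns (outcome, redirects_followed). apache_guards_login=True models the
    vhost from the question, where the Apache layer covers every URL.
    """
    cas, apache_session, ticket = ToyCas(), False, None
    for redirects in range(max_redirects + 1):
        if apache_guards_login:
            if ticket is not None and cas.validate(ticket):
                apache_session = True   # assumption: Apache layer consumes the ticket first
            elif not apache_session:
                ticket = cas.login()    # Apache layer sends the browser to CAS
                continue
        # Moodle's CAS plugin only runs once the Apache layer lets the request through.
        if ticket is not None and cas.validate(ticket):
            return "logged_in", redirects
        ticket = cas.login()            # Moodle sends the browser to CAS for a ticket
    return "redirect_loop", max_redirects

if __name__ == "__main__":
    print("Apache guards login URL:", browse(apache_guards_login=True))
    print("Login URL excluded:     ", browse(apache_guards_login=False))
```

In this model the loop disappears only when the Moodle CAS login URL is left out of the Apache-level check, which is the exclusion the answer suggests.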
0

You might check mod_lua since it permits writing login hooks in the Lua language. That might give you a way to programmatically add what is missing.

Darko Miletic