This module provides single sign-on capability for your Drupal site by implementing the CAS protocol.

When using this module, local Drupal user accounts are still used, but the authentication process is not handled by Drupal's standard login form. Instead, users are redirected to your institution's CAS server to collect credentials. Your Drupal site just receives the username (and optionally some other attributes) from the CAS server after a successful authentication.

This module does not allow your site to act as a CAS server for other websites. There is a separate module that provides that support.

Here are some features of this module:

  • Supports integration with CAS servers that implement protocol version 1.x, 2.x, 3.x.
  • Optionally automatically register users that log in via CAS for the first time.
  • Optionally force anonymous users to authenticate via CAS for a specific set of pages by path.
  • Optionally configure Drupal's log out behavior to also end a user's CAS session.
  • Optionally use your Drupal site as a CAS proxy, allowing you to authenticate to other services on behalf of the user.
  • Optionally assign roles and field values to user accounts based on CAS attributes using the CAS Attributes module.
  • For developers, there are many events you can subscribe to in a custom module to influence the behavior of the login process.

Installation & Versions

Please refer to the README file for specific installation and configuration instructions.

  • 3.0.x supports Drupal 10.3.x, 10.4.x, 11.0.x and 11.1.x versions
  • The 8.x-1.x, 2.0.x, 2.1.x, 2.2.x, 2.3.x branches no longer receive updates.

Updating to CAS 3.0

  • While still on Drupal 10, update your site to CAS 2.3.2. This is very important because starting with CAS 3.0.0, old (post)update functions are removed.
  • Require drupal/cas:^3.0 with Composer
  • If you have custom code that interacts with the CAS module, you may need to make some updates. There are some small backwards-incompatible changes that require your attention:
    • The type of the value returned by CasLoginException::getCode() was changed from integer to an enum of type CasLoginExceptionType. If your code calls this method, you should adapt it. If you still need the integer value, you can do something like:
      <?php
      $codes = CasLoginExceptionType::cases();
      $code = array_search($exception->getCode(), $codes, TRUE);
      ?>
    • The parameter of CasUserManager::getCasUsernameForAccount() is now strictly typed as integer. Make sure you cast the parameter to an integer before it is passed to the method:
      <?php
      $account = ...;
      $uid = (int) $account->id();
      $name = \Drupal::service('cas.user_manager')->getCasUsernameForAccount($uid);
      ?>
    • The CasServerConfig::setProtocolVersion() setter now accepts a CasProtocolVersion enum case as parameter instead of a string. Likewise, the CasServerConfig::getProtocolVersion() getter now returns a CasProtocolVersion enum case instead of a string. If needed, get the server version as a legacy string: CasServerConfig::getProtocolVersion()->value.
    • The CasServerConfig::setHttpScheme() setter now accepts a HttpScheme enum case as parameter instead of a string. Likewise, the CasServerConfig::getHttpScheme() getter now returns a HttpScheme enum case instead of a string. If needed, get the HTTP scheme as a legacy string: CasServerConfig::getHttpScheme()->value.
    • The CasServerConfig::setVerify() setter now accepts a SslCertificateVerification enum case as parameter instead of an integer. Likewise, the CasServerConfig::getVerify() getter now returns a SslCertificateVerification enum case instead of an integer. If needed, get the certificate verification scheme as a legacy integer: CasServerConfig::getVerify()->value.
  • You can now update your site to Drupal 11.
  • After updating to CAS 3.0, prepare for the next CAS version by replacing the deprecated code. Check https://www.drupal.org/node/3462792 to learn what is deprecated in CAS 3.0 and adapt your code.

Security Note

It's critical that you ensure your site is not vulnerable to Host header injection attacks. There is documentation on how to protect against such attacks.
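
The following is an added example, not code from the CAS module or its documentation. It shows Drupal's `trusted_host_patterns` setting, which restricts the Host header values Drupal accepts when it builds absolute URLs, together with a hypothetical helper, `host_is_trusted()`, for checking that the patterns are anchored. The host names are placeholders and the sample Host values are constructed.

```php
<?php
// This assignment is what belongs in settings.php. Each entry is a regular
// expression; www.example.org and example.org are placeholders for the
// site's real host names.
$settings['trusted_host_patterns'] = [
  '^www\.example\.org$',
  '^example\.org$',
];

// Hypothetical helper (not part of Drupal or the CAS module) for checking
// patterns before deploying them. It assumes the patterns are applied as
// case-insensitive regular expressions against the request's host name.
function host_is_trusted(string $host, array $patterns): bool {
  foreach ($patterns as $pattern) {
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

// Weak variant for comparison: without ^ and $ the pattern matches any
// host name that merely contains "example.org".
$unanchored = ['example\.org'];

// Constructed sample Host header values.
$samples = [
  'www.example.org',
  'EXAMPLE.org',
  'www.example.org.invalid',
  'other.invalid',
];

foreach ($samples as $host) {
  printf(
    "%-26s anchored=%-3s unanchored=%s\n",
    $host,
    host_is_trusted($host, $settings['trusted_host_patterns']) ? 'yes' : 'no',
    host_is_trusted($host, $unanchored) ? 'yes' : 'no'
  );
}
```

Any host that the unanchored column accepts but the anchored column rejects marks a pattern that needs `^` and `$`.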

Dependencies

The light-weight External Auth module is required as it facilitates the mapping of CAS usernames to Drupal usernames.

CAS Attributes

Many CAS servers expose a set of attributes (e.g. email, name, etc) for each user during the login process. This module does not use these attributes by default, aside from specifying which attribute to pull a user's email from during auto-registration. To make full use of these attributes, use the companion CAS Attributes module, which allows mapping these attributes to user fields, assigning roles based on the value of some attribute, and exposing these attributes as Drupal tokens for other uses like Webforms.

Short name
cas