- Issue created by @goose2000
- Status changed to Postponed: needs info
11 months ago 4:16am 9 January 2024
- 🇦🇺 Australia elc
By definition, Single Sign On should not require users to enter their login information more than once. If they are being forced to do so, it may well be a configuration error.
Using the gateway feature on the CAS module (not CAS Server) should redirect users to the automatic CAS Server login, but the users do explicitly need to take this step if the automated redirect did show them logged in already.
Each new service (site) visited will require returning to the CAS Server to authenticate against the CAS Server for that given service. If the user is logged in using SSO this will be transparent and automatic already. They should not be logging in to the original service site, but instead being redirected to the caslogin on the CAS server.
Please provide step by step instructions on how to reproduce the situation you are trying to avoid.
- 🇺🇸 United States goose2000
I think I'm understanding this a bit more now:
"Each new service (site) visited will require returning to the CAS Server to authenticate against the CAS Server for that given service. If the user is logged in using SSO this will be transparent and automatic already. They should not be logging in to the original service site, but instead being redirected to the caslogin on the CAS server."
To start with, users at my Drupal site have logged on using Drupal. Not CAS Server. So when they navigate to the Moodle site (a service site), they have the option to login with CAS (this part I could eliminate by only allowing CAS login, less choices), and this then directs them to the Drupal login page, to login using the CAS Server.
"If the user is logged in using SSO this will be transparent and automatic already."
But they are not, they only have a Drupal login session established. So they then login at the form, and it works fine, redirects them to their Moodle destination.
So I'm wondering, should I set up a CAS Server site 1st (just for authentication) and then set up a 2nd Drupal site as a CAS service site along with the Moodle CAS service site?
    Drupal CAS Server
            |
           / \
      Drupal  Moodle
I made a quick video of my current configuration / login process:
- Status changed to Active
10 months ago 3:56am 16 January 2024
- 🇦🇺 Australia elc
Looking at your video, I'm not entirely sure why you're being asked to log in twice - do you have a service configured and SSO turned on for it? Once you're logged into the CAS Server Drupal site, you should not be asked to log in again. The user you are using is a CAS user? You're not accidentally logging into two different accounts?
It shouldn't be necessary, but you could try logging into cas/login first to ensure you do have an SSO session (and make sure the service from Moodle is set up for it too).
The site stopping at the cas login on your return from Moodle means that you don't have an SSO when you arrive back there. It should be bouncing you back to the service immediately if you have an SSO session active, so clearly something is mis-configured or you're not keeping your cookie, or some other thing.
I know Moodle isn't Drupal (duh), but the CAS module for Drupal sites has an automatic gateway feature that if similarly implemented on Moodle would mean you also don't need to click "log into cas" on the Moodle site. A quick search would indicate that adding "gateway=true" to the link, or slightly modifying the code to ensure gateway is sent? Apparently it uses phpCAS which does have gateway capabilities. Very much out of scope here.
Changing this to support request because the feature you are asking for actually exists and should be working - not quite auto-submit, but it should be auto-confirming your SSO session and passing you back transparently to the end user.
- 🇦🇺 Australia elc
Haven't heard back, but going to assume you figured it out and will be marking fixed in next week.
The most important part for an already logged in user to not be prompted for credentials again is including the "gateway=true" parameter alongside the service parameter when calling "cas/login".
- 🇺🇸 United States goose2000
Hi ELC - was away and sick.
Yes! This is what I discovered about logging on to Drupal - using the "cas/login" path. When I did this, my user passed right on into Moodle (yes, it was properly configured to work with CAS server) without a hitch.
So, I think this basically is a support request too. I will check about the "gateway=true".
Not that you need care but I'm using this authentication plugin for the Moodle side:
CAS server (SSO) with user-attribute release
https://moodle.org/plugins/auth_casattras/
It works well with this module, able to map attributes (first, last, city, phone)
It dawns on me I will need to make "cas/login" my main path for logging on at the Drupal site. Not /user
Some simple re-direction should do it.
Thank you for hearing this.
- Status changed to Fixed
10 months ago 6:57am 31 January 2024
- 🇦🇺 Australia elc
I hope you're feeling better! Excellent news that you've fixed it, so I'll close this one off as fixed.
It should be noted that you don't need to bump your users over to the cas/login all the time, but it is necessary for the users to visit it as part of their use of SSO/CAS when trying to use the CAS Server to log into a service. There are timeouts involved too.
If users log in directly to "cas/login" (and the site is configured to grant TGT), users will be granted a Ticket Granting Ticket (TGT) with the configured timeout. Users would then need to navigate to the site they want to log into within that timeout, and get redirected back to the "cas/login" with the service url from the site they're trying to log into. That's not a particularly straightforward sequence of events.
The following user flows work well for my applications:
Also, here's the reference manual for the CAS protocol:
https://apereo.github.io/cas/6.6.x/protocol/CAS-Protocol.html
- Automatically closed - issue fixed for 2 weeks with no activity.
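
The "cas/login" behaviour discussed in this thread (the "gateway=true" parameter alongside the service parameter, and the TGT timeout), modelled as an added example that is not part of the original posts or of the CAS module's code. Host names, the timeout value and the registered-service allow-list are assumptions made for illustration; the gateway handling follows the CAS protocol specification linked above.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# All hosts and values below are constructed for illustration.
CAS_LOGIN = "https://sso.example.test/cas/login"
REGISTERED_ORIGINS = {("https", "moodle.example.test")}  # assumed allow-list
TGT_TIMEOUT = 3600  # seconds; stands in for the "configured timeout"


def build_login_url(service, gateway=False):
    """URL a service site sends the browser to when it wants a CAS login."""
    params = {"service": service}
    if gateway:
        params["gateway"] = "true"
    return CAS_LOGIN + "?" + urlencode(params)


def _with_ticket(service):
    """Append a one-time service ticket to the service URL."""
    parts = urlsplit(service)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("ticket", "ST-" + secrets.token_urlsafe(16)))
    return urlunsplit(parts._replace(query=urlencode(query)))


def handle_login(query, tgt_issued_at, now):
    """Decide what cas/login does; returns (action, location)."""
    service = query.get("service")
    gateway = query.get("gateway") == "true"
    if service is not None:
        parts = urlsplit(service)
        if (parts.scheme, parts.hostname) not in REGISTERED_ORIGINS:
            return ("reject", None)  # never redirect to an unknown service
    # A plain Drupal session (login via /user) carries no TGT: None here.
    has_sso = tgt_issued_at is not None and now - tgt_issued_at < TGT_TIMEOUT
    if has_sso and service:
        return ("redirect", _with_ticket(service))  # transparent SSO
    if has_sso:
        return ("logged_in", None)
    if gateway and service:
        return ("redirect", service)  # no ticket: the service decides what next
    return ("login_form", None)
```

Passing `tgt_issued_at=None` reproduces the situation reported in the issue: the user is logged in to Drupal but has no SSO session, so "cas/login" stops at the form unless gateway is set.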