Hello all,

Here are my findings for enabling SSO via CAS using web2py, IIS and
isapi-wsgi. My main question is a feature request, hopefully someone will
come up with an even simpler or smarter solution.

What I've done is create a simple CAS server application.
In a newly created application I've added the following to the model:

| auth.define_tables(username=True)
| ...
| auth.settings.cas_domains.append('domain')
| if request.env.get('remote_user','') != '':
|     auth.user = auth.get_or_create_user(dict(username=request.env['remote_user']))

So now I have an application that automatically logs on anyone who is
validated via IIS with integrated security. This requires a setup using
ISAPI-WSGI (1) behind IIS. I've done it with a wsgi server at the root.
Directory security for this IIS website is set to Integrated Windows
Authentication (and no anonymous access is allowed). Now I've altered the
setup script to add a virtual directory 'cas' to host the same web2py
server, and therefore also the same application, but allowed anonymous access
and set a domain user for anonymous access, with no integrated windows
authentication. So now I have the web2py application hosted in two places:
  1. server/application - which forces integrated security
  2. server/cas/application - which allows only anonymous access


Next up is the CAS client. So I've created another application that is a CAS
consumer, which typically runs on localhost, or anywhere for that matter. It
was set up using:

| my_cas_provider = 'http://server/application/default/user/cas'
| auth = Auth(db,cas_provider=my_cas_provider)

And this is where I missed a parameter, as you will see at a later stage.

Now, when a user logs in on this application using Chrome or IE he can
simply press the login button, and is redirected to the server where he is
automatically logged in using remote_user and is redirected back to the user
(without entering anything), only to see an error ticket on screen because the
validation of the CAS ticket can't be completed. That's because the server
(like wget) doesn't support NTLM or anything that fancy, so it can't reach
"server/application". My guess would be to set my_cas_provider to
'http://server/cas/application/default/user/cas', but then the user has to
enter credentials again instead of having SSO.

So I finally came up with this:

In the client *after* auth.define_tables(username=True) is called, add the
following:

| cas_check_url = auth.settings.login_form.cas_check_url
| cas_check_url = cas_check_url.replace('application','cas/application')
| auth.settings.login_form.cas_check_url = cas_check_url

Now, we have set the validate routine to use the anonymous enabled IIS
website to validate the ticket whereas the user simply uses the SSO based on
the integrated security. Best of both!
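The rewrite above works for this setup, but a plain string replace over the whole URL also touches the scheme and host. As an added example (not code from the original post or from web2py itself), here is a helper that inserts the anonymous-access virtual directory as the first path segment only, keeping the host intact, alongside a copy of the naive replace for comparison. The setting name auth.settings.login_form.cas_check_url comes from the post; the helper names, the 'cas' default and the sample host names are assumptions I constructed for illustration.

```python
"""Derive the server-to-server CAS ticket-validation URL from the
browser-facing CAS URL by prefixing the path with the anonymous-access
virtual directory ('cas' in the post), without touching scheme or host.
Added example; helper names and sample URLs are assumptions."""
from urllib.parse import urlsplit, urlunsplit


def anonymous_check_url(cas_url: str, anon_dir: str = "cas") -> str:
    """'http://host/app/x' -> 'http://host/cas/app/x' (path only).

    Idempotent: a URL already under the anonymous directory is returned
    unchanged, so the model can be re-executed safely on every request.
    """
    parts = urlsplit(cas_url)
    segments = [s for s in parts.path.split("/") if s]
    if segments and segments[0] == anon_dir:
        return cas_url
    new_path = "/" + "/".join([anon_dir] + segments)
    return urlunsplit((parts.scheme, parts.netloc, new_path, parts.query, parts.fragment))


def naive_check_url(cas_url: str, app: str = "application", anon_dir: str = "cas") -> str:
    """The post's one-line approach: replace every occurrence of the app name.

    Shown only to illustrate the failure mode: if the host name also
    contains the application name, the host is corrupted too.
    """
    return cas_url.replace(app, anon_dir + "/" + app)


def same_origin(url_a: str, url_b: str) -> bool:
    """Sanity check: ticket validation must go to the server that issued
    the ticket, i.e. the same scheme and host as the login URL."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


if __name__ == "__main__":
    # Constructed sample: the login URL from the post, with a query string
    # of the kind a CAS client sends when validating a service ticket.
    login_url = "http://server/application/default/user/cas?ticket=ST-example"
    check_url = anonymous_check_url(login_url)
    print(check_url)  # http://server/cas/application/default/user/cas?ticket=ST-example
    assert same_origin(login_url, check_url)
    # In the web2py client model this would be applied as (assumed usage):
    # auth.settings.login_form.cas_check_url = anonymous_check_url(
    #     auth.settings.login_form.cas_check_url)
```

The idempotence check matters in web2py because model files run on every request: applying the post's replace twice would produce 'cas/cas/application'.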

Best of all, now you can have Linux-based web2py servers with Windows SSO
using CAS.

Thanks Massimo and others for making this possible!

Now, my request is this: is there a smarter/easier way to do this, mostly
focussed on the order in which the settings in the model have to be made?
The login form is recreated using a CasAuth instance in the define_tables
method. Not something I thought was very intuitive.

I'm eager to see your opinions on this.


With kind regards,
Remco Boerma

(1) isapi-wsgi: http://code.google.com/p/isapi-wsgi/
