========================================================================MOD_AUTH_CAS 1.2 README========================================================================Apache CAS Authentication Module for the JASIG/Apereo CAS Server.========================================================================LICENSE========================================================================Licensed under the Apache License, Version 2.0 (the "License");you may not use this file except in compliance with the License.You may obtain a copy of the License athttps://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.========================================================================INTRODUCTION========================================================================The purpose of this module is to allow an Apache web server to interactwith an authentication server that conforms to the CAS version 1 or 2protocol or SAML protocol as used by the JASIG/Apereo CAS Server.At the time of this writing, the CAS protocol specification is here:https://apereo.github.io/cas/development/protocol/CAS-Protocol-Specification.html========================================================================Getting Started========================================================================--------------------------------------------------------------------Linux Distribution Packaging--------------------------------------------------------------------mod_auth_cas is available in most major Linux distributions, includingDebian, Ubuntu, Fedora, and is available from EPEL for CentOS and RHEL.--------------------------------------------------------------------Building from Source--------------------------------------------------------------------The following development libraries and utilities must be installed:* OpenSSL - 0.9.8c or higher* Apache Portable Runtime - 1.5.0 or higher* Apache Portable Runtime Utilities - 1.3.0 or higher* Apache Web Server - 2.4 or higher* libcurl - 7.18.2 or higher* libpcre2 - 10 or higherDownload the distribution via git or tarball.  Because git does notpreserve timestamps, autoconf may determine it is necessary to bootstrapthe project.  If building from source, please start with:autoreconf -ivfBuild is performed with the standard Autoconf incantation:./configure && make && sudo make installEdit your Apache configuration to load the mod_auth_cas module:LoadModule auth_cas_module /path/to/mod_auth_cas.soSet a few required parameters in your Apache configuration:CASCookiePath /var/cache/apache2/mod_auth_cas/CASLoginURLhttps://login.example.org/cas/loginCASValidateURLhttps://login.example.org/cas/serviceValidateProtect a "Location" or "Directory" block in your Apacheconfiguration:<Location /secured>AuthType CASRequire valid-user</Location>If attribute-based authorization is also desired, specify cas-attributename:value in your Require rule (please note: both attribute name and value arecase-sensitive):CASCookiePath /var/cache/apache2/mod_auth_cas/CASLoginURLhttps://login.example.org/cas/loginCASValidateURLhttps://login.example.org/cas/samlValidateCASValidateSAML On<Location /secured>AuthType CASRequire cas-attribute edupersonaffiliation:staff</Location>Both the CAS 2.0 and SAML 1.1 protocols support including additional attributesin the CAS validation response, which may also be added as HTTP headers (seeCASAttributePrefix and CASAttributeDelimiter). This example uses the SAMLprotocol and requires that the 'edupersonaffiliation' attribute is set to'staff'.========================================================================NEW FEATURES AND FUNCTIONS IN THIS RELEASE========================================================================* OpenSSL 1.1 support.* CASv2 attributes.* CASPreserveTicket, which allows tickets to pass through when a valid session exists.* CASGatewayCookieDomain, to set the gateway cookie domain.* Use a dynamic buffer to store the CAS validation response.* Various bug and documentation fixes.https://github.com/apereo/mod_auth_cas/milestone/6?closed=1========================================================================KNOWN ISSUES========================================================================* Autoconf does not work well on code freshly checked out of git.  Autoconf artifacts must be rebuilt using `autoreconf -ivf` .========================================================================KNOWN LIMITATIONS========================================================================These limitations are known to exists in this release of the software:* CAS Proxy Validation is not implemented in this version.* CAS Ticket Validation can only be performed over an SSL connection.  The CAS protocol does not explicitly require this, but to not do so  leaves this system open to a man-in-the-middle attack.* CAS single sign out is currently not functional and disabled.  It  is only safe to use in the case where all requests are GET and not  POST (the module inadvertently 'eats' some content of the POST  request while determining if it should process it as a SAML logout  request).* Reports of slow performance on some systems (particularly  virtual machines) have been reported.  This is related to the  entropy that is gathered when creating a session cookie for  the end user.  To combat this, there are 3 solutions.  The  first is to upgrade the version of the Apache Portable Runtime  on your system to >= 1.3.0.  In that version, entropy is gathered  from a nonblocking source.  The second method would be to install  a package such as rng-tools and feed random data from /dev/urandom  to /dev/random("-r /dev/urandom").  The  last way is to reduce  the size of the CASCookieEntropy setting, reducing the demand on  the pool.* Win32 support has been dropped (but not removed) due to lack of  development resources, and seemingly minimal community usage.  You are welcome to try it, but YMMV for success.========================================================================Configuration========================================================================First, you must tell Apache to load the module.  In your httpd.conf,add:LoadModule auth_cas_module /path/to/mod_auth_cas.soThen, in the location(s) you want to protect, use the followingdirective:AuthType CASBe sure to set authorization parameters in the locations youare protecting(e.g. 'require valid-user', 'require group foo')The following are valid configuration options and their default:Valid Server/VirtualHost Directives-----------------------------------Directive: CASVersionDefault:2Description:The version of the CAS protocol to adhere to (1 or 2).This affects whether Gateway mode is available and howthe CAS validation response is parsed.Directive: CASDebugDefault:OffDescription:Enable or disable debugging mode for troubleshooting.  Pleasenote that LogLevel must be set to Debug for the VirtualHost inorder for these logs to be visible.Directive:CASValidateDepthDefault:9Description:This directive will set the maximum depth for chained certificatevalidation.  The default (according to OpenSSL documentation) is 9.Directive: CASCertificatePathDefault:/etc/ssl/certs/Description:The path to the X509 certificate of the Certificate Authority forthe server in CASLoginURL and CASValidateURL.  This may be eithera file, or a directory containing the certificate files linked toby their hashed names.Directive: CASLoginURLDefault:NULLDescription:The URL to redirect users to when they attempt to access a CASprotected resource and do not have an existing session.  The'service', 'renew', and 'gateway' parameters will be appended tothis by mod_auth_cas if necessary.  Include 'http[s]://...'Directive: CASValidateURLDefault:NULLDescription:The URL to use when validating a ticket presented by a client inthe HTTP query string (ticket=...).  Must include 'https://' andmust be an HTTPS URL.Directive: CASProxyValidateURLDefault:NULLDescription:The URL to use when performing a proxy validation.  This is currentlyan unimplemented feature, so setting this will have no effect.Directive: CASRootProxiedAsDefault:NULLDescription:This URL represents the URL that end users may see in the event thataccess to this Apache server is proxied.  This will override theautomatic generation of service URLs and construct them using thisprefix.  As an example: If the site being protected ishttp://example.com/and the Apache instance of this server ishttp://internal.example.com:8080,setting CASRootProxiedAs tohttp://example.com would result in properservice parameter generation.Directive: CASCookiePathDefault:/dev/nullDescription:When users first authenticate to mod_auth_cas with a valid service ticket,a local session is established.  Information about this session (theusername, time of creation, last activity time, the resource initiallyrequested, and whether or not the credentials were renewed) is storedin this directory.  This location should be writable by the web server ONLY.Any user that can write to this location can falsify authentication informationby creating a fake data file.NOTE : Some distributions purge the contents of /tmp/ on a reboot, includinguser created directories.  This will prevent mod_auth_cas from storingcookie information until that directory is created.  To avoid this, tryusing a different location, such as /var/cache/apache2/mod_auth_cas/Directive: CASCookieEntropyDefault:32Description:When creating a local session, this many random bytes are used tocreate a unique session identifier.  Using large values for thisfield may result in delays when generating session IDs if notenough entropy is available.Directive: CASTimeoutDefault:7200 (2 hours)Description:This is the hard limit, in seconds, for a mod_auth_cas session (whetherit is idle or not).  When a session has reached this age and a newrequest is made, the user is redirected to the CASLoginURL toobtain a new service ticket.  When this new ticket is validated,they will be assigned a new mod_auth_cas session.  Set this value to '0'in order to allow a non-idle session to not expire.Directive: CASIdleTimeoutDefault:3600 (1 hour)Description:This is a limit, in seconds, of how long a mod_auth_cas session can be idle.When a request comes in, if it has been inactive for CASIdleTimeoutseconds, the user is redirected to the CASLoginURL to obtain a newservice ticket.Directive: CASCacheCleanIntervalDefault:1800 (30 minutes)Description:This is the minimum amount of time that must pass inbetween cachecleanings.  When a new ticket is issued, or when an expired sessionis presented, the time of the last cache clean is compared againstthis value.  If CASCacheCleanInterval seconds have passed since thelast cleaning, then all files in CASCookiePath are examined and ifthey have expired, they are removed.  This is merely to prevent thefile system from becoming excessively cluttered.Directive:CASCookieDomainDefault:NULLDescription:Specify the value for the 'Domain=' parameter in the Set-Cookie header.Directive:CASCookieSameSiteDefault:NULLDescription:Specify the value for the 'SameSite=' parameter in the Set-Cookie header.Allowed values are 'None', 'Lax', and 'Strict'.Directive:CASCookieHttpOnlyDefault:OnDescription:Set the optional 'HttpOnly' flag for cookies issues by mod_auth_cas.Set the HttpOnly flag as described in in RFC 6265.  This flag prevents themod_auth_cas cookies from being accessed by client side Javascript.Directive:CASCookieSecureDefault:AutoDescription:Set the optional 'Secure' attribute for cookies issued by mod_auth_cas.Set the Secure attribute as described in in RFC 6265. This flag prevents themod_auth_cas cookies from being sent over an unencrypted HTTP connection.By default, mod_auth_cas sets the 'Secure' attribute depending on information aboutthe connection (the 'Auto' option). The options 'On' and 'Off' can be used to overridethe automatic behaviour.Directive:CASAuthoritativeDefault:OffDescription:This directive determines whether an optional authorization directive(see 'Require cas-attribute') is authoritative and thus binding orif other authorization modules will also be applied.'On' means authoritative, 'Off' means not authoritative.NOTE: This directive is unavailable with Apache 2.4. See the RequireAny,RequireNone, and RequireAll directives instead.Directive:CASValidateSAMLDefault:OffDescription:If enabled, the response from the CAS Server will be parsed for SAMLattributes which will be associated with the user.  Requires settingCASValidateURL appropriately; typical URLs are of the formhttps://login.example.org/cas/samlValidate.Directive:CASAttributePrefixDefault:CAS_ (Apache < 2.4)CAS- (Apache 2.4)Description:The prefix to use when adding CAS or SAML attributes to the HTTP headers,which will be named <CASAttributePrefix><attr_name>.  CASAuthNHeadermust be set for this directive to be used.NOTE: In Apache 2.4 and newer, headers containing "invalid" characters(including underscores) are silently dropped, so you must set this toa "valid" name containing only alphabetic characters and hyphens.Directive:CASAttributeDelimiterDefault:,Description:mod_auth_cas will set the value of the attribute header (as describedin CASAttributePrefix) to <attrvalue><CASAttributeDelimiter><attrvalue>in the case of multiple attribute values.Directive:CASPreserveTicketDefault:OffDescription:This directive leaves CAS ticket parameters intact when a validsession cookie exists. This helps prevent infinite redirect loops whenCAS protection is being used at multiple levels.Directive:CASGatewayCookieDomainDefault:NULLDescription:Specify the value for the 'Domain=' parameter in the Set-Cookie headerwhen setting the CASGatewayCookie.Valid Directory/.htaccess Directives------------------------------------Directive:CASScopeDefault:OffDescription:Use this directive with an argument as a relative path (e.g. /application/) to specifythe scope for which a mod_auth_cas cookie is valid.  This is beneficial to preventadditional round trips to the CAS server.  Assume someone authenticates to /application/subdir/and then browses to /application/ - without CASScope set, each request would result ina round trip to the CAS server and a new cookie being created (one for each directory).CASScope would set one cookie, which will be presented on access to both directories.Note that if someone accessed /application/ and then /application/subdir/ this would notbe an issue, but that order of access can not be guaranteed.  To disable this feature,the special argument 'Off' will return to per-directory cookie paths for this directoryand subdirectories.Directive: CASRenewDefault:OffDescription:Use this directive with an argument as a relative path (e.g. /application/secure/forhttp://www.example.com/application/secure/*) to force a user to renew theircredentials when accessing that directory.  The argument MUST be a relative path.To disable this requirement, the special argument 'Off' will disable this requirementfor this directory and subdirectories.Directive: CASGatewayDefault:OffDescription:Use this directive with an argument as a relative path (e.g. /application/insecure/forhttp://www.example.com/application/insecure/*) to allow anonymous access to that directory.The argument MUST be a relative path. To disable this feature, the special argument 'Off'will reinstate the requirement for authentication.Directive: CASCookieDefault:MOD_AUTH_CASDescription:The name of the cookie used to store the session ID over HTTP connections.It should be changed if it will interfere with the application protectedby mod_auth_cas.Directive: CASSecureCookieDefault:MOD_AUTH_CAS_SDescription:The name of the cookie used to store the session ID over HTTPS connections.It should be changed if it will interfere with the application protectedby mod_auth_cas.Directive: CASGatewayCookieDefault:MOD_AUTH_CAS_GDescription:The name of the cookie used to store whether or not the user has attemptedto access this resource before.  It should be changed if it will interferewith the application protected by mod_auth_cas.Directive:CASAuthNHeaderDefault:NoneDescription:If enabled, this will store the user returned by CAS in the specifiedHTTP header accessible to your web applications, and any additionalattributes received in headers named according to CASAttributePrefix.This is in addition to the REMOTE_USER environment variable, which isalways set to the CAS user.Directive:CASSSOEnabledDefault:OffDescription:If enabled, this activates support for Single Sign Out within the CASprotocol.  Please note that this feature is currently experimental andmay mangle POST data.Directive:CASScrubRequestHeadersDefault:OffDescription:mod_auth_cas will strip request inbound request headers that may havespecial meaning, such as those set with the CASAttributePrefix or theCASAuthNHeader value.Directive:Require cas-attribute <attribute>:<value>Default:NULLDescription:Use this directive to authorize based on CAS or SAML attributesreturned via the session validation call. Multiple directivesare OR-ed. If directive is present with no attributes defined,the request is declined. If value has spaces, wrap the pair in quotes.See also CASAuthoritative.Directive:Require cas-attribute <attribute>~<value>Default:NULLDescription:Use this form of the directive to authorize based on CAS or SAMLattributes returned via the session validation call. Multipledirectives are OR-ed. If directive is present with no attributesdefined, the request is declined. The value is interpreted as aPerl-Compatible Regular Expression (PCRE) using case-sensitivematching. See also CASAuthoritative.========================================================================CONTACT INFORMATION AND WEBSITE========================================================================We welcome your feedback, suggestions and contributions. Contact usvia email if you have questions, feedback, code submissions,and bug reports.  To reach the development team, send an e-mail to:cas-user [at] apereo [dot] orgGoogle Group link:https://groups.google.com/a/apereo.org/forum/#!forum/cas-user========================================================================