What I want
For various reasons, I'd like to see the following authentication procedure work:
- go to moodle.blah.bla
- Apache asks for your login information via mod_auth_cas
- Once authenticated, Apache sends you to moodle.blah.bla/login/index.php?authCAS=CAS
- Moodle then sends you to your CAS server which is already authenticated
- CAS sends you back to moodle as an authenticated user.
What I have
Currently I have confirmed that mod_auth_cas does authenticate my user. I also have successfully authenticated Moodle using their CAS plugin.
The problem
Where I am stuck is putting the two things together.
First, once mod_auth_cas authenticates you, I'm not sure how to send the user on to the correct Moodle url.
Second, when I manually browse to the Moodle CAS auth link, it ends up sending me into a redirect loop.
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
And Chromium:
ERR_TOO_MANY_REDIRECTS
My thoughts on the problem
For the first issue, I would think that I'd want to redirect only when a specific header is set. Except that I think the header would stick around until the end of the session, thus triggering a redirect for every single page...
For the second issue, is the ticket from mod_auth_cas getting invalidated and thus apache is trying to send me back to the cas server? Even though we just came from there... Which would be a redirect loop.
Any other suggestions on how to get this working?
Server config and specs
My server is running:
- Ubuntu 14.04
- Apache 2.4
- http://packages.ubuntu.com/trusty/libapache2-mod-auth-cas
- Moodle 2.8+
In my vhost:
CASValidateServer Off
CASLoginURL https://casserver/cas/login
CASValidateURL https://casserver/cas/serviceValidate
<LocationMatch "/.*">
AuthType CAS
require valid-user
</LocationMatch>
Moodle is configured to use CAS 2.0.
The CAS server is running 4.x.
Stop trying to use mod_auth_cas with Moodle. Use the CAS plugin in Moodle on its own.
Why are you trying to put the two things together? Moodle's own CAS plugin is quite sufficient on its own.
I believe that when you have mod_auth_cas and Moodle's CAS, the CAS parameters get used by mod_auth_cas and are either unavailable to Moodle's CAS or have already been used by mod_auth_cas. Since CAS tokens are single-use, either case would mean that Moodle's CAS has no chance of working.
If you can disable mod_auth_cas for /login/index.php?authCAS=CAS.*, you might be able to make this work. Getting that <LocationMatch ...> to match everything except the relevant moodle AuthCAS=CAS URLs is a bit beyond what I want to figure out right now, though.
Another possibility is CASGateway /login/ to tell mod_auth_cas to allow anonymous access to the /login/ directory (so that Moodle's CAS might be able to take over in there). I think that works by directories, not URLs, but if that works you could try CASGateway /login/index.php?authCAS=CAS to limit it further.
You might check mod_lua since it permits writing login hooks in the Lua language. That might give you a way to programmatically add what is missing.
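The redirect loop from the question, modelled on the single-use-ticket explanation in the answer above. This is an added example, not code from the thread, Moodle or mod_auth_cas. It assumes, as that answer supposes, that mod_auth_cas validates any ticket parameter and redirects without it before Moodle runs, and that the browser already holds CAS and Apache sessions; CasServer, ticket_of and browse are hypothetical names, and service-URL binding of tickets is not modelled.

```python
# Toy model (added example): two CAS clients competing for one single-use ticket.
import itertools
from urllib.parse import urlsplit, parse_qs

MOODLE_LOGIN = "https://moodle.blah.bla/login/index.php?authCAS=CAS"  # URL from the question
CAS_LOGIN = "https://casserver/cas/login"                            # CASLoginURL from the vhost

class CasServer:
    """Hypothetical stand-in for the CAS server: each service ticket validates once."""

    def __init__(self):
        self._live = set()
        self._seq = itertools.count(1)

    def issue(self):
        ticket = f"ST-{next(self._seq)}"   # constructed ticket ids
        self._live.add(ticket)
        return ticket

    def validate(self, ticket):
        if ticket in self._live:
            self._live.remove(ticket)      # single use: a second validation fails
            return True
        return False

def ticket_of(url):
    """Return the ticket query parameter of url, or None."""
    return parse_qs(urlsplit(url).query).get("ticket", [None])[0]

def browse(url, apache_guards_login, max_redirects=10):
    """Follow redirects like a browser; return (outcome, redirects followed)."""
    cas = CasServer()
    for hop in range(max_redirects):
        if url.startswith(CAS_LOGIN):
            # SSO session exists, so CAS bounces straight back with a fresh ticket.
            url = f"{MOODLE_LOGIN}&ticket={cas.issue()}"
        elif apache_guards_login and ticket_of(url):
            # Assumed mod_auth_cas behaviour: validate the ticket, then redirect
            # to the same URL without it. Moodle never sees this ticket.
            cas.validate(ticket_of(url))
            url = MOODLE_LOGIN
        elif ticket_of(url) and cas.validate(ticket_of(url)):
            return "logged in", hop        # Moodle's plugin validated the ticket
        else:
            url = CAS_LOGIN                # Moodle has no ticket: send user to CAS
    return "redirect loop", max_redirects
```

With apache_guards_login=True every ticket is spent before Moodle sees it, so the browser gives up after max_redirects; with the login URL left to Moodle alone, the third request succeeds.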