Feature #3940

CAS SSO Authentification

Added by Hubert Borderiou over 8 years ago. Updated almost 4 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
SCRUM pts - complexity:


Enable the CAS SSO auth for Chamilo



Updated by Hubert Borderiou over 8 years ago

Related to Feature #3351 -
Use the PHP CAS api 2.0 for the moment.


Updated by Yannick Warnier over 8 years ago

  • Status changed from New to Needs more info
  • Assignee set to Hubert Borderiou
  • Target version set to 1.9 Stable
  • % Done changed from 0 to 70

I just pushed in Chamilo the CAS authentication system last Sunday, contributed by CBlue's Noël Dieschburg. It should be ready for testing in the development repository but I don't have any CAS atrchitecture to test it (see a "CAS" label in admin options).


Updated by Hubert Borderiou over 8 years ago

Can you remind me where the repository is ?
The date I find on are all 5 month old :-(
I'll be able to test it with a 3.0 (2.0 compliant) CAS SSO system.
(I did the patch for Dok for a 2.0 CAS SSO)


Updated by Yannick Warnier over 8 years ago

You need to pick "Classic" in the dropdown box. hg clone


Updated by Hubert Borderiou over 8 years ago

I've download the version today, and I did some minor change to be able to test it :
File main/auth/cas/authcas.php
Line 17

@function cas_is_authenticated() {
global $cas_auth_ver, $cas_auth_server, $cas_auth_port, $cas_auth_uri;
global $logout;

if (!is_object($PHPCAS_CLIENT) ) 
if (!class_exists(phpCAS)) require_once("lib/CAS.php"); // ADDED
// ***************************************************************************
// seems that datas are not read from the database, I put info hard coded just for testing
// ***************************************************************************
// phpCAS::client($cas_auth_ver,$cas_auth_server,$cas_auth_port,$cas_auth_uri);
// die("phpCAS::client($cas_auth_ver,$cas_auth_server,$cas_auth_port,$cas_auth_uri);");
$auth = phpCAS::checkAuthentication();@

I call page :
- I reach the cas authentification page of the university, it's ok
- I enter my login/passowrd, ok
- I'm registered in Chamilo, ok
My account has been created just with my login, because CAS doesn't bring other info, and I'm not connected to a LDAP server.
So it's fine.

Is the parameter CasUserAddActivateTitle is for creating automatically the new user auth by CAS, it doesn't work. To YES or NO, my CAS user has been created.

It needs to be finished, but the API works fine.
Who'll do it ? I can do it if you want.
There is the "questions category" patch I can do too, because I already did it for my platform, and it has been used by teachers since several months.


Updated by Hubert Borderiou almost 8 years ago

Hi, I work on CAS authentification to finalize it.
There are some fields in the CAS configuration I'm not sure to understand :
- cas_add_user_login_attr
- cas_add_user_email_attr
- cas_add_user_firstname_attr
- cas_add_user_lastname_attr

I guess these fields are used to create the user account with LDAP info when he logs with cas, and has no account on the platform. I'm going to work without LDAP for the moment.

I don't see in the add-user page, the external auth password menu.


Updated by Hubert Borderiou almost 8 years ago

CAS works as it is.
But i have some questions about the sso authentification before I can go further.

There is a sso.class.php, but CAS don't use it.
I'd like to work on CAS and LDAP and I don't know what is up to date, and what is old version.

A little help is needed... ^^


Updated by Yannick Warnier over 7 years ago

  • Target version changed from 1.9 Stable to 1.9 Beta

Updated by Yannick Warnier over 7 years ago

  • Status changed from Needs more info to Assigned

Hi Hubert,

The sso.class.php is the way to go. Implementing any authentication method should really use this class as a base. This way, we ensure it is easy to implement new models and integrate them into Chamilo. However, CAS and LDAP were'nt developed that way (maybe Shibboleth either - copying Laurent about that).
This might be because I haven't been strict enough (I was busy with the promotion of Chamilo), but I will try to enforce that for the next versions.
I think it's a good idea to move this task to 1.10 so we remove it as an obstacle on our way to 1.9...


Updated by Yannick Warnier over 7 years ago

  • Target version changed from 1.9 Beta to 2.0

I am a man of my word (even though I intended to do that in one update instead of two)


Updated by Laurent Opprecht over 7 years ago

I am afraid Shibboleth was done outside of the sso class. Could try to see if we can integrate in the next release - even though Shibboleth is a bit peculiar (authentication is done by the web server)


Updated by Yannick Warnier almost 4 years ago

  • Target version changed from 2.0 to 3.0

Also available in: Atom PDF