<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=blue style='word-wrap: break-word;-webkit-nbsp-mode: space;
-webkit-line-break: after-white-space'>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Regarding what Shawn wrote: <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Is this worth a long distance phone call
or chat session? I’m at my office now and would be happy to talk
you through the configuration I’m talking about if you’d like. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I’ve been trying to figure out a way
to make the login test happen as you suggest, but there are trade-offs for
content creators. Any chance you’d be willing to collaborate. I’d
be extremely interested in folding the mod you’re talking about into the
cas module if we can hammer out the details. Basically the rub for me is how to
implement it in such a way that the drupal log out button still
works. My content creators need this to be able to see what an
anonymous user sees. (and they log in via cas) <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Contact me directly (off list) if you’d
like to do this. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><a href="mailto:metzlerd@metzlerd.com">metzlerd@metzlerd.com</a><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Regarding your site you should be
configured in the following manner: <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> Use drupal as cas repository –
unchecked. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> Hijack users – checked. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Go into block administration and enable the
login block or enable the cas login menu. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Then you should be able to do either cas
or drupal logins. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><br>
Dave<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
support-bounces@drupal.org [mailto:support-bounces@drupal.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Scott Matthews<br>
<b><span style='font-weight:bold'>Sent:</span></b> Thursday, February 07, 2008
10:29 AM<br>
<b><span style='font-weight:bold'>To:</span></b> Hainsworth, Shawn<br>
<b><span style='font-weight:bold'>Cc:</span></b> <st1:PersonName w:st="on">support@drupal.org</st1:PersonName>;
Ron Trevarrow<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [support] Drupal CAS
Configuration</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Yes. We're making a customized version based on the cas module.<o:p></o:p></span></font></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>We basically do not want the user to have to forward to the login page.
<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>So David, I tried your suggestion and what I'm seeing is:<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>I go to to the admin page not being authenticated and attempt to login
as my admin<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>when I submit, the resulting page is not the admin page with the
options available to me but rather my site's home page with the url as '
http://[domain_name]/?destination=admin '<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>any Ideas?<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>On Feb 7, 2008, at 1:24 PM, Hainsworth, Shawn wrote:<o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
<br>
<o:p></o:p></span></font></p>
<div>
<div id=idOWAReplyText28187>
<div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:black'>I want to jump in here. The Drupal
user might not always exist. There are cases where CAS will authenticate
a user that Drupal does not yet have in its User table. I know the module
allows for creating new users with a configurable set of default roles, and we
will need to use this functionality.</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Also, the security model for this application is different
than Drupal's typical security model. Typically, Drupal protects resources
based on roles. So, i f you attempt to access a specific resource, Drupal
will check if that resource is protected, and then check if the user is
authenticated, and what their role is. The Drupal-CAS module
also allows a set of URL patterns to be defined which will require
authentication.</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>We are not requiring authentication based on resource or URL
path. Rather, any page on the site may be accessed anonymously.
However, there are additional features that are available if you are logged in.</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Therefore, we are modifying the module to perform a CAS
gateway check at the beginning of the user's session. So, Drupal
authentication will only be used for administrators and content creators.
Users of the site will not use Drupal authentication. Rather, they will
use the CAS gateway check at the beginning of their session.</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>s.</span></font><o:p></o:p></p>
</div>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal style='margin-bottom:12.0pt'><b><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma;font-weight:bold'>From:</span></font></b><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> Scott
Matthews [<a href="mailto:smatthews@optaros.com">mailto:smatthews@optaros.com</a>]<br>
<b><span style='font-weight:bold'>Sent:</span></b> Thu 2/7/2008 1:00 PM<br>
<b><span style='font-weight:bold'>To:</span></b> <a
href="mailto:support@drupal.org">support@drupal.org</a><br>
<b><span style='font-weight:bold'>Cc:</span></b> Hainsworth, Shawn; Ron
Trevarrow<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [support] Drupal CAS
Configuration</span></font><o:p></o:p></p>
</div>
<div>
<p style='margin-bottom:12.0pt'><font size=2 face="Times New Roman"><span
style='font-size:10.0pt'>Yes, I already have the accounts stored in Drupal for
the people in <br>
question. As for CAS, since I'm still in development I'm using the <br>
basic functionality of the server for now where you can use any user <br>
and the password is the username.<br>
<br>
Yes, to some degree I do want both to work (i.e. allowing the admin <br>
for Drupal to login without CAS authentication while other arbitrary <br>
users are validated from CAS.<br>
<br>
<br>
<br>
Scott Matthews<br>
Senior Developer<br>
Optaros, Inc.<br>
<a href="mailto:smatthews@optaros.com">smatthews@optaros.com</a><br>
<br>
<br>
<br>
<br>
<br>
On Feb 7, 2008, at 12:52 PM, Metzler, David wrote:<br>
<br>
> I'm the module maintainer, and can certainly help out here.<br>
><br>
> If you're using a module where just a few should be authenticated by <br>
> cas, there's a couple of options here, but a couple of questions <br>
> will be useful:<br>
><br>
> 1.) have you precreated the drupal accounts for these people? You <br>
> don't have to, but it'll be helpful for me to give advice.<br>
><br>
> 2.) Are you looking for both drupal auth and cas auth to work?<br>
><br>
> Dave<br>
><br>
><br>
> -----Original Message-----<br>
> From: support-bounces@drupal.org on behalf of Scott Matthews<br>
> Sent: Thu 2/7/2008 09:15<br>
> To: <st1:PersonName w:st="on">support@drupal.org</st1:PersonName><br>
> Cc: Shawn Hainsworth<br>
> Subject: [support] Drupal CAS Configuration<br>
><br>
><br>
> <br>
> Has anyone had much experience with the
Drupal CAS module? I'm<br>
> attempting to use it for an SSO implementation by integrating it into<br>
> a site that I am developing where there is a central CAS server that<br>
> will manage the users for all other sites we have. This Central CAS<br>
> server will have access to a central repository of user login<br>
> informaiton.<br>
><br>
><br>
> The issue that I'm seeing is that there are
a few specific users that<br>
> I have that will be maintained by Drupal and when I attempt to Login<br>
> as those users, it does not seem to authenticate me. Is this
possible<br>
> to have it set up this way? Am I barking up the wrong tree?<br>
> --<br>
> [ Drupal support list | <a href="http://lists.drupal.org/">http://lists.drupal.org/</a>
]<br>
><br>
> <winmail.dat>--<br>
> [ Drupal support list | <a href="http://lists.drupal.org/">http://lists.drupal.org/</a>
]</span></font><o:p></o:p></p>
</div>
</div>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
</div>
</body>
</html>