mod_auth_cas

Redirection by the CAS Headers

Open talbenbasat opened this issue 10 years ago • 7 comments

Hi,

I've been using mod_auth_cas, and tried to execute a redirect by user. In order to do so, I'm trying to use the Apache RewriteRule with the CAS headers.

I've been trying unsuccessfully to locate the exact header names.

I would really appreciate it if you could help me with this.

Thanks in advance, Tal

talbenbasat avatar Nov 02 '14 17:11 talbenbasat

The standard "REMOTE_USER" will be set by mod_auth_cas after successful validation.

dotmjs avatar Nov 02 '14 17:11 dotmjs

Hi,

I've tried this rule:

    RewriteRule ^/$ http://webtest.domain.com/%{REMOTE_USER}

and it ended up with a redirection loop.

talbenbasat avatar Nov 02 '14 17:11 talbenbasat

What is the URL that is first accessed? Is it webtest.domain.com/, or a deeper path?

Is http always used, or is first access via https?

Can you post your CAS config?

Have you confirmed this works without the redirect, either by using "require user foo" within your httpd.conf block, or with a CGI that prints REMOTE_USER?

Note - you should probably take this to the cas-user mailing list for a wider audience to help troubleshoot.

dotmjs avatar Nov 02 '14 18:11 dotmjs

Hi @forsetti,

First of all, thanks for your quick responses.

  1. The first URL I'm accessing is logintest.domain.com, and then it redirects me to my Apache. The physical architecture is Apache and haproxy for all subdomains on one server, and CAS with Tomcat on another.
  2. The URL logintest.domain.com is accessed via https and all other URLs are accessed via http.
  3. cas config

    #mod_cas_auth configuration
    CASCookiePath /cas/cookies/
    CASLoginURL https://logintest.domain.com:8443/cas/login
    CASValidateURL https://logintest.domain.com:8443/cas/samlValidate
    CASDebug On
    CASValidateServer Off
    CASAllowWildCardCert On
    CASTimeout 86400
    CasIdleTimeout 86400
    CASSSOEnabled On
    CASValidateSAML On
    CASCacheCleanInterval 1800
    CASAuthoritative On
    CASCookieDomain .domain.com

  4. apache location directive

    <Location />
       AuthType CAS
       require valid-user
       CASAuthNHeader Cas-User
       CASScrubRequestHeaders On
       CASScope /
       CASCookie domain
    </Location>

talbenbasat avatar Nov 04 '14 12:11 talbenbasat
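
The check suggested earlier in the thread (a CGI that prints REMOTE_USER) can be written as below. This is an added example, not code from the thread or from mod_auth_cas. It assumes the posted `CASAuthNHeader Cas-User`, which a CGI sees as `HTTP_CAS_USER`; the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic CGI, not part of the original thread.
# Assumption: "CASAuthNHeader Cas-User" is configured, so the header
# reaches a CGI as the environment variable HTTP_CAS_USER.

# Strip control characters so request-derived values cannot inject lines.
clean() { printf '%s' "$1" | tr -d '\000-\037\177'; }

# Print the identity-related variables and a verdict line.
# Returns 0 when REMOTE_USER is set and agrees with the header, 1 otherwise.
cas_report() {
    user=$(clean "${REMOTE_USER:-}")
    hdr=$(clean "${HTTP_CAS_USER:-}")
    printf 'REMOTE_USER=%s\n' "$user"
    printf 'AUTH_TYPE=%s\n' "$(clean "${AUTH_TYPE:-}")"
    printf 'Cas-User header=%s\n' "$hdr"
    printf 'scheme=%s host=%s\n' \
        "$(clean "${REQUEST_SCHEME:-unknown}")" "$(clean "${HTTP_HOST:-}")"
    if [ -z "$user" ]; then
        echo 'FAIL: REMOTE_USER is empty; the request was not authenticated'
        return 1
    fi
    if [ -n "$hdr" ] && [ "$hdr" != "$user" ]; then
        echo 'FAIL: Cas-User header does not match REMOTE_USER'
        return 1
    fi
    echo 'OK: authenticated user is visible to the application'
    return 0
}

# Emit a CGI response only when the web server invokes the script.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    printf 'Content-Type: text/plain\r\n\r\n'
    cas_report
fi
```

Place it in a CAS-protected CGI directory and request it directly, without any RewriteRule in effect, to separate authentication problems from redirect problems.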

Sorry for delay (I travel much for work lately). When accessing webtest.domain.com, is https ever used? Or just http?

Have you verified that this will work without the redirect, by just protecting a directory and making sure you can gain access?

I'd suggest posting


dotmjs avatar Nov 08 '14 03:11 dotmjs

Sorry for delay (I travel much for work lately). When accessing webtest.domain.com, is https ever used? Or just http?

Have you verified that this will work without the redirect, by just protecting a directory and making sure you can gain access?

As this is likely not a mod_auth_cas bug, I'd suggest posting this to the cas-user mailing list for a broader community discussion.


dotmjs avatar Nov 08 '14 03:11 dotmjs

Hi @forsetti,

Yes, https is being used when entering logintest.domain.com.

I'll post the question in the cas-user mailing.

Thanks, Tal

talbenbasat avatar Nov 10 '14 16:11 talbenbasat