CAS Apache module
Before SFU adopted CAS as its authentication method for the web, we already had an Apache authentication/authorization module that allowed limited access control based on maillist membership. With the arrival of CAS, we modified a version of mod_cas (later mod_auth_cas) that would allow Apache to use the SFU version of CAS version 2 (later CAS version 3) to grant access based on SFU maillists.
With the arrival of CAS 5, the changes made to CAS by SFU are no longer needed, and the latest unchanged version of mod_auth_cas can be used. This version supports Apache 2.4 (which the older SFU modified version of mod_auth_cas does not). Because the 2.2 version of Apache is no longer being maintained by The Apache Software Foundation, you may want to upgrade your Apache, but that will also require that you upgrade to the latest version of mod_auth_cas.
Can we continue to use the older version of mod_auth_cas?
The short answer is yes. However, that version of mod_auth_cas does not support Apache 2.4, so you are stuck with the older, unmaintained version of Apache. There are a few other things to keep in mind if you want to continue using the old SFU version of mod_auth_cas.
For example, in order to do the authorization, the SFU-modified mod_auth_cas uses an SFU-added feature of CAS and appends an "allow=" string to the login and serviceValidate CAS entry points. We have added support for this to CAS 5 so that the old mod_auth_cas continues to work, but this may not be supported in future upgrades to CAS.
Another thing to keep in mind is that mod_auth_cas needs attributes from CAS to do the authorization work. The older versions of CAS didn't return attributes, so SFU modified CAS so that you could get the needed attributes from serviceValidate. In CAS 5, attributes are returned using p3/serviceValidate, but not with serviceValidate. We have added a setting in CAS 5 to allow some attributes to be returned by serviceValidate, and this setting will be set for those services that were using the old SFU mod_auth_cas before the upgrade to CAS 5. If you want to use the old SFU mod_auth_cas with a new service, you either need to let us know to set that setting for your service, or you need to specify "CASValidateURL https://cas.sfu.ca/cas/p3/serviceValidate" to get the attributes that are needed by mod_auth_cas.
What needs to be done to upgrade to the new mod_auth_cas?
There are a number of good reasons to upgrade to the new mod_auth_cas, including allowing you to upgrade to the new, fully supported, Apache 2.4. The first thing to do before upgrading is to read Using mod_auth_cas at SFU to get an idea how the new module works and where to get it.
Once you have the new mod_auth_cas downloaded, built and installed, you need to make sure that you have set CASValidateURL to p3/serviceValidate like this: "CASValidateURL https://cas.sfu.ca/cas/p3/serviceValidate".
The next step is to check whether you have specified "Basic" as the AuthType when using mod_auth_cas. This was allowed in the old SFU mod_auth_cas so that you could use Apache basic authentication in conjunction with CAS when controlling access to a non-web application such as WebDAV. This is not supported in the new mod_auth_cas, but we have made available a simple authentication module, mod_authn_cas, which handles this use case. See this page for information on mod_authn_cas.
Using "Basic" was also allowed in certain circumstances as equivalent to "CAS". If that was how it was being used, simply use "AuthType CAS" instead.
Next, check whether your configuration points to a file containing userid/password entries. The old mod_auth_cas would let you use these .htpasswd files to specify IDs or maillists to control access. The new mod_auth_cas doesn't support these .htpasswd files, so see the following table for replacing items in the .htpasswd file with Require lines.
|Line in .htpasswd file||What it did||Equivalent Require line in new mod_auth_cas|
| ||allow access to SFU userid||Require user userid|
| ||allow access to members of mail-list||Require cas-attribute member:mail-list|
| ||allow access to made-up ID||not supported in new mod_auth_cas|
The final step is to replace the Require directives from the old mod_auth_cas with equivalent Require directives for the new mod_auth_cas. The following table should help.
|Old mod_auth_cas||New mod_auth_cas|
|Require user userid||Require sfu-user userid or Require user userid|
|Require user !mail-list||Require cas-attribute member:mail-list|
| ||Require cas-attribute sfuEduPersonAffiliation:staff|
| ||Require cas-attribute sfuEduPersonAffiliation:faculty|
| ||Require cas-attribute sfuEduPersonAffiliation:undergrad|
| ||Require cas-attribute sfuEduPersonAffiliation:alumnus|
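As an added example (not from this page or the mod_auth_cas project), here is an Apache 2.4 configuration that applies the upgrade steps above to one protected location with the unmodified mod_auth_cas. Only the p3/serviceValidate URL comes from the page; the CAS login URL, cookie path, location path, userid and maillist name are assumptions.

```apache
# Added example: migrated configuration for the unmodified mod_auth_cas on Apache 2.4.
LoadModule auth_cas_module modules/mod_auth_cas.so

# CAS 5 returns the attributes mod_auth_cas needs only from p3/serviceValidate,
# so the validate URL must point there (login URL is assumed to be /cas/login).
CASLoginURL    https://cas.sfu.ca/cas/login
CASValidateURL https://cas.sfu.ca/cas/p3/serviceValidate
# Directory for mod_auth_cas session cookies; must exist and be writable by httpd.
CASCookiePath  /var/cache/httpd/mod_auth_cas/

<Location /intranet>
    # The old SFU module accepted "AuthType Basic" as an alias; the new one needs CAS.
    AuthType CAS
    AuthName "SFU CAS"

    # Old module:  Require user jdoe
    #              Require user !example-list     (maillist via the "!" prefix)
    # New module:  userids use the stock "user" provider, maillists and
    #              affiliations are CAS attributes. RequireAny grants access
    #              when at least one of these lines matches.
    <RequireAny>
        Require user jdoe
        Require cas-attribute member:example-list
        Require cas-attribute sfuEduPersonAffiliation:staff
    </RequireAny>
</Location>
```

Entries in a .htpasswd file for made-up IDs have no equivalent here; those users need a real SFU userid or maillist membership.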