- Get help
- Services
- Announcements & alerts
- Service outages
- Security alerts
- Major initiatives
- Reintroducing IT ServiceHub: Your One-Stop IT Support Platform
- Supporting SFU's Digital Transformation with Exchange Online
- Important changes to SFU email practices
- Transforming the SFU experience through digital improvements - Key Initiatives in Progress
- Jovanna Sauro wins SFU Personal Achievement Award
- Improve your cellular coverage by enabling WiFi Calling
- New committee guides transformative changes at SFU
- Expanded identity options for students within SFU applications
- SFU works toward keeping devices out of landfills
- A journey to improved WiFi
- Help us, help you, connect to better WiFi
- IT Services' new support system: ServiceHub
- Information Security Essential Courses
- IT Services leadership announcement
- University Wide Password Change Initiative
- April 2021 technical issue
- Telephone System Core Infrastructure Upgrade
- Decommissioning fraser.sfu.ca
- About
- Information security
CAS Apache module
History
Before SFU adopted CAS as its authentication method for the web, we already had an Apache authentication/authorization module that allowed limited access control based on maillist membership. With the arrival of CAS, we modified a version of mod_cas (later mod_auth_cas) that would allow Apache to use the SFU version of CAS version 2 (later CAS version 3) to grant access based on SFU maillists.
With the arrival of CAS 5, the changes made to CAS by SFU are no longer needed, and the latest unchanged version of mod_auth_cas can be used. This version supports Apache 2.4 (which the older SFU modified version of mod_auth_cas does not). Because the 2.2 version of Apache is no longer being maintained by The Apache Software Foundation, you may want to upgrade your Apache, but that will also require that you upgrade to the latest version of mod_auth_cas.
Can we continue to use the older version of mod_auth_cas?
The short answer is yes. However, that version of mod_auth_cas does not support Apache 2.4, so you are stuck with the older non-maintained version of Apache. There are a few other things to keep in mind if you want to continue using the old SFU version of mod_auth_cas.
For example, in order to do the authorization, the SFU modified mod_auth_cas uses an SFU added feature of CAS, and adds an "allow=" string to the login and serviceValidate CAS entry points. We have added support for this to CAS 5 to continue to support the old mod_auth_cas, but this may not be supported in future upgrades to CAS.
Another thing to keep in mind is that mod_auth_cas needs attributes from CAS to do the authorization work. The older versions of CAS didn't return attributes, so SFU modified CAS so that you could get the needed attributes from serviceValidate. In CAS 5, attributes are returned using p3/serviceValidate, but not with serviceValidate. We have added a setting in CAS 5 to allow some attributes to be returned by serviceValidate, and this setting will be set for those services that were using the old SFU mod_auth_cas before the upgrade to CAS 5. If you want to use the old SFU mod_auth_cas with a new service, you either need to let us know to set that setting for your service, or you need to specify "CASValidateURL https://cas.sfu.ca/cas/p3/serviceValidate" to get the attributes that are needed by mod_auth_cas.
What needs to be done to upgrade to the new mod_auth_cas?
There are a number of good reasons to upgrade to the new mod_auth_cas, including allowing you to upgrade to the new, fully supported, Apache 2.4. The first thing to do before upgrading is to read Using mod_auth_cas at SFU to get an idea how the new module works and where to get it.
Once you have the new mod_auth_cas downloaded, built and installed, you need to make sure that you have set CASValidateURL to p3/serviceValidate like this:
CASValidateURL https://cas.sfu.ca/cas/p3/serviceValidate
The next step is to check if you have specified
Authtype Basic
when using mod_auth_cas. This was allowed in the old SFU mod_auth_cas so that you could use Apache basic authentication in conjunction with CAS when controlling access to a non-web application such as WebDAV. This is not supported in the new mod_auth_cas, but we have made available a simple authentication module mod_authn_cas which will handle this use case. See this page for information on mod_authn_cas.
Using "Basic" was also allowed in certain circumstances as equivalent to "CAS". If that was how it was being used, simply use "Authtype CAS" instead.
Next, check to see if you use
AuthUserFile /path/to/.htpasswd
to point to a file containing userid/password entries. The old mod_auth_cas would let you use these .htpasswd files to specify IDs or maillists to control access. The new mod_auth_cas doesn't support these .htpasswd files, so see the following table for replacing items in the .htpasswd file with Require lines.
| Line in .htpasswd file | What it did | Equivalent Require line in new mod_auth_cas |
|---|---|---|
| +userid |
allow access to SFU userid |
Require user userid |
| +!mail-list |
allow access to members of mail-list |
Require cas-attribute member:mail-list |
| userid password |
allow access to made up ID |
this is not supported in new mod_auth_cas |
The final step is to replace the Require directives from the old mod_auth_cas with equivalent Require directives for the new mod_auth_cas. The following table should help.
| Old mod_auth_cas | New mod_auth_cas |
|---|---|
| Require valid-user or Require valid-sfu-user |
Require valid-user |
| Require user userid or Require sfu-user userid |
Require user userid |
| Require user !mail-list |
Require cas-attribute member:mail-list |
| Require valid-sfu-staff |
Require cas-attribute sfuEduPersonAffiliation:staff |
| Require valid-sfu-faculty |
Require cas-attribute sfuEduPersonAffiliation:faculty |
| Require valid-sfu-student |
Require cas-attribute sfuEduPersonAffiliation:undergrad |
| Required valid-alumni-user |
Require cas-attribute sfuEduPersonAffiliation:alumnus |