Cassava provides authentication services based on the Jasig CAS protocol.
|Author:||Luís Rodrigues (profile at wordpress.org)|
|WordPress version required:||3.9|
|WordPress version tested:||4.4.2|
|Added to WordPress repository:||30-04-2014|
Warning! This plugin has not been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
|Total downloads:||1 719|
Click to start download
How does CAS work?
The CAS protocol requires three entities to function: the user’s web browser, a web application requesting authentication, and a CAS server as implemented by this plugin.
When a user accesses an application and attempts to authenticate to it, the application sends the user to the CAS server for validation. The CAS server will look for an active session or else explicitly request the user to insert their credentials.
Upon authenticating the user, the CAS server returns the user to the application they came from along with a security ticket.
Behind the scenes, the application then contacts the CAS server over a secure connection to independently verify that the security ticket is valid. The CAS server responds with information about the user’s status, confirming they are who they claim to be.
Does the plugin require HTTPS to function?
Yes. Because applications trade security tickets via HTTP requests, it is very important that this information be encrypted so as not to be easily intercepted. By running a single sign-on service over an unencrypted channel such as plain HTTP, you would be at considerable risk of allowing unauthorized persons into your network.
What do I do if a malicious agent forges or alters my security tickets?
If you suspect someone may have compromised the integrity of the security tickets generated by the CAS server, you should immediately generate a new set of secret keys and swap them out in WordPress’s
I’m getting a `Class ‘DOMDocument’ not found` error. What’s going on?
The plugin requires the PHP DOM extension to generate and read XML data, and the error is likely due to the extension not being installed on the server.
While the extension is enabled by default on most setups, some systems require manual activation. It may also have been disabled by a systems administrator. Depending on your operating system, you may be able to install it by running
yum install php-dom (RPM) or
apt-get install php5-dom (APT). If not, contact your hosting provider or systems administrator to enable it for you.
What is the default endpoint for the CAS server?
By default, the plugin provides methods under the
wp-cas endpoint. So, if you’re configuring a CAS client to authenticate using your server at
https://www.my-site.com/, then the full URI should be something like
The endpoint may be changed at any time by navigating to Settings > Permalinks in the dashboard. Bear in mind that if you change the endpoint you will also need to reconfigure all CAS clients currently using the service.
How can I make information besides the user’s login name available to external applications?
To return user data along with a validation response, navigate to Settings > Cassava CAS Server and check the attributes you want the server to return.
Only versions 2.0 and above of the protocol can disclose user attributes, these options will not change how the earlier CAS 1.0 validation method works. Also note that making user attributes visible does not guarantee the remote application will use them.
How can I change other settings?
Where can I read about the CAS protocol specification?
You may peruse the CAS protocol specifications in complete detail at the official project site.
What types of tickets does this plugin support?
Cassava sets and receives Service Tickets (ST), Proxy-Granting Tickets (PGT), Proxy-Granting Ticket IOUs (PGTIOU) and Proxy Tickets (PT).
- Requirement checks and admin error on pre-PHP 5.3 setups.
- Fixed endpoint registration in mixed HTTP/HTTPS installs. The server will now respond to requests over unencrypted HTTP, but will throw an error and tell the user to switch to HTTPS.
- Fixed missing autoloader in the SVN repository.
- Added support for the CAS 3.0
- Fixed a bug that prevented setting a custom CAS endpoint permalink.
- Fixed the handling of service URLs containing pipe characters.
- Developers: The
cas_server_routesfilter no longer deals with callbacks, controller classes are handled instead. Controller classes must extend
- WordPress 4.1.1 compatibility.
- Cleaner, easier to maintain codebase.
- Improved tests and test coverage.
- WordPress 4.0 compatibility.
- Portuguese (pt_PT) localization.
- Fixed a bug that broke the permalinks page.
- Settings now allow a successful CAS 2.0 validation response to return user attributes.
- Miscellaneous under-the-hood improvements and bug fixes.
- Developers: New filter
- Developers: Renamed filter
- Developers: Removed filter
- SSL is a requirement. No endpoints are exposed over unencrypted HTTP.
- Initial release.