Cassava provides authentication services based on the Jasig CAS protocol.
How does CAS work?
The CAS protocol requires three entities to function: the user’s web browser, a web application requesting authentication, and a CAS server as implemented by this plugin.
When a user accesses an application and attempts to authenticate to it, the application redirects the browser to the CAS server. The CAS server looks for an existing single sign-on session and, if there is none, prompts the user to enter their credentials.
Once the user is authenticated, the CAS server redirects the browser back to the application it came from, appending a security ticket (a CAS service ticket) to the return URL.
Behind the scenes, the application then contacts the CAS server over a secure connection to independently verify that the ticket is valid. The CAS server responds with the user’s identity, confirming they are who they claim to be. The protocol makes a service ticket good for a single validation attempt and only for a short time, so an application must validate it immediately and must never treat the ticket parameter on its own as proof of identity.
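The exchange above, written out as an added example. This is generic CAS 2.0 client code written for this FAQ, not code from the Cassava plugin or its documentation. It assumes the plugin’s default endpoint at `https://www.my-site.com/wp-cas/` and a hypothetical application callback `https://app.example.org/callback`; the two XML responses are constructed in the format the protocol specifies, not captured from a real server. The parser also picks up any user attributes the server has been configured to disclose.

```python
# Added example of the CAS exchange: generic client code written for this FAQ,
# not part of the Cassava plugin. Endpoint and callback URLs are assumptions.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def _require_https(url):
    # Tickets ride in query strings, so every leg of the exchange must be TLS.
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing non-https URL: {url}")


def login_url(cas_base, service):
    """Step 1: the URL the application redirects the browser to."""
    _require_https(cas_base)
    _require_https(service)
    return cas_base.rstrip("/") + "/login?" + urlencode({"service": service})


def extract_ticket(callback_url):
    """Step 2: the service ticket the CAS server appended when redirecting back."""
    tickets = parse_qs(urlsplit(callback_url).query).get("ticket", [])
    if len(tickets) != 1 or not tickets[0].startswith("ST-"):
        raise ValueError("missing or malformed service ticket")
    return tickets[0]


def validate_url(cas_base, service, ticket):
    """Step 3: the back-channel request the application makes itself.

    `service` must be exactly the value sent in step 1; the CAS server
    rejects a ticket presented for a different service.
    """
    _require_https(cas_base)
    return cas_base.rstrip("/") + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_validation(xml_text):
    """Parse the serviceValidate response: (user, attributes) or PermissionError."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
        raise PermissionError(f"ticket rejected: {code}")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    if not user:
        raise PermissionError("success response without cas:user")
    attributes = {}
    attr_block = success.find("cas:attributes", CAS_NS)
    if attr_block is not None:  # only present when the server discloses attributes
        for child in attr_block:
            name = child.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
            attributes.setdefault(name, []).append(child.text or "")
    return user, attributes


# Constructed responses in the CAS 2.0 format (not captured from Cassava).
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes>
      <cas:email>alice@example.org</cas:email>
      <cas:role>editor</cas:role>
      <cas:role>author</cas:role>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1234-abc not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    cas, app = "https://www.my-site.com/wp-cas/", "https://app.example.org/callback"
    print(login_url(cas, app))
    ticket = extract_ticket(app + "?ticket=ST-1234-abc")
    print(validate_url(cas, app, ticket))
    print(parse_validation(SUCCESS_RESPONSE))
```

The `service` value must be identical in steps 1 and 3, and the validation request in step 3 goes from the application’s server to the CAS server, never through the user’s browser.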
Does the plugin require HTTPS to function?
Yes. Tickets are passed around in the query strings of HTTP redirects and requests, so the channel must be encrypted or anyone able to observe the traffic could capture a ticket and present it to an application before the legitimate user does. Running a single sign-on service over an unencrypted channel such as plain HTTP puts every application that trusts the CAS server at considerable risk of admitting unauthorized persons.
What do I do if a malicious agent forges or alters my security tickets?
If you suspect someone may have compromised the integrity of the security tickets generated by the CAS server, immediately generate a new set of secret keys and salts and swap them into WordPress’s wp-config.php file. Rotating these constants also invalidates every existing WordPress login cookie, so all users will have to sign in again.
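An added example of the rotation step. It is not plugin code: it regenerates the eight key and salt constants WordPress defines in a `wp-config.php` text, using the OS random source. That the plugin’s ticket secrets derive from these constants is taken from the FAQ’s wording above and is an assumption; the sample configuration is constructed.

```python
# Added example for the key-rotation advice above; not part of the Cassava
# plugin. Rewrites the eight standard WordPress key/salt constants. That the
# plugin's ticket secrets come from these constants is an assumption.
import re
import secrets
import string

KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable characters that need no escaping inside a PHP single-quoted
# string (no quote, no backslash), so the rewritten file stays valid PHP.
_ALPHABET = string.ascii_letters + string.digits + "!@#%^&*()-_=+[]{};:,.~"

# Matches define( 'NAME', 'value' ) with any spacing; value may contain \' escapes.
_DEFINE_RE = re.compile(
    r"(?P<head>define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*')"
    r"(?:[^'\\]|\\.)*"
    r"(?P<tail>'\s*\))"
)


def new_secret(length=64):
    """A fresh random secret drawn from the OS CSPRNG."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def rotate_secrets(config_text, secret_factory=new_secret):
    """Return config_text with every key/salt constant replaced by a new secret.

    Raises ValueError if any of the eight constants is absent, because
    rotating only some of them leaves old material in use.
    """
    rotated = []

    def replace(match):
        name = match.group("name")
        if name not in KEY_NAMES:
            return match.group(0)  # DB_NAME, DB_PASSWORD etc. stay untouched
        rotated.append(name)
        return match.group("head") + secret_factory() + match.group("tail")

    new_text = _DEFINE_RE.sub(replace, config_text)
    missing = sorted(set(KEY_NAMES) - set(rotated))
    if missing:
        raise ValueError(f"wp-config.php does not define: {', '.join(missing)}")
    return new_text


def rotate_file(path):
    """Rotate in place, keeping a backup; every logged-in user is signed out."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    with open(path + ".bak", "w", encoding="utf-8") as fh:
        fh.write(original)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(rotate_secrets(original))


# Constructed wp-config.php fragment (not taken from any real site).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print(rotate_secrets(SAMPLE_CONFIG))
```

Run `rotate_file("/path/to/wp-config.php")` on the live site only after checking the backup location is not web-readable, and expect every user, including you, to be logged out once the new file is in place.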
I’m getting a `Class ‘DOMDocument’ not found` error. What’s going on?
The plugin requires the PHP DOM extension to generate and read XML data; the error almost always means the extension is not installed or not enabled on the server.
While the extension is enabled by default on most setups, some systems require manual activation, and it may also have been disabled by a systems administrator. Depending on your operating system, you may be able to install it by running `yum install php-dom` (RPM) or `apt-get install php5-dom` (APT; on newer Debian and Ubuntu releases the DOM classes ship in the `php-xml` package instead). If not, contact your hosting provider or systems administrator to enable it for you. You can confirm the fix with `php -m | grep -i dom`, which lists `dom` once the extension is loaded.
What is the default endpoint for the CAS server?
By default, the plugin provides its methods under the `wp-cas` endpoint. So, if you’re configuring a CAS client to authenticate using your server at `https://www.my-site.com/`, then the full URI should be something like `https://www.my-site.com/wp-cas/`.
The endpoint may be changed at any time by navigating to Settings > Permalinks in the dashboard. Bear in mind that if you change the endpoint you will also need to reconfigure all CAS clients currently using the service.
How can I make information besides the user’s login name available to external applications?
To return user data along with a validation response, navigate to Settings > Cassava CAS Server and check the attributes you want the server to return.
Only version 2.0 and later of the protocol can disclose user attributes; these options do not change how the earlier CAS 1.0 validation method works. Also note that making user attributes visible does not guarantee the remote application will use them.
How can I change other settings?
At the moment, the only way to change the plugin’s behaviour is through the Hooks API. Please refer to the Other Notes page for a list of actions and filters supported by the plugin.
Where can I read about the CAS protocol specification?
You may peruse the CAS protocol specifications in complete detail at the official project site.
What types of tickets does this plugin support?
Cassava issues and accepts Service Tickets (ST), Proxy-Granting Tickets (PGT), Proxy-Granting Ticket IOUs (PGTIOU) and Proxy Tickets (PT).
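How those ticket types fit together, as an added example written for this FAQ: generic CAS client code for the proxy leg of the protocol, not code from the Cassava plugin. It assumes the default endpoint `https://www.my-site.com/wp-cas/`, a hypothetical callback `https://app.example.org/pgt-callback` that the CAS server calls with the PGT, and a hypothetical back-end service `https://backend.example.org/api`; the XML messages are constructed in the protocol’s format.

```python
# Added example of the proxy-ticket leg: generic CAS client code written for
# this FAQ, not part of the Cassava plugin. All URLs are assumptions.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def validate_url_with_pgt(cas_base, service, ticket, pgt_url):
    """serviceValidate that also asks the CAS server to issue a PGT to pgt_url."""
    if urlsplit(pgt_url).scheme != "https":
        # The CAS server delivers the PGT to this URL over TLS and verifies its certificate.
        raise ValueError("pgtUrl must be https")
    return cas_base.rstrip("/") + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket, "pgtUrl": pgt_url})


def record_pgt_callback(store, query):
    """Handle the CAS server's GET to pgt_url: remember pgtId keyed by its pgtIou."""
    params = parse_qs(query)
    iou = params.get("pgtIou", [""])[0]
    pgt = params.get("pgtId", [""])[0]
    if not (iou.startswith("PGTIOU-") and pgt.startswith("PGT-")):
        raise ValueError("malformed proxy-granting ticket callback")
    store[iou] = pgt  # the PGT itself never appears in the validation response


def pgtiou_from_validation(xml_text):
    """The PGTIOU carried in the validation response; it indexes the stored PGT."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise PermissionError("ticket rejected")
    iou = success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)
    if not iou:
        raise PermissionError("no proxy-granting ticket was issued")
    return iou


def proxy_url(cas_base, store, iou, target_service):
    """Ask the CAS server for a proxy ticket to target_service using the stored PGT."""
    pgt = store[iou]  # KeyError means the callback never arrived: do not proceed
    return cas_base.rstrip("/") + "/proxy?" + urlencode(
        {"pgt": pgt, "targetService": target_service})


def parse_proxy_response(xml_text):
    """Extract the PT from a /proxy response, or raise with the failure code."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:proxySuccess", CAS_NS)
    if ok is None:
        failure = root.find("cas:proxyFailure", CAS_NS)
        code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
        raise PermissionError(f"proxy ticket refused: {code}")
    return ok.findtext("cas:proxyTicket", namespaces=CAS_NS)


# Constructed messages in the CAS 2.0 format (not captured from Cassava).
VALIDATION_WITH_PGT = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

PROXY_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxySuccess>
    <cas:proxyTicket>PT-957-ZuucXqTZ1YcJw81T3dxf</cas:proxyTicket>
  </cas:proxySuccess>
</cas:serviceResponse>"""

PROXY_FAIL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxyFailure code='INVALID_REQUEST'>pgt and targetService are both required</cas:proxyFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    cas = "https://www.my-site.com/wp-cas/"
    store = {}
    record_pgt_callback(store, "pgtIou=PGTIOU-84678-8a9d&pgtId=PGT-1856339-aA5Yuvrxzpv8Tau1cAQ")
    iou = pgtiou_from_validation(VALIDATION_WITH_PGT)
    print(proxy_url(cas, store, iou, "https://backend.example.org/api"))
    print(parse_proxy_response(PROXY_OK))
```

The PT is then presented to the back-end service, which validates it against the CAS server’s proxyValidate method the same way a front-end application validates an ST. Keep the PGT store server-side and treat its contents like session secrets: whoever holds a PGT can mint proxy tickets for the user until it expires.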