Problem with CAS based SSO for Moodle 2.7

by Zbigniew Misiak -
Hi,

I am trying to use single sign-on functionality using a CAS Server (Jasig Central Authentication Service 3.5.2.1), so that users who have logged in to a site on the same server as Moodle do not need to log in again after going to Moodle.


I have turned on the CAS (SSO) and added the details:

hostname: IP.of.my.server

base URL: cas-server-webapp-3.5.2.1/

port: 8443

CAS version: CAS 2.0

After saving I logout and click on Login.

Redirection to the CAS works fine, but after I log in to CAS I get back to Moodle, where I get an Exception (leading to http://docs.moodle.org/27/en/error/moodle/generalexceptionmessage) with no more information.

Any suggestions what can be wrong would be appreciated.


Zbigniew

In reply to Zbigniew Misiak

Re: Problem with CAS based SSO for Moodle 2.7

by jason everling -

After deploying CAS, your base URL should be all lowercase, cas/ ; cas-server-webapp-3.5.2.1/ is where the source files are and is how you build the CAS WAR package for deployment.

You should also make sure that both your CAS Server and the server Moodle is on have their times synced from the same NTP source.

JASON

In reply to jason everling

Re: Problem with CAS based SSO for Moodle 2.7

by Zbigniew Misiak -

Hi Jason,

Thanks a lot for reply.

I have checked and the base URI is all lowercase. Both CAS and Moodle are located on the same Windows server, so I guess there should be no problems with time sync.

Do you think the long deployment path cas-server-webapp-3.5.2.1/ instead of cas/ is problematic?

Best regards,

Zbigniew

In reply to Zbigniew Misiak

Re: Problem with CAS based SSO for Moodle 2.7

by jason everling -

I looked in the CAS User Guide when you mentioned Windows, and whoever wrote the documentation for the quick start had set it up like that, to use that base URI. Weird!

You should set up CAS using the overlay method:

https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven+WAR+Overlay+Method

Newer documentation for 4+:

http://jasig.github.io/cas/4.0.0/installation/Maven-Overlay-Installation.html

Set debugging in Moodle to Developer so that you can see the real error in the logs. Do you have logging configured in Tomcat as well?

Also, within the CAS authentication settings in Moodle, have you entered all the necessary LDAP information correctly?

JASON

In reply to jason everling

Re: Problem with CAS based SSO for Moodle 2.7

by Zbigniew Misiak -

Hi Jason,

Thanks a lot for the additional info. I have forwarded it to our developer and will check the logs for more info about errors.

Just one thing to be sure: if we are using SSO based on user authentication in an external application using CAS, do we need to add some LDAP config too?

From http://docs.moodle.org/27/en/CAS_server_%28SSO%29 I understood that we only need to configure the CAS SSO settings, not LDAP ones.

Best regards,

Zbigniew

In reply to Zbigniew Misiak

Re: Problem with CAS based SSO for Moodle 2.7

by Zbigniew Misiak -

Hi Jason,

After turning on debugging and changing the base URL to cas, I get the following info:


Debug info:
Error code: generalexceptionmessage
Stack trace:
  • line 2764 of \auth\cas\CAS\CAS\Client.php: CAS_AuthenticationException thrown
  • line 1224 of \auth\cas\CAS\CAS\Client.php: call to CAS_Client->validateCAS20()
  • line 1131 of \auth\cas\CAS\CAS\Client.php: call to CAS_Client->isAuthenticated()
  • line 1078 of \auth\cas\CAS\CAS.php: call to CAS_Client->checkAuthentication()
  • line 117 of \auth\cas\auth.php: call to phpCAS::checkAuthentication()
  • line 89 of \login\index.php: call to auth_plugin_cas->loginpage_hook()
Output buffer:<html><head><title>CAS Authentication failed!</title></head><body><h1>CAS Authentication failed!</h1><p>You were not authenticated.</p><p>You may submit your request again by clicking <a href="http://MY_SERVER_IP/moodle/login/index.php">here</a>.</p><p>If the problem persists, you may contact <a href="mailto:admin@example.com">the administrator of this site</a>.</p><hr><address>phpCAS 1.3.2 using server <a href="https://MY_SERVER_IP:8443/cas/">https://MY_SERVER_IP:8443/cas/</a> (CAS 2.0)</a></address></body></html>
From the Tomcat logs I see that CAS created a ticket (ACTION: SERVICE_TICKET_CREATED), but I do not get (ACTION: SERVICE_TICKET_VALIDATED).

As for the CAS deployment - we have simply downloaded the WAR and it works for other applications. Does the Maven deployment have any influence on Moodle interoperability?

Best regards,

Zbigniew

In reply to Zbigniew Misiak

Re: Problem with CAS based SSO for Moodle 2.7

by jason everling -

Usually, if Moodle is not accepting the ticket, or if CAS is not validating the ticket, it is because of the time on the server; this is the usual issue for us since we use multiple front ends for CAS. Are you storing your tickets in a database or in the in-memory datastore? If in a database like MySQL, then the MySQL server's time also needs to be the same as Moodle's.

I am also certain that LDAP is needed so that it can look up the additional information, such as email address, first name, last name and so on, for users that are not currently in Moodle but have successfully authenticated.

Also, for the user that you are logging in with in Moodle, is the authentication method set to CAS on that user's profile?

Using the Maven build, it will be a lot easier down the road to update and maintain your customized config files, but from Moodle's view it does not make a difference.

Also, double-check the service URL within the CAS Services Management and make sure the URL points to https://yourserver/moodle/login/index.php

JASON

In reply to jason everling

Re: Problem with CAS based SSO for Moodle 2.7

by Zbigniew Misiak -

Hi Jason,

Thanks a lot for your assistance.

Problem solved - it turned out that the portal application had an SSL certificate issued for the name, not the IP, and this caused the problems. With a new certificate, CAS-Moodle SSO works perfectly.

Best regards,

Zbigniew

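The two things the replies above narrow the failure down to, the server-to-server ticket validation that Jason describes (ticket created in the CAS audit log, never validated) and the certificate-issued-for-a-name-not-an-IP mismatch that finally resolved it, can be checked offline with a small script. The following is an added example for this thread, not code from any of the posts, from phpCAS or from Jasig CAS. It assumes certificates in the dict format that Python's ssl.SSLSocket.getpeercert() returns and CAS 2.0 /serviceValidate XML; the hostnames cas.example.edu and 203.0.113.10, the certificate dicts and the two CAS responses are constructed for the example.

```python
"""
Added example (not code from the Moodle thread, phpCAS or Jasig CAS).

Two checks for a CAS 2.0 service-ticket validation failure as seen from Moodle:
  1. Does the certificate the CAS server presents match the hostname that
     Moodle's CAS settings point at?  phpCAS validates a ticket with its own
     HTTPS request to <base>/serviceValidate; when the certificate is issued
     for a DNS name but Moodle was configured with the server's IP address,
     that request fails, so the ticket is created but never validated.
  2. What does the /serviceValidate XML response actually say?
All certificates, hostnames and responses below are constructed samples.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Optional

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used by CAS 2.0 responses


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name match: exact, or a single leftmost wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        # '*.example.edu' matches 'cas.example.edu' but not 'example.edu' or 'a.b.example.edu'
        return "." in hostname and hostname.split(".", 1)[1:] == pattern.split(".", 1)[1:]
    return False


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """
    cert uses the dict layout of ssl.SSLSocket.getpeercert().
    An IP literal only ever matches an 'IP Address' SAN; a DNS SAN or CN does
    not count, which is why a name-only certificate fails once Moodle's CAS
    hostname is set to an IP.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns_sans = [v for k, v in sans if k == "DNS"]
    if dns_sans:
        return any(_dns_name_matches(p, hostname) for p in dns_sans)
    # Fall back to the subject CN only when the certificate has no SAN extension
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def parse_service_validate(xml_text: str) -> dict:
    """Parse a CAS 2.0 /serviceValidate response into a small result dict."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        return {"ok": True, "user": success.findtext("cas:user", default="", namespaces=CAS_NS)}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code", ""), "message": (failure.text or "").strip()}
    raise ValueError("not a CAS 2.0 serviceResponse")


def diagnose(cert: dict, cas_hostname: str, validate_response: Optional[str]) -> str:
    """Order matters: a TLS mismatch means /serviceValidate is never reached at all."""
    if not cert_matches_hostname(cert, cas_hostname):
        return ("TLS hostname mismatch: certificate is not valid for '%s'; phpCAS cannot reach "
                "/serviceValidate, so the ticket is created but never validated" % cas_hostname)
    if validate_response is None:
        return "no serviceValidate response captured"
    result = parse_service_validate(validate_response)
    if result["ok"]:
        return "validated as user %s" % result["user"]
    return "CAS rejected the ticket: %s (%s)" % (result["code"], result["message"])


# Constructed certificate: issued for a DNS name only, no IP SAN
CERT_FOR_NAME = {
    "subject": ((("commonName", "cas.example.edu"),),),
    "subjectAltName": (("DNS", "cas.example.edu"),),
}
# Constructed CAS 2.0 responses (INVALID_SERVICE is the protocol's code for a
# service URL that does not match the one the ticket was granted for)
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>zbigniew</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    ticket 'ST-1-example' does not match supplied service
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(diagnose(CERT_FOR_NAME, "203.0.113.10", SUCCESS_XML))    # the thread's failure mode
    print(diagnose(CERT_FOR_NAME, "cas.example.edu", SUCCESS_XML))
    print(diagnose(CERT_FOR_NAME, "cas.example.edu", FAILURE_XML))  # service URL mismatch
```

To run this against a real deployment, take the certificate dict from a validating ssl handshake (or read the SAN list from openssl s_client output and build the dict by hand) and paste the body of a /serviceValidate call into validate_response; the hostname argument must be exactly what is in Moodle's CAS "hostname" field, since that is the name phpCAS will verify the certificate against.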
In reply to Zbigniew Misiak

Re: Problem with CAS based SSO for Moodle 2.7

by Atif Rasheed -

Hello Jason and Misiak,

I am trying to set up CAS for Moodle 2.8 with CAS Server 4.0.0. I am getting exactly the same error and have no clue what's going wrong, as I don't see anything in the Apache and Tomcat logs. I don't even see that it's a certificate issue, as I am successfully redirected to CAS, but when CAS generates a ticket and redirects to Moodle I get the error below.

Moodle is configured on lms28.teletaaleem.com and the CAS configuration is as below:

Hostname: labs14.teletaaleem.com

BaseURI: cas-server-webapp-4.0.0/

Port:8443

The CAS Server is configured on labs14.teletaaleem.com:8443/cas-server-webapp-4.0.0/ and cas.properties looks like:

server.name=https://labs14.teletaaleem.com:8443

server.prefix=${server.name}/cas-server-webapp-4.0.0

host.name=labs14.teletaaleem.com

I used a Java keystore created using keytool to enable SSL in Tomcat.

Now, after enabling DEBUG, I only see the info below.

Error

Debug info:
Error code: generalexceptionmessage
Stack trace:
  • line 3124 of /auth/cas/CAS/CAS/Client.php: CAS_AuthenticationException thrown
  • line 1409 of /auth/cas/CAS/CAS/Client.php: call to CAS_Client->validateCAS20()
  • line 1296 of /auth/cas/CAS/CAS/Client.php: call to CAS_Client->isAuthenticated()
  • line 995 of /auth/cas/CAS/CAS.php: call to CAS_Client->checkAuthentication()
  • line 143 of /auth/cas/auth.php: call to phpCAS::checkAuthentication()
  • line 89 of /login/index.php: call to auth_plugin_cas->loginpage_hook()
Output buffer: <html><head><title>CAS Authentication failed!</title></head><body><h1>CAS Authentication failed!</h1><p>You were not authenticated.</p><p>You may submit your request again by clicking <a href="http://lms28.teletaaleem.com/login/index.php">here</a>.</p><p>If the problem persists, you may contact <a href="mailto:[no address given]">the administrator of this site</a>.</p><hr><address>phpCAS 1.3.3 using server <a href="https://labs14.teletaaleem.com:8443/cas-server-webapp-4.0.0/">https://labs14.teletaaleem.com:8443/cas-server-webapp-4.0.0/</a> (CAS 2.0)</a></address></body></html>

The log below from Tomcat shows the TGT-Ticket was created and issued to Moodle.

2015-05-12 17:23:19,651 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-7-4K0GqsB6jC0EB2wlAOfy-labs14.teletaaleem.com] for service [http://lms28.teletaaleem.com/login/index.php] for user [tasawar]>

2015-05-12 17:23:19,652 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================

WHO: tasawar

WHAT: ST-7-4K0GqsB6jC0EB2wlAOfy-labs14.teletaaleem.com for http://lms28.teletaaleem.com/login/index.php

ACTION: SERVICE_TICKET_CREATED

APPLICATION: CAS

WHEN: Tue May 12 17:23:19 PKT 2015

CLIENT IP ADDRESS: 110.22.61.69

SERVER IP ADDRESS: 172.31.21.125

=============================================================
In reply to Atif Rasheed

Re: Problem with CAS based SSO for Moodle 2.7

by Atif Rasheed -

It's resolved now. It was actually a certificate issue; not sure about the details, but it was related to the cert somehow. I was previously using the Java keytool, and when I switched to APR/Native, it worked like a charm.

In reply to Atif Rasheed

Re: Problem with CAS based SSO for Moodle 2.7

by cheperobert Alas -

Hello,
What are the settings to be performed on the CAS server? I see the deployerConfigContext.xml file to configure and connect to the database of Moodle.