CAS SSO and retrieving user profile attributes

by Richard Trout -
Number of replies: 5

When using CAS (SSO) Authentication (and _no_ LDAP), by default the username is retrieved.

So when a user authenticates using CAS for the first time, Moodle creates a new user with this username, and prompts them to complete their Moodle profile.

The Moodle documentation is not specific, but I interpreted that additional user attributes such as email address, first/last names, etc., could be sent in the authentication process, so that the user profile is retrieved by CAS, and the user would not need to complete the information manually.

So can Moodle retrieve the user profile attributes using CAS, or is manual entry or LDAP required?

Using: Moodle 3.1 with CAS Server (SSO) authentication.

Thanks, Richard.

In reply to Richard Trout

Re: CAS SSO and retrieving user profile attributes

by Philippe Siwinski -

Hi Richard,

I have the exact same question. Did you get more knowledge about this situation?

I have seen an old page that mentions plans for a custom CAS plugin (without LDAP) that retrieves CAS attributes:

Future: Custom CAS Plugin with Attribute Support

Can anyone provide some direction?

Thanks, Philippe

In reply to Philippe Siwinski

Re: CAS SSO and retrieving user profile attributes

by Richard Trout -

Hi Philippe

Sadly I couldn't find anything or anyone to help me, so I dug in further by myself.

It seems to me that the CAS (SSO) plugin was in more common use earlier in Moodle's lifetime, and that is why it was in core. CAS has evolved, but the Moodle plugin hasn't.

From what I could tell, the plugin really expects to be used in conjunction with LDAP, as it is the only method it supports to retrieve the user attributes for the Moodle profile. I found CAS works well for authentication. But without parsing user attributes (or retrieving via LDAP) the user is prompted to re-enter the information themselves. It doesn't appear like this is a use-case that Moodle has a good workflow for without modification.

So if you can use CAS _and_ LDAP it would be good; without LDAP you really have to do your own research.

I think SAML

I saw that plugin too, but you'd need to find who was involved with it. In open source projects, some things are often abandoned and that was the assumption I made.

I found CAS works well for authentication.

Regards, Richard.

In reply to Richard Trout

Re: CAS SSO and retrieving user profile attributes

by Dave Perry -

Touching on the SAML point, if you have Shibboleth IdPs in your infrastructure then you can use that. I know you can tie Shibboleth IdPs to CAS, but have no experience of this or which way(s) round that goes.

We use Shibboleth for eResources and Google Apps (whatever it's called now) SSO, and I have proved it works on a test site (passing through all the attributes I configured our IdP to release). Admittedly that uses LDAP as its attributes/credentials source. But until we have our Shibboleth picking up AD logins from the desktop, we're sticking with AD authentication for Moodle as that's SSO from the desktop (unless you're on a Mac - we aren't using the Kerberos Apache plugin and the Macs don't talk NTLM).

In reply to Richard Trout

Re: CAS SSO and retrieving user profile attributes

by MrCasa BLR -

Hello Richard,

In the same boat with CAS 5.0.x JDBC authentication and Moodle 3.1. On successful CAS authentication, I get redirected back to a blank user profile page on Moodle.

I'm hoping someone with more knowledge of CAS LDAP->JDBC attribute mapping & Moodle will throw some light on this.

My table has last_name, first_name, email_primary, phone_number column names. Not sure how to map them, or to which of the LDAP attributes that Moodle expects.

Cheers!

In reply to MrCasa BLR

Re: CAS SSO and retrieving user profile attributes

by Richard Trout -

Sorry, I'm not a guru on authentication and don't think I can really help you.

All I think I have identified is that Moodle's CAS plugin is expected to work in conjunction with LDAP. Using the CAS plugin, CAS is used for single sign-on and then retrieves the matching identity with LDAP. If you don't have LDAP (or don't configure it in the plugin), then you end up with the redirection you and I both experienced. While newer CAS can handle this situation I don't think the Moodle CAS plugin has been kept up-to-date with CAS's capabilities.

You may be able to find an LDAP solution that marries with your JDBC, or you may need to find an alternative that doesn't use CAS.