Add CAS Authentication for VuFind VUFIND-422

[misilot]

Supports CAS authentication with the ability to set configuration via config.ini

[misilot]

Supersedes #12

[misilot]

@bemosior this should resolve the issue you were having.

[bemosior]

I got this mostly implemented today. For the most part, everything appears to be working well.

Thoughts/questions:

• Is there a way to assign the VuFind username (or other attributes) as the CAS principal? A workaround is to also pass the username as a SAML attribute, but it would be easier to say username = principal or username = username.
• One of the available attributes should be the cat_password, since (at least in some cases) the catalog password is an attribute that can be passed by CAS.
  • There would also have to be logic to handle both cat_password and cat_pass_enc (the encrypted catalog password), as the case may be. I haven't checked the code, but VuFind might automatically handle that part.
• If a target URL is specified (such as /vufind/, the user fails to be logged in (login button remains) unless they physically access /vufind/MyResearch/Home. This may just be a VuFind quirk.
• In the config.ini, Required: CAS server URL makes more sense to be Required: CAS Hostname.

That's all I found. Thanks for putting this together!

[misilot]

Is there a way to assign the VuFind username (or other attributes) as the CAS principal?

What do you mean by this, that is what the cat_username is for no?

One of the available attributes should be the cat_password, since (at least in some cases) the catalog password is an attribute that can be passed by CAS.

I am working on adding the cat_password field to both the CAS and Shibboleth Auth (https://github.com/misilot/vufind/commit/86f4d41780c7b4eb8d9c333f7b59d3bdecf9491a and #15 ). The cat_pass_enc I am not sure we can add, at least how VuFind is currently written. @demiankatz, what do you think?

If a target URL is specified (such as /vufind/, the user fails to be logged in (login button remains) unless they physically access /vufind/MyResearch/Home. This may just be a VuFind quirk.

I think this is a VuFind quirk, as I think this is how it acted. Not sure if there is a way or where a good place would be in order to add in a \phpCAS::checkAuthentication(); at some point on every page load (that would require running the Auth() script everytime though as well, so phpCAS could be initialized.

In the config.ini, Required: CAS server URL makes more sense to be Required: CAS Hostname.
Made change see ef1871b

[bemosior]

What do you mean by this, that is what the cat_username is for no?

VuFind uses an internal username for the MySQL entry it adds. For user identification and debugging purposes it might be nice to populate that with the principal, while cat_username and cat_password remain ILS-specific.

Thanks!

[misilot]

This is what sets the VuFind username in the database. Not sure if I am still missing something.

[bemosior]

It might just be confusion on my part. CAS returns a principal in the SAML assertion that is literally what the user types into the username field. The question is which "attribute" can be used to to assign the principal to a VuFind user field.

In the below example, "bemosior" is the principal:

<saml1:AttributeStatement>
    <saml1:Subject>
        <saml1:NameIdentifier>bemosior</saml1:NameIdentifier>
        <saml1:SubjectConfirmation>
            <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
        </saml1:SubjectConfirmation>
    </saml1:Subject>
    <saml1:Attribute AttributeName="sn" AttributeNamespace="http://www.ja-sig.org/products/cas/">
        <saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Mosior</saml1:AttributeValue>
    </saml1:Attribute>
    <saml1:Attribute AttributeName="catalog_barcode" AttributeNamespace="http://www.ja-sig.org/products/cas/">
        <saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">123456789</saml1:AttributeValue>
    </saml1:Attribute>
</saml1:AttributeStatement>

It doesn't seem to have an attribute name in the same sense as "catalog_barcode".

[demiankatz]

Regarding running \phpCAS::checkAuthentication(); on every page load, you might be able to achieve that with ZF2's event system if it's actually necessary.... but I don't know enough about CAS to fully understand the situation; is there a way to force targets to route throught MyResearch/Home so that this is unnecessary?

[misilot]

@bemosior the saml1:NameIdentifier attribute can be gotten from the function phpCAS::getUser(), and it will return the username in whatever case the user entered it. For example. If I enter mIsILOt it will return mIsILOt, or if I enter misilot it will return misilot. I would think most people would want to pull the username from CAS as an authoritative attribute if they are going to be storing in a database as such. That is why I used the attribute uid as that contains their username that is in LDAP. Is it not possible to get an attribute from CAS for the principal?

[demiankatz]

I agree that it sounds like you wouldn't want to use the raw user input as the VuFind username, as that could cause weird inconsistent behavior. If anything, perhaps you would want to log that as a debug message or something.

[bemosior]

@misilot and @demiankatz, that's a good point. I forgot that I had encountered a similar issue like that before (we ended up dealing with it cheaply by using fn:toLowerCase because the situation allowed), so the username question is a non-issue.

As far as the PR, I think we're in good shape once the cat_password is routed through saveCredentials().

[misilot]

@bemosior When you have a chance can you test this? Thanks!

[bemosior]

I'm away on vacation and unable to test until the 26th; I apologize for the delay!

[misilot]

@bemosior No problem. Thanks :) Enjoy your vacation.

[demiankatz]

Too bad regarding phpCAS -- sounds like dev-master is the best option for now, but we should change it to a stable release as soon as that becomes possible.

I need to read up on all the features of the PR system; I know that I could be using it better than I am at the moment, but I haven't taken the time to study all the possibilities.

[misilot]

Made recommended changes for storing the cat_password as a temp value.

[bemosior]

I had an interesting problem with getting the catalog password to be populated. After some debugging, I found a typo:

--- a/module/VuFind/src/VuFind/Auth/CAS.php
+++ b/module/VuFind/src/VuFind/Auth/CAS.php
@@ -157,7 +160,7 @@ class CAS extends AbstractBase

         // Save credentials if applicable:
         if (!empty ($catPassword) && !empty($user->cat_username)) {
-           $user->saveCredentials($user->cat_username, $casPassword);
+           $user->saveCredentials($user->cat_username, $catPassword);

         }

That seems to fix the issue for both encrypted and unencrypted catalog password fields.

I'm also having problems with convincing VuFind to use those credentials to authenticate against the ILS, but that is probably a local config issue. I'll work on figuring it out in the meantime (I need to anyway).

[misilot]

Since there have been a couple of releases since I created this PR, I am going to replace this PR with a current one, so it can be included possible in one of the next releases.

I will close this PR once the new one is made. (That way I can find the code :) )

[demiankatz]

Sounds good -- I don't think there have been any major changes that should affect this code, so hopefully updating the PR won't be too much work. I've been waiting to hear more from Benjamin before merging this -- any news on those ILS authentication issues?

[bemosior]

I'm having some idiot issues with Voyager authentication and VF2. I'll post on the list early next week to hopefully work through it, but there's no reason the CAS authentication shouldn't work based on the testing I completed previously.

[demiankatz]

Thanks for the clarification. In that case, I'll review and merge the new PR as soon as it arrives.