Single Sign-On using CAS with Drupal 8

One login to rule them all...

NOTE!! This is a work in progress; current issues and goals are at the bottom.

Ever wanted to have a single source of authentication across all of your Drupal sites? Me too.

This will involve two Drupal 8 installs: a Server (the authentication server) and a Client (the site the user is actually trying to use). I'll try to break it down as best I can, exactly as I've done it.

Requirements

Server

  • Drupal 8.2.4
  • CAS Server 8.x-1.0-beta1 with patch
  • You'll most likely need an SSL certificate (https) on the server; I haven't confirmed it's required, but it's strongly advised either way.

Client

I'm not going to go into how to install all of that; I'm hoping you've got it figured out already.

Configuring the Server

This will define which sites may authenticate through your CAS Server. From /admin/config/people/cas_server/services/add:

  • Label: Whatever you want it to be; for me, it was ChrisFeragotti.com
  • Service URL Pattern: I used https://ChrisFeragotti.com/* for mine
  • Participate in single sign on? Yes
  • Released attributes: I kept it simple with just login selected

Configuring the Client

From /admin/config/people/cas

CAS Server

  • Protocol Version: 2.0 or higher
  • Hostname: the CAS Server; for me, dwedow.com
  • Port: 443 (if your server doesn't use https, you may be able to use 80, but I didn't test that)
  • Path: /cas
  • SSL Verification: Verify using your web server's default certificate authority (CA) chain.

General Settings

  • Login Link Enabled: unchecked

User Account Handling

  • Auto Register Users: Checked
  • Email address assignment: Use the CAS username combined with a custom domain name you specify
  • Email Hostname: chrisferagotti.com
  • Automatically assign roles on user registration: unchecked
  • Restrict Password Management: Checked
  • Restrict Email Management: Checked

Gate Feature (Auto Login)

  • Check Frequency: Once per browser session
  • Pages: empty
  • Negate the condition: unchecked

Forced Login

  • Enable: Checked
  • Pages: /user/*
  • Negate the condition: unchecked

Logout Behavior

  • Drupal Logout Triggers CAS Logout: Checked
  • Logout destination: dwedow.com/user/logout
  • Enable single log out? unchecked

Proxy

  • Initialize this client as a proxy? unchecked
  • Allow this client to be proxied? unchecked
  • Allowed proxy chains: empty

Debugging

  • Log debug information? unchecked

Issues

  • Logging out is still buggy
    • I'd prefer that logging out of any site logs you out of all of them (that's just my own preference, though).
  • Logging in to more than one site is also not working - FIXED WITH PATCH
    • To reproduce:
      1. Go to site A
      2. "login"
      3. get sent to login through dwedow.com
      4. get bounced back as logged in to site A
      5. Go to site B
      6. "login"
      7. get error "The website encountered an unexpected error. Please try again later."
    • dwedow logs show the error as:
      • Drupal\Core\Database\DatabaseExceptionWrapper: SQLSTATE[HY000]: General error: 1366 Incorrect integer value: '' for column 'renew' at row 1: INSERT INTO {cas_server_ticket_store} (id, expiration, type, session, user, service, renew) VALUES (:db_insert_placeholder_0, :db_insert_placeholder_1, :db_insert_placeholder_2, :db_insert_placeholder_3, :db_insert_placeholder_4, :db_insert_placeholder_5, :db_insert_placeholder_6); Array ( [:db_insert_placeholder_0] => ST-jWhOLDlLds60XJ9WSpJvEY_5Hoe9yTV3riFPUQUl6es [:db_insert_placeholder_1] => 2017-01-10 11:15:02 [:db_insert_placeholder_2] => service [:db_insert_placeholder_3] => fRiEqNHgCr9PVpfmbSppli624RXsxZMpSTlwtmtptWw [:db_insert_placeholder_4] => cferagotti [:db_insert_placeholder_5] => http://debate.dwedow.com/casservice?returnto=http://debate.dwedow.com/user/login [:db_insert_placeholder_6] => ) in Drupal\cas_server\Ticket\TicketFactory->createServiceTicket() (line 94 of /www/domains/dwedow.com/html/modules/cas_server/src/Ticket/TicketFactory.php).
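As an added illustration (not the cas_server module's own code, and not the patch the author applied), here is a small Python model of what the server's ticket store has to enforce for the flow configured above: service whitelist matching, single-use service tickets bound to one service, expiry, and the renew flag stored as an integer rather than the empty string shown in the log. The fnmatch-style pattern matching and the field names are assumptions modelled on the log; the module's own matching may differ.

```python
import fnmatch
import secrets
from datetime import datetime, timedelta, timezone

# Constructed whitelist mirroring the "Service URL Pattern" setting on the server.
SERVICE_PATTERNS = ["https://chrisferagotti.com/*"]


def service_allowed(service: str) -> bool:
    """Only whitelisted services get tickets. Case-insensitive glob match on the
    full URL (an assumption; the cas_server module's matching may differ)."""
    return any(fnmatch.fnmatch(service.lower(), p.lower()) for p in SERVICE_PATTERNS)


class TicketStore:
    """In-memory stand-in for the cas_server_ticket_store table seen in the log."""

    def __init__(self):
        self.rows = {}

    def create_service_ticket(self, session, user, service, renew=None, ttl=60):
        if not service_allowed(service):
            raise ValueError("service not whitelisted: " + service)
        ticket_id = "ST-" + secrets.token_urlsafe(32)
        self.rows[ticket_id] = {
            "expiration": datetime.now(timezone.utc) + timedelta(seconds=ttl),
            "type": "service",
            "session": session,
            "user": user,
            "service": service,
            # Always store an integer: the log above shows '' being inserted here,
            # which a MySQL integer column in strict mode rejects.
            "renew": int(bool(renew)),
        }
        return ticket_id

    def validate(self, ticket_id, service):
        """CAS 2.0 /serviceValidate semantics: a service ticket is consumed on
        first use, must be bound to the presenting service, and must be unexpired."""
        row = self.rows.pop(ticket_id, None)  # consumed whether or not it validates
        if row is None or row["type"] != "service":
            return None
        if row["service"] != service:
            return None  # ticket issued for a different service
        if datetime.now(timezone.utc) > row["expiration"]:
            return None  # expired
        return row["user"]
```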