Single Sign-On using CAS with Drupal 8

NOTE!! This is a work-in-progress, with current issues/goals at the bottom

Ever wanted to have a single source of authentication across all of your Drupal sites? Me too.

This will involve two Drupal (8) installs; a Server (the authentication server) and the Client (the site the user is actually trying to use.) I'll try to break it down the best I can, and exactly as I've done it.

Requirements

Server

• Drupal 8.2.4
• CAS Server 8.x-1.0-beta1 with patch
• Pretty sure you're gonna need an SSL cert/https setup on the server, but not sure. It's at least extremely advised to!

Client

• Drupal 8.2.4
• CAS 8.x-1.0-beta2
• External Authentication 8.x-1.0-alpha4 (a requirement of CAS)

I'm not going to go into how to install all of that; I'm hoping you've got it figured out already.

Configuring the Server

This well define what sites will authenticate through your CAS Server. From the /admin/config/people/cas_server/services/add

• Label: Whatever you want it to be; for me, it was ChrisFeragotti.com
• Service URL Pattern: I used https://ChrisFeragotti.com/* for mine
• Participate in single sign on? Yes
• Released attributes: I kept it simple with just login selected

Configuring the Client

From /admin/config/people/cas

CAS Server

• Protocol Version: 2.0 or higher
• Hostname: the CAS Server; for me, dwedow.com
• Port: 443 (if your server doesn't use https, you may be able to use 80, but I didn't test.)
• Path: /cas
• SSL Verification: Verify using your web server's default certificate authority (CA) chain.

General Settings

• Login Link Enabled: unchecked

User Account Handling

• Auto Register Users: Checked
• Email address assignment: User the CAS username combined with a custom domain name you specify
• Email Hostname: chrisferagotti.com
• Automatically assign roles on user registration: unchecked
• Restrict Password Management: Checked
• Restrict Email Management: Checked

Gate Feature (Auto Login)

• Check Frequency: Once per browser session
• Pages: empty
• Negate the condition: unchecked

Forced Login

• Enable: Checked
• Pages: /user/*
• Negate the condition: unchecked

Logout Behavior

• Drupal Logout Triggers CAS Logout: Checked
• Logout destination: dwedow.com/user/logout
• Enable single log out? unchecked

Proxy

• Initialize this client as a proxy? unchecked
• Allow this client to be proxied? unchecked
• Allowed proxy chains: empty

Debugging

• Log debug information? unchecked

Issues

• Logging out is still buggy
  • I'd prefer a logout of any is a log out of all (that's just my own preference though.)
• Logging in to more than one site is also not working - FIXED WITH PATCH
  • To reproduce:
    1. Go to site A
    2. "login"
    3. get sent to login through dwedow.com
    4. get bounced back as logged in to site A
    5. Go to site B
    6. "login"
    7. get error "The website encountered an unexpected error. Please try again later."
  • dwedow logs show the error as:
    • Drupal\Core\Database\DatabaseExceptionWrapper: SQLSTATE[HY000]: General error: 1366 Incorrect integer value: '' for column 'renew' at row 1: INSERT INTO {cas_server_ticket_store} (id, expiration, type, session, user, service, renew) VALUES (:db_insert_placeholder_0, :db_insert_placeholder_1, :db_insert_placeholder_2, :db_insert_placeholder_3, :db_insert_placeholder_4, :db_insert_placeholder_5, :db_insert_placeholder_6); Array ( [:db_insert_placeholder_0] => ST-jWhOLDlLds60XJ9WSpJvEY_5Hoe9yTV3riFPUQUl6es [:db_insert_placeholder_1] => 2017-01-10 11:15:02 [:db_insert_placeholder_2] => service [:db_insert_placeholder_3] => fRiEqNHgCr9PVpfmbSppli624RXsxZMpSTlwtmtptWw [:db_insert_placeholder_4] => cferagotti [:db_insert_placeholder_5] => http://debate.dwedow.com/casservice?returnto=http://debate.dwedow.com/user/login [:db_insert_placeholder_6] => ) in Drupal\cas_server\Ticket\TicketFactory->createServiceTicket() (line 94 of /www/domains/dwedow.com/html/modules/cas_server/src/Ticket/TicketFactory.php).