Posts: 25
Threads: 6
Joined: Mar 2010
Reputation:
0
Hopefully this post is in the right place? Perhaps it's better suited to be in Feature Requests or maybe Modules? Just like to know if anyone has traveled down the path of CAS for FormTools authentication and if so wouldn't mind sharing.
Perhaps this could be a new module for FormTools? Never done module development, but it sounds like it might be worthwhile? Comments? Suggestions?
Posts: 2,456
Threads: 39
Joined: Dec 2008
Reputation:
6
Hi Marcat,
Very cool! Single sign-on is always useful - drives me barmy having to log into WordPress, the bug tracker, the admin section, Form Tools all separately.
I haven't tried it myself, no. But when I wrote the API I deliberately added custom functions for logging in via PHP so you could use them to sign in to multiple applications simultaneously. Similarly, there are functions for creating and updating existing accounts.
I'd be very interested in learning more about how to CASify Form Tools, but I don't really have time to investigate it independently. But if you do get anywhere, I'd love to hear about it!
- Ben
Posts: 25
Threads: 6
Joined: Mar 2010
Reputation:
0
Thanks for the reply Ben!
I actually have a proof of concept working. It was pretty simple to add the necessary code. Only had to touch 3 files, /index.php, /global/session_start.php and /global/code/accounts.php.
My approach was to force authentication through CAS and have the CAS server pass back the username. This username would then have to match the FormTools account username. Since the user has already authenticated, FormTools doesn't really need to know their password, so for ease of use, every FormTools Account will have the same password...
Though I've not yet integrated the messaging/language functionality, I will plan on getting around to that when I have time. I really like the way that works! SLICK! The included language file is impressive...
Posts: 2,456
Threads: 39
Joined: Dec 2008
Reputation:
6
Wow, nice work.
So just so I understand how it works, there's no way for users to reach the FT pages without having already authenticated through CAS? Very cool.
- Ben
Posts: 25
Threads: 6
Joined: Mar 2010
Reputation:
0
That's correct, the existing FT login form is never seen by the user. Our CAS server takes care of each authentication through a central LDAP server. Using this approach, all we need to enable a new client is their login ID; we don't need to know or even care what their password is.
All notifications of whether credentials are correct are taken care of by CAS.
Other than bypassing the login/logout page and notifications displayed on it, users' FT experience is the same.
-marcat
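The flow described in this thread (CAS authenticates, hands back a username, and that username must match a local account) sketched as an added example; it is not code from the thread, from Form Tools, or from a CAS client library. It assumes a CAS 2.0 `serviceValidate` XML response; `cas_username`, `local_account`, the account array layout and the sample responses are hypothetical and constructed for illustration. The local lookup is keyed on the validated username alone, so no local password takes part in it.

```php
<?php
// Added example: hypothetical helper names, constructed sample data.
const CAS_NS = 'http://www.yale.edu/tp/cas';

// Return the username from a CAS 2.0 serviceValidate body, or null (fail closed).
function cas_username(string $xml): ?string
{
    if ($xml === '') {
        return null;
    }
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml, LIBXML_NONET); // no network fetches while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || $doc->doctype !== null) {    // malformed, or carries a DTD
        return null;
    }
    $root = $doc->documentElement;
    if ($root->namespaceURI !== CAS_NS || $root->localName !== 'serviceResponse') {
        return null;
    }
    $success = $doc->getElementsByTagNameNS(CAS_NS, 'authenticationSuccess');
    $users = $doc->getElementsByTagNameNS(CAS_NS, 'user');
    // Exactly one success element, with exactly one user element directly inside it.
    if ($success->length !== 1 || $users->length !== 1
        || !$users->item(0)->parentNode->isSameNode($success->item(0))) {
        return null;
    }
    $user = trim($users->item(0)->textContent);
    return $user !== '' ? $user : null;
}

// Map the CAS username to a local account row; unknown or inactive users get null.
function local_account(?string $casUser, array $accounts): ?array
{
    foreach ($accounts as $row) {
        if ($casUser !== null && $row['username'] === $casUser && $row['active']) {
            return $row;
        }
    }
    return null;
}

// Constructed sample data (not from the thread).
$accounts = [['id' => 7, 'username' => 'jdoe', 'active' => true]];
$good = '<cas:serviceResponse xmlns:cas="' . CAS_NS . '"><cas:authenticationSuccess>'
      . '<cas:user>jdoe</cas:user></cas:authenticationSuccess></cas:serviceResponse>';
$bad = '<cas:serviceResponse xmlns:cas="' . CAS_NS . '"><cas:authenticationFailure '
     . 'code="INVALID_TICKET">not recognized</cas:authenticationFailure></cas:serviceResponse>';
var_dump(local_account(cas_username($good), $accounts)['id'] ?? null);
var_dump(local_account(cas_username($bad), $accounts));
```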
Posts: 6
Threads: 2
Joined: Jul 2012
Reputation:
0
Marcat, I am very interested in doing this. Could you pass along the modified files and more detailed instructions?