Hi all,
A few months back, I had problems trying to configure egroupware
1.6 with Jasig CAS in order to get SSO. After a few days dealing with it
I was able to get it working, but now I’m having no success with egroupware
1.8.
I downloaded egroupware 1.8 for my environment (Debian Lenny) and
installed the latest version of phpCAS, php5-curl and the curl package. When I
enter the setup page of egroupware I put in this configuration:
[…]
Authentication / Accounts
Select which type of authentication are you using [ CAS ]
Activate safe passwords [ No ]
Allow authentication via cookie [ Yes ]
[…]
if using cas (Central Authentication Service):
cas server host name: test.mydomain.com
cas server port: 443
cas server uri: /cas
Authentication mode: PHP-Proxy
SSL Validation: No
In egroupware 1.6 I was able to get it working using PHP Client, but as
far as I know, since the 1.8 code I have to use PHP Proxy instead.
(According also to the VERY LITTLE information that appears regarding
this in the egroupware website 1:
I set the debug option “on” in the login.php of egroupware to see what is
going on, and here is the output when I try to authenticate myself to
http://test.mydomain.com/egroupware
6641 .START phpCAS-1.1.2 ****************** [CAS.php:494]
6641 .=> phpCAS::proxy(‘2.0’, ‘ldap.mydomain.com’, 8443, ‘cas’)
[login.php:64]
6641 .| => CASClient::CASClient(‘2.0’, true, ‘ldap.mydomain.com’,
8443, ‘cas’, true) [CAS.php:446]
6641 .| | Starting a new session [client.php:599]
6641 .| <= ''
6641 .<= ''
6641 .=> phpCAS::setNoCasServerValidation() [login.php:87]
6641 .<= ''
6641 .=> phpCAS::forceAuthentication() [login.php:90]
6641 .| => CASClient::forceAuthentication() [CAS.php:969]
6641 .| | => CASClient::isAuthenticated() [client.php:868]
6641 .| | | => CASClient::wasPreviouslyAuthenticated()
[client.php:973]
6641 .| | | | neither user not PGT found [client.php:1091]
6641 .| | | <= false
6641 .| | | no ticket found [client.php:1024]
6641 .| | <= false
6641 .| | => CASClient::redirectToCas(false) [client.php:877]
6641 .| | | => CASClient::getServerLoginURL(false, false)
[client.php:1121]
6641 .| | | | => CASClient::getURL() [client.php:360]
6641 .| | | | | Final URI:
https://test.mydomain.com/egroupware/login.php?phpgw_forward=%
2Findex.php [client.php:2653]
6641 .| | | | <=
'https://test.mydomain.com/egroupware/login.php?phpgw_forward=%
2Findex.php’
6641 .| | | <=
'https://ldap.mydomain.com:8443/cas/login?service=https%3A%2F%
2Ftest.mydomain.com%2Fegroupware%2Flogin.php%3Fphpgw_forward%3D%
252Findex.php’
6641 .| | | Redirect to :
https://ldap.mydomain.com:8443/cas/login?service=https%3A%2F%
2Ftest.mydomain.com%2Fegroupware%2Flogin.php%3Fphpgw_forward%3D%
252Findex.php
6641 .| | | exit()
6641 .| | | -
6641 .| | -
6641 .| -
CA3F .START phpCAS-1.1.2 ****************** [CAS.php:494]
CA3F .=> phpCAS::proxy(‘2.0’, ‘ldap.mydomain.com’, 8443, ‘cas’)
[login.php:64]
CA3F .| => CASClient::CASClient(‘2.0’, true, ‘ldap.mydomain.com’,
8443, ‘cas’, true) [CAS.php:446]
CA3F .| | Starting a new session [client.php:599]
CA3F .| | ST or PT ‘ST-391-3f4j7TCPhqHyWY3UgrBK-cas’ found
[client.php:676]
CA3F .| <= ''
CA3F .<= '‘
CA3F .=> phpCAS::setNoCasServerValidation() [login.php:87]
CA3F .<= ‘‘
CA3F .=> phpCAS::forceAuthentication() [login.php:90]
CA3F .| => CASClient::forceAuthentication() [CAS.php:969]
CA3F .| | => CASClient::isAuthenticated() [client.php:868]
CA3F .| | | => CASClient::wasPreviouslyAuthenticated()
[client.php:973]
CA3F .| | | | neither user not PGT found [client.php:1091]
CA3F .| | | <= false
CA3F .| | | PT ST-391-3f4j7TCPhqHyWY3UgrBK-cas' is present [client.php:1002]
CA3F .| | | => CASClient::validatePT('', NULL, NULL) [client.php:1003]
CA3F .| | | | => CASClient::getURL() [client.php:480]
CA3F .| | | | | Final URI: https://test.mydomain.com/egroupware/login.php?phpgw_forward=%2Findex.php [client.php:2653]
CA3F .| | | | <= 'https://test.mydomain.com/egroupware/login.php?phpgw_forward=%2Findex.php'
CA3F .| | | | => CASClient::readURL('https://ldap.mydomain.com:8443/cas/proxyValidate?service=https%3A%2F%2Ftest.mydomain.com%2Fegroupware%2Flogin.php%3Fphpgw_forward%3D%252Findex.php&ticket=ST-391-3f4j7TCPhqHyWY3UgrBK-cas&pgtUrl=https%3A%2F%2Ftest.mydomain.com%2Fegroupware%2Flogin.php', '', NULL, NULL, NULL) [client.php:2504]
C218 .START phpCAS-1.1.2 ****************** [CAS.php:494]
C218 .=> phpCAS::proxy('2.0', 'ldap.mydomain.com', 8443, 'cas') [login.php:64]
C218 .| => CASClient::CASClient('2.0', true, 'ldap.mydomain.com', 8443, 'cas', true) [CAS.php:446]
C218 .| | Starting a new session [client.php:599]
C218 .| <= ''
C218 .<= ''
C218 .=> phpCAS::setNoCasServerValidation() [login.php:87]
C218 .<= ''
C218 .=> phpCAS::forceAuthentication() [login.php:90]
C218 .| => CASClient::forceAuthentication() [CAS.php:969]
C218 .| | => CASClient::isAuthenticated() [client.php:868]
C218 .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:973]
C218 .| | | | neither user not PGT found [client.php:1091]
C218 .| | | <= false
C218 .| | | no ticket found [client.php:1024]
C218 .| | <= false
C218 .| | => CASClient::redirectToCas(false) [client.php:877]
C218 .| | | => CASClient::getServerLoginURL(false, false) [client.php:1121]
C218 .| | | | => CASClient::getURL() [client.php:360]
C218 .| | | | | Final URI: https://test.mydomain.com/egroupware/login.php [client.php:2653]
C218 .| | | | <= 'https://test.mydomain.com/egroupware/login.php'
C218 .| | | <= 'https://ldap.mydomain.com:8443/cas/login?service=https%3A%2F%2Ftest.mydomain.com%2Fegroupware%2Flogin.php'
C218 .| | | Redirect to : https://ldap.mydomain.com:8443/cas/login?service=https%3A%2F%2Ftest.mydomain.com%2Fegroupware%2Flogin.php
C218 .| | | exit()
C218 .| | | -
C218 .| | -
C218 .| -
CA3F .| | | | <= true
CA3F .| | | | => CASClient::renameSession('ST-391-3f4j7TCPhqHyWY3UgrBK-cas') [client.php:2567]
CA3F .| | | | | Session ID: ST3913f4j7TCPhqHyWY3UgrBKcas [client.php:737]
CA3F .| | | | | Restoring old session vars [client.php:740]
CA3F .| | | | <= ''
CA3F .| | | <= true
CA3F .| | | PTST-391-3f4j7TCPhqHyWY3UgrBK-cas’ was validated
[client.php:1004]
CA3F .| | | start validatePGT()
CA3F .| | | not found [client.php:1998]
CA3F .| | | => CASClient::authError(‘Ticket validated but no
PGT Iou transmitted’,
‘https://ldap.mydomain.com:8443/cas/proxyValidate?service=https%3A%2F%
2Ftest.mydomain.com%2Fegroupware%2Flogin.php%3Fphpgw_forward%3D%
252Findex.php&ticket=ST-391-3f4j7TCPhqHyWY3UgrBK-cas&pgtUrl=https%3A%2F%
2Ftest.mydomain.com%2Fegroupware%2Flogin.php’, false, false,
’<cas:serviceResponse xmlns:cas=‘http://www.yale.edu/tp/cas’>
<cas:authenticationSuccess><cas:user>jrosental</cas:user>
</cas:authenticationSuccess></cas:serviceResponse>’) [client.php:2004]
CA3F .| | | | => CASClient::getURL() [client.php:2713]
CA3F .| | | | <=
'https://test.mydomain.com/egroupware/login.php?phpgw_forward=%
2Findex.php’
CA3F .| | | | CAS URL:
https://ldap.mydomain.com:8443/cas/proxyValidate?service=https%3A%2F%
2Ftest.mydomain.com%2Fegroupware%2Flogin.php%3Fphpgw_forward%3D%
252Findex.php&ticket=ST-391-3f4j7TCPhqHyWY3UgrBK-cas&pgtUrl=https%3A%2F%
2Ftest.mydomain.com%2Fegroupware%2Flogin.php [client.php:2714]
CA3F .| | | | Authentication failure: Ticket validated but
no PGT Iou transmitted [client.php:2715]
CA3F .| | | | Reason: no CAS error [client.php:2728]
CA3F .| | | | CAS response: <cas:serviceResponse
xmlns:cas=‘http://www.yale.edu/tp/cas’>
<cas:authenticationSuccess>
<cas:user>jrosental</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse> [client.php:2734]
CA3F .| | | | exit()
CA3F .| | | | -
CA3F .| | | -
CA3F .| | -
CA3F .| -
Regards.
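
The failure in the log above, as an added diagnostic example (not part of the original post, and not phpCAS or egroupware code): it parses a CAS 2.0 proxyValidate response and reports whether a `pgtUrl` was requested but no `<cas:proxyGrantingTicket>` (the PGT IOU) came back, which is the condition phpCAS logs as "Ticket validated but no PGT Iou transmitted". The function name `diagnose`, the status strings and the PGTIOU sample value are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# proxyValidate URL as logged by phpCAS in the post.
VALIDATE_URL = (
    "https://ldap.mydomain.com:8443/cas/proxyValidate"
    "?service=https%3A%2F%2Ftest.mydomain.com%2Fegroupware%2Flogin.php"
    "%3Fphpgw_forward%3D%252Findex.php"
    "&ticket=ST-391-3f4j7TCPhqHyWY3UgrBK-cas"
    "&pgtUrl=https%3A%2F%2Ftest.mydomain.com%2Fegroupware%2Flogin.php"
)

# Response body from the log, with the element tags written out in full.
RESPONSE_FROM_LOG = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationSuccess><cas:user>jrosental</cas:user>"
    "</cas:authenticationSuccess></cas:serviceResponse>"
)

# Constructed sample: the same response when the pgtUrl callback succeeded.
RESPONSE_WITH_PGTIOU = RESPONSE_FROM_LOG.replace(
    "</cas:user>",
    "</cas:user><cas:proxyGrantingTicket>PGTIOU-0-constructed-example"
    "</cas:proxyGrantingTicket>",
)


def diagnose(validate_url, response_xml):
    """Classify a CAS 2.0 validation response as (status, user, detail)."""
    root = ET.fromstring(response_xml)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return ("auth-failure", None, failure.get("code"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return ("malformed", None, None)
    user = (success.findtext("cas:user", "", CAS_NS) or "").strip()
    pgtiou = (success.findtext("cas:proxyGrantingTicket", "", CAS_NS) or "").strip()
    # Was proxy mode requested at all? Look for pgtUrl in the validation call.
    pgt_url = parse_qs(urlsplit(validate_url).query).get("pgtUrl", [None])[0]
    if pgt_url is None:
        return ("no-proxy-requested", user, None)
    if pgtiou:
        return ("proxy-ok", user, pgtiou)
    # Ticket is valid, but the CAS server issued no PGT for this callback URL.
    return ("pgtiou-missing", user, pgt_url)


if __name__ == "__main__":
    print(diagnose(VALIDATE_URL, RESPONSE_FROM_LOG))
    print(diagnose(VALIDATE_URL, RESPONSE_WITH_PGTIOU))
```

In CAS 2.0 the server includes the PGT IOU only after its own HTTPS callback to the `pgtUrl` has succeeded, so a `pgtiou-missing` result points at that leg: reachability of the egroupware host from the CAS server and the CAS server's trust in its certificate. The "SSL Validation: No" setting (`phpCAS::setNoCasServerValidation()`) only relaxes the client's check of the CAS server certificate and does not affect the callback.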