Trying to use third-party CAS SSO code

unsupported-install

#1

Hi, I’ve tried to implement Discourse, but after I click login on the Discourse website it redirects me to my CAS page, where I log in, but afterwards it doesn’t redirect me back to Discourse…?

There are no errors; it’s just that it does not return to the Discourse website.

BTW, I’m quite a newbie here.

Thanks in advance.


#2

If I understand correctly, you are trying to make the SSO work but your website where the login takes place does not redirect your users to your Discourse instance.

Your app is the one that needs to do the redirection.

See GitHub - cviebrock/discourse-php: A PHP class for helping with Discourse’s SSO login

// build query string and redirect back to the Discourse site
$query = $sso->getSignInString($nonce, $userId, $userEmail, $extraParameters);
header('Location: http://discourse.example.com/session/sso_login?' . $query);
exit(0);
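The provider-side half of that flow, as an added Ruby example that is not part of this thread, of discourse-php or of discourse_cas_sso: verify the `sso`/`sig` pair Discourse sends, then after the upstream (CAS) login build a fresh signed payload and redirect to the `return_sso_url` Discourse asked for. The secret, URLs, nonce and user attributes are constructed values.

```ruby
require 'openssl'
require 'base64'
require 'uri'
require 'cgi'

# Shared secret: must equal Discourse's sso_secret site setting.
# Constructed value for this example.
SSO_SECRET = 'constructed-example-secret'.freeze

# Discourse signs the base64 payload string as transmitted (not the decoded
# body) with HMAC-SHA256 and sends the hex digest as "sig".
def sign(payload, secret = SSO_SECRET)
  OpenSSL::HMAC.hexdigest('sha256', secret, payload)
end

# Constant-time comparison so the check does not leak which byte mismatched.
def secure_equal?(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 1 (discourse -> provider): verify ?sso=...&sig=... before trusting any
# decoded field. Returns the nonce and return_sso_url, or nil on failure.
def verify_sso_request(sso, sig, secret = SSO_SECRET)
  return nil unless secure_equal?(sign(sso, secret), sig)
  fields = CGI.parse(Base64.decode64(sso))
  nonce = fields['nonce'].first
  return_url = fields['return_sso_url'].first
  return nil if nonce.nil? || return_url.nil?
  { nonce: nonce, return_sso_url: return_url }
end

# Step 2 (provider -> discourse): once CAS has authenticated the user, build a
# NEW signed payload that echoes the nonce (Discourse checks it is one it
# issued) and send the browser back to return_sso_url. external_id, email and
# username would come from the CAS attributes.
def build_sign_in_redirect(nonce:, return_sso_url:, external_id:, email:, username:, secret: SSO_SECRET)
  body = URI.encode_www_form(nonce: nonce, external_id: external_id, email: email, username: username)
  payload = Base64.strict_encode64(body)
  "#{return_sso_url}?#{URI.encode_www_form(sso: payload, sig: sign(payload, secret))}"
end
```

If the browser arrives back at Discourse carrying the same `sso` payload it left with, step 2 never ran, which is the symptom described later in this thread.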

#4

My CAS uses “service”, but Discourse needs payload & sig. Can’t I modify Discourse to use “service” for the login process? My guess is that CAS doesn’t know what to do.

Is it even possible…? To use Discourse with the “service” param from CAS?


#5

Anyone else? I’m not using DiscoursePHP; I used the default plugin discourse_cas_sso :frowning: for the Discourse installation, but after login I can’t manage to redirect back to the Discourse page :frowning:

Thanks in advance. Up.


(Bhanu Sharma) #6

The redirect back to Discourse is something to be handled by your CAS, if I’m not wrong.


#7

Well, the CAS works for other instances, but when I’m trying to log in from Discourse it does not redirect me back… :-? I went through most topics but found nothing that resembles my problem. Probably they don’t use the same protocols?? And CAS does not know what to do with the data that Discourse is sending… my guess :-? Any help about how I could solve this? Thanks for any advice.


(Stephen) #8

If you’re using a third-party plugin for your CAS (discourse_cas_sso), have you tried asking the author?

Is it this one? GitHub - eriko/discourse_cas_sso: An app that proxy connects CAS authentication to discourse via the discourse sso api


#9

Yes, that’s the one. Nope, I didn’t ask the author… I saw in a comment something relevant, but there were few details and it was an old topic about CAS and Discourse… around 2014-2015 ~


(Stephen) #10

As it’s third-party code we don’t support it here - you’re going to need to reach out to the author; we can’t help you fix their stuff.


#11

I was only hoping for advice on how to make the link between CAS and Discourse work; maybe someone else had the same problem and didn’t find the answer either :smiley:


(Stephen) #12

Sure, but we support Discourse here, not code that third parties have written to work with it. It’s a complete unknown quantity.


#13

Well… you’re right, but I only followed the tutorials hoping they work. Thanks anyway, I’ll try to ask the author.


(eriko) #14

You should have @’ed me. I do still support this, though, as I have said elsewhere, if you have the option of any other auth method I would try that.

That said, you said that discourse_cas_sso does not redirect you back to your Discourse instance. So where does it direct you to, or where does it stop?

The pattern should be something like

discourse -> discourse_cas_sso -> cas server -> discourse_cas_sso -> discourse

Where does it stop?

Also you might look at the other topics that I have posted in supporting this.


#15

Hi @eriko, thanks for replying. It stops here: discourse -> discourse_cas_sso -> cas server, and it does not redirect me anywhere.
I kind of looked up your previous posts, but I didn’t quite get what I was looking for… after the CAS log-in it stops, like it doesn’t know what to do next, but the link after the log-in success has a payload and sig… uhm…
I’m quite a newbie at this :disappointed_relieved:, I even reinstalled it a few times and made a test VM so I could modify it freely.


(eriko) #16

Which CAS server are you using: Jasig, ruby-cas-server, Casino? That said, if your CAS server is not sending you back to discourse_cas_sso then I would suggest starting there. You might also look at the return URL that is encoded into the URL that sends you to the CAS server. It should point back to discourse_cas_sso.


#17

Jasig (Apereo, right?). After a few attempts on the Discourse app it now returns something in the verbose log:

Verbose info

Verbose SSO log: Started SSO process

add_groups:
admin:
moderator:
avatar_force_update:
avatar_url:
bio:
card_background_url:
email:
external_id:
groups:
locale:
locale_force_update:
name:
nonce: d520a9e72cac6b3d30198e5742b34bdc
profile_background_url:
remove_groups:
require_activation:
return_sso_url: http://-------/session/sso_login
suppress_welcome_message:
title:
username:
website:

Verbose backtrace


Verbose env
hostname discoursetest-app
process_id 435
application_version f84255e71bf374e827cd5a16a7beb71433606bfa
HTTP_HOST -----------------
REQUEST_URI /session/sso?return_path=%2F
REQUEST_METHOD GET
HTTP_USER_AGENT Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
HTTP_ACCEPT text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
HTTP_REFERER ------------------------------
HTTP_X_FORWARDED_FOR --------, --------
HTTP_X_REAL_IP -------
params
return_path /

As far as I can see there is no return path :-?

Am I doing something wrong…? Or missed something…?

EDIT: When the redirect to CAS occurs, the encoded payload that is sent with the URL does not change after successful authentication. Shouldn’t it change?

EDIT2: Probably it doesn’t reach discourse_cas_sso, even though the auth is a success… if the payload does not change, right :-?
Should I write some additional information or…? I keep looking into the files but I can’t seem to reach a conclusion. Besides the Discourse logs from above I don’t have any warnings or errors so far… maybe I missed something or it needs additional settings…? Thanks for your replies, btw. @eriko


(eriko) #18

The URL when in CAS should have a ‘service=htt…’ tagged on to the end that points back to the discourse_cas_sso server.

Question: is your CAS server set up to return an email address in addition to a name?
If so, are the following settings correct in the config file?

configatron.cas.email_attribute = 'UserPrincipalName' # CAS attribute containing user's e-mail. Example: 'UserPrincipalName'
configatron.cas.name_attribute = 'Name' # CAS attribute containing user's username. Example: 'Name'

You might also check that the secrets match while you are in the file.

That said, if you have the option of using anything else, like SAML, which newer CAS servers can provide, I would suggest using that.


#19

Any hints about how I should implement the “service=htt…”?? I’m not finding anything relevant about that. I thought it does that on its own, but I tried and modified a lot of things to make it work and nothing happened. For the configatron cas.email and name I tried the default and “email” / “username”; none seems to work… I’m required to use CAS, nothing else :frowning:.
As for the CAS, I made a CAS test setup myself and a Discourse instance to test the connection. I put in the necessary settings for returning the email, but it still failed. What’s worse is that it doesn’t return any warnings/errors that could help me ^^ :frowning:. I have been reading almost everything about this topic. Anything that I should attach here for more detailed help? Maybe I messed up or misconfigured something and I don’t see it, because every time I do the same things when I try to modify or change something ^^. Thanks for the reply @eriko

Edit: should the “service=//” be sent from CAS or Discourse? Tried from CAS but it does not seem to work :-? Maybe I’m not doing it right ^.


(eriko) #20

discourse_cas_sso should just send along the return URL to the CAS server so that the CAS server can both make sure you are authorized to authenticate and send you back to discourse_cas_sso.

https://cas.fake.com/cas/login?service=https%3A%2F%2Fdiscourse-staff-cas-sso.fake.com%2Fauth%2Fcas%2Fcallback%3Furl

As to why that is not happening I am at a loss. It is actually omniauth-cas doing that work, and I have never had an issue with that part.

(edit grammar)