What is the procedure to obtain CAS between my website and my discourse instance?

sso

(Mohit Gupta) #1

What is the procedure to obtain CAS between my website and my discourse instance?


(Sam Saffron) #2

My understanding is that you would implement SSO. @eriko would have all the details; search for CAS.


(Mohit Gupta) #3

Can you please tell me how I can redirect a user from my website to his profile in my Discourse forum with just a click on a link on my website, irrespective of whether he has ever signed up for my Discourse forum or not?


(eriko) #4

You will need to run discourse_cas_sso as another Rails app, then configure Discourse to use single sign-on (SSO) with this app. Then set Discourse to require a login to access the site (the login required setting). If they access the Discourse site directly or via some landing page, they will be bounced through discourse_cas_sso and logged in. The information passed back to Discourse will either create an account for them or log them into their existing account.

While the username of the person is used to log them into CAS, it is the email address that is used in Discourse to uniquely identify the user with SSO. This means that your CAS server will need to return the user's email address, which is generally not the default. Also, you need to set Discourse to not allow the user to change their email address.

Another thing to note is that the use case for CAS is that it is the one and only source of authentication, and this works well with how SSO works in Discourse. This means that your admin account in Discourse needs to be a valid account in your CAS authentication system, as must all other accounts that access your Discourse.

I hope this helps.


(Kane York) #5

Use a link to discourse.example.net/my/activity or to /my/preferences.


(Mohit Gupta) #6

@riking, I tried those links, but they work only if you have already logged in to your Discourse account. If you have not already logged in to your account, it shows the message “The page you requested doesn’t exist or is private”. I want to log in to my Discourse account directly with a link on my website, irrespective of whether the user is already logged in or not.


(eriko) #7

Turn on require login. People will be forced to log in to access the site before they can see those pages.


(Mohit Gupta) #8

@eriko, can you please elaborate on the setup procedure for discourse_cas_sso? I read the documentation, but it's still not clear to me how this process works and how the parameters are passed between my website and my Discourse forum.
Thank you in advance.


(eriko) #9

Prerequisites:

  • Functioning CAS server that returns username and email address
  • CAS server is using SSL (for testing you can disable this; see here)
  • Read through the first post of the Official Single-Sign-On for Discourse

OK, by “My website” do you mean your CAS server? If so, how it works is:

  1. You hit the login button on your Discourse site, or the site is set to require login to access.
  2. Discourse packages up a payload containing the URL of the Discourse site to return to and a light encryption key.
  3. Your browser is now redirected to the SSO URL configured in Discourse and the above package is sent along.
  4. The discourse_cas_sso app receives the package, stores it, and redirects you to the CAS server.
  5. When you return to the discourse_cas_sso app, there is a package of data from the CAS that lets discourse_cas_sso know that you are logged in and, at minimum, your email address and username.
  6. The email address and username, along with other information, are packaged up using the encryption key sent by Discourse and sent back to Discourse using the return URL from the original package.
  7. Discourse uses this information to either log the person in by matching the email address or create a new user with this information and log them in.

With that out of the way can you tell me what you have done so far?
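
The round trip in steps 2 to 7 above, as an added Ruby example that is not part of the original thread and is not code from discourse_cas_sso or Discourse. It assumes the official Discourse SSO payload format (a base64-encoded query string carrying `nonce` and `return_sso_url`, signed with HMAC-SHA256 under a secret configured on both sides, with `external_id` required in the reply); the function names, secret and sample values are constructed for illustration.

```ruby
require "openssl"
require "base64"
require "uri"

# Constructed value. The real secret is configured on both sides and never travels.
SSO_SECRET = "constructed-example-secret"

def sign(payload, secret)
  OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Steps 2-3, Discourse side: a nonce and the return URL, base64-encoded and signed.
def discourse_request(nonce, return_url, secret)
  payload = Base64.strict_encode64(URI.encode_www_form({ nonce: nonce, return_sso_url: return_url }))
  { "sso" => payload, "sig" => sign(payload, secret) }
end

# Used by both sides: refuse any payload whose signature does not verify.
def verify(params, secret)
  payload = params["sso"].to_s
  raise ArgumentError, "bad SSO signature" unless secure_equal?(params["sig"].to_s, sign(payload, secret))
  URI.decode_www_form(Base64.decode64(payload)).to_h
end

# Steps 5-6, SSO app side: echo the nonce back with the attributes CAS returned.
def build_response(request, user, secret)
  fields = { nonce: request.fetch("nonce"), email: user.fetch(:email),
             external_id: user.fetch(:id), username: user.fetch(:username) }
  payload = Base64.strict_encode64(URI.encode_www_form(fields))
  request.fetch("return_sso_url") + "?" + URI.encode_www_form({ sso: payload, sig: sign(payload, secret) })
end

# Step 7, Discourse side: check the signature, then that the nonce is the one issued.
def discourse_accept(redirect_url, issued_nonce, secret)
  data = verify(URI.decode_www_form(URI(redirect_url).query).to_h, secret)
  raise ArgumentError, "nonce mismatch" unless secure_equal?(data["nonce"].to_s, issued_nonce)
  data
end
```

The nonce check in `discourse_accept` is what ties a reply to the login attempt that started it, so a captured reply cannot be replayed against a different session.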


(Mohit Gupta) #10

@eriko
Thanks for your guidance. After reading this I went through the SSO documentation again and found exactly what I was looking for.


(eriko) #11

Glad to hear that. I have also added my response to the documentation so that it may help others.

Good luck.


(eriko) #12

As I have said a few other times, if you have access to something other than CAS for authentication, you should use it. Also, if you are using newer versions of JASIG CAS, you may be able to use it to do SAML auth.