SoFunction
Updated on 2024-11-13

Example of how to integrate CAS single sign-on with Django

CAS stands for Central Authentication Service, which is one way to implement Single Sign-On (SSO).

The communication flowchart of CAS is shown below (image from Google Gallery):

At the level the user can observe, the authentication process covered in this article is as follows:

  1. The front end accesses the back-end login interface
  2. The back end returns a redirect to the CAS server's login page, carrying a link to the page the current user was visiting
  3. The user logs in, and the browser sends the request to the CAS server for authentication
  4. CAS authentication passes, the login is saved to the session, and the callback address is returned to the back end
  5. The back end returns the redirect request to the front end
  6. The front end redirects to the page the user was on before jumping to login

The TGT handling logic involved is already implemented by the open-source CAS client (python-cas).

Be aware that the CAS server applies its own filtering conditions, such as a domain whitelist, so you need to add the domain name or IP of the new system to the CAS server configuration when integrating it.

For security reasons, CAS generally does not support cross-domain requests, so development with a separated front end and back end may be more troublesome. (There seems to be a solution, but I haven't tried it.)

Integrating CAS

Because this was my first contact with CAS, I started a CAS server locally to make debugging easier.

The CAS client is the part that gets integrated into the actual Django code that we develop.

CAS server

There are a lot of CAS projects on GitHub; I chose a Django-based one, the django-mama-cas application.

Configuration

Create the django-cas-server project (the name passed to startproject must be a valid Python identifier, hence the underscores):

django-admin startproject django_cas_server

Install the django-mama-cas dependency:

pip install django-mama-cas

Add the 'mama_cas' application to INSTALLED_APPS:

INSTALLED_APPS = [
  ...
  'mama_cas',
]

Add the mama_cas routes to the project's URL configuration:

from django.urls import include, path
urlpatterns += [path('', include('mama_cas.urls'))]

Configure CAS information:

MAMA_CAS_SERVICES = [
  {
    # Required: the **client** address (IP:port); this acts as a whitelist entry
    'SERVICE': 'http://127.0.0.1:8000',
    # Callback patterns, see official documentation
    'CALLBACKS': [
      'mama_cas.callbacks.user_model_attributes',
    ],
  },
]
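The SERVICE entry above is the whitelist, and django-mama-cas documents it as a Python regular expression, so a bare URL admits more than the one client. The following is an added example, not code from the original article or from django-mama-cas; it assumes the pattern is applied with re.match(), and the sample URLs and the helpers `admitted`, `origin_of` and `unintended` are constructed for illustration.

```python
import re

# Constructed sample service URLs: the real client plus lookalikes that
# only share its leading characters.
SAMPLE_URLS = [
    "http://127.0.0.1:8000",                    # the client, as sent at login
    "http://127.0.0.1:8000/login?next=%2F",     # the client, with a path
    "http://127.0.0.1:80000/",                  # other port, same prefix
    "http://127.0.0.1:8000.lookalike.example/", # other host, same prefix
    "http://127a0b0c1:8000/",                   # unescaped "." matches any char
]
CLIENT_ORIGIN = "http://127.0.0.1:8000"

WEAK = "http://127.0.0.1:8000"                  # value used in the article
STRICT = r"^http://127\.0\.0\.1:8000(/.*)?\Z"   # escaped dots, anchored end


def admitted(pattern, urls):
    """Return the URLs a SERVICE pattern would whitelist.

    Assumption: the pattern is compiled and applied with re.match(), which
    anchors at the start of the string only.
    """
    compiled = re.compile(pattern)
    return [u for u in urls if compiled.match(u)]


def origin_of(url):
    """scheme://host:port of a URL, without path, query or fragment."""
    scheme, _, rest = url.partition("://")
    return scheme + "://" + re.split(r"[/?#]", rest, maxsplit=1)[0]


def unintended(pattern, urls, client_origin=CLIENT_ORIGIN):
    """URLs the pattern admits although they are not the intended client."""
    return [u for u in admitted(pattern, urls) if origin_of(u) != client_origin]


if __name__ == "__main__":
    for label, pattern in (("weak", WEAK), ("strict", STRICT)):
        print(label, "admits unintended services:", unintended(pattern, SAMPLE_URLS))
```

The same check can be run against each real SERVICE entry before the server is exposed beyond localhost.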

Usage

# Use any port you want, I'm using 30000 here.
python manage.py runserver 0.0.0.0:30000

After the service has started, you can open http://0.0.0.0:30000/login to reach the CAS login page.

The question arises, what is the username and password?

It took me a while to figure this out: by default django-mama-cas uses the User model, so a superuser created with django-admin can also be used to log in to CAS:

python manage.py createsuperuser

Enter the user password to complete the creation of the super user, and then use this user to log in.

CAS Client

Python has an open-source CAS client, python-cas. Since I'm using Django to develop the back end, I went straight to django-cas-ng, a Django application that wraps python-cas.

Configuration

Again, you need to install the dependencies first:

pip install django-cas-ng

Add the django-cas-ng configuration in two places, INSTALLED_APPS and AUTHENTICATION_BACKENDS:

INSTALLED_APPS = (
  # ... other installed apps
  'django_cas_ng',
)

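AUTHENTICATION_BACKENDS = (
  # Keep Django's default backend so local accounts still work
  'django.contrib.auth.backends.ModelBackend',
  # Backend provided by django-cas-ng
  'django_cas_ng.backends.CASBackend',
)

Also add the settings that correspond to the address and version of the CAS server you are integrating with: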

# Address of CAS
CAS_SERVER_URL = 'http://127.0.0.1:30000'
# CAS version
CAS_VERSION = '3'
# Save all user data returned by the CAS server onto the User.
CAS_APPLY_ATTRIBUTES_TO_USER = True

Add the login and logout routes (django-cas-ng already implements both pieces of logic, so you can use them directly; if you need to extend them, refer to the source code and implement your own):

from django.urls import path
import django_cas_ng.views as cas_views
urlpatterns = [
  # ... other routes
  path('login/', cas_views.LoginView.as_view(), name='cas_ng_login'),
  path('logout/', cas_views.LogoutView.as_view(), name='cas_ng_logout'),
]

Debugging

Start the current service:

python manage.py runserver

Visiting http://127.0.0.1:8000/login redirects to the CAS login page at http://127.0.0.1:30000/login?service=http://127.0.0.1:8000 (note the different ports), and jumps back after a successful login.

Summary

The logic of CAS takes some effort to understand, but it is a mature single sign-on architecture and open-source client implementations are generally available. The amount of code is small; the work is mostly debugging and configuring with reference to the documentation.

References

/jbittel/django-mama-cas
/en/latest/
/mingchen/django-cas-ng
