Skip to main content
Version: 3.4

cas-auth

Description#

The cas-auth Plugin can be used to access CAS (Central Authentication Service 2.0) IdP (Identity Provider) to do authentication, from the SP (service provider) perspective.

Attributes#

NameTypeRequiredDescription
idp_uristringTrueURI of IdP.
cas_callback_uristringTrueredirect uri used to callback the SP from IdP after login or logout.
logout_uristringTruelogout uri to trigger logout.

Enabling the Plugin#

You can enable the Plugin on a specific Route as shown below:

curl http://127.0.0.1:9180/apisix/admin/routes/cas1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"methods": ["GET", "POST"],
"host" : "127.0.0.1",
"uri": "/anything/*",
"plugins": {
"cas-auth": {
"idp_uri": "http://127.0.0.1:8080/realms/test/protocol/cas",
"cas_callback_uri": "/anything/cas_callback",
"logout_uri": "/anything/logout"
}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"httpbin.org": 1
}
}
}'

Configuration description#

Once you have enabled the Plugin, a new user visiting this Route would first be processed by the cas-auth Plugin. If no login session exists, the user would be redirected to the login page of idp_uri.

After successfully logging in from IdP, IdP will redirect this user to the cas_callback_uri with GET parameters CAS ticket specified. If the ticket gets verified, the login session would be created.

This process is only done once and subsequent requests are left uninterrupted. Once this is done, the user is redirected to the original URL they wanted to visit.

Later, the user could visit logout_uri to start logout process. The user would be redirected to idp_uri to do logout.

Note that, cas_callback_uri and logout_uri should be either full qualified address (e.g. http://127.0.0.1:9080/anything/logout), or path only (e.g. /anything/logout), but it is recommended to be path only to keep consistent.

These uris need to be captured by the route where the current APISIX is located. For example, if the uri of the current route is /api/v1/*, cas_callback_uri can be filled in as /api/v1/cas_callback.

Disable Plugin#

To disable the cas-auth Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.

curl http://127.0.0.1:9180/apisix/admin/routes/cas1  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"methods": ["GET", "POST"],
"uri": "/anything/*",
"plugins": {},
"upstream": {
"type": "roundrobin",
"nodes": {
"httpbin.org:80": 1
}
}
}'