[squid-users] Squid CAS integration

Dario Basset dario.basset at unimi.it
Fri Sep 6 09:36:46 UTC 2019


-> With CAS I mean the Central Authentication Service, which is supported
here: https://github.com/apereo/cas or here:
https://www.apereo.org/projects/cas It is a system for Single Sign On
authentication with Service Ticket, and it is quite used in Universities. We
want to integrate Squid with CAS auth.
The authentication provided by CAS is based on a mechanism which redirects
user navigation to CAS University site, and proceeds only when credentials
are valid. In this way the site that picks the credentials is not an
application site, but it is University CAS itself. The application that uses
University CAS is simply redirecting user navigation, that it takes the

-> Ok for PHP

-> For what concerns Squid helpers, I saw some examples, but most of those
examples are based on never-ending loops that wait for standard input and then
proceed with authentication. In this loop, the credentials are picked by
Squid web server. We do not want this. We want credentials to be inputted in
our CAS portal system. But I don't know how to code configuration file for
Squid and related helpers. 

On 06/09/19 11:16, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 6/09/19 7:50 pm, Dario Basset wrote:
> > My institution has been asked to integrate Squid and CAS. We want to
> > integrate Squid and CAS in its simplest way, that is:
> Details about this CAS ?
>  Does it have a specific name?
>  "CAS" is like saying "proxy" - it is a type.
>  What type(s) of authentication is it doing?
>  What APIs does it provide for checking credentials validity?
>  What APIs does it provide for initial user login?
> Note that all of those 'What ...' questions are plural. Authenticators
> tend to have multiple APIs for each activity.
> > 1) redirect the navigation to the CAS site,
> > 2) let the user input login/password,
> > 3) then, after successful login, check with PHP all necessary
> > permissions,
> FWIW: my advice is to avoid PHP for Squid helpers. That language has
> problems keeping helpers running long-term.
>  <https://wiki.squid-cache.org/Features/AddonHelpers#What_language_are_helper_meant_to_be_written_in.3F>
> > 4) proceed with Squid Proxy.
> > 
> > I can't understand how to code Squid configuration and PHP helpers.
> > I have seen here
> > http://squid-web-proxy-cache.1019090.n4.nabble.com/Need-help-for-ACL-Authentication-web-Form-Cookies-td4555576.html
> > 
> > But I cannot understand how to make it work. Can you please show me a
> > link to simple example?
> All the helpers called "fake" are examples of how to write helpers for
> their Squid helper interface. Which is essentially the same these days
> with a (somewhat) unified protocol they all speak.
> > Or tell me where are samples sources with PHP
> > helpers and SQUID configuration in order to have the full example working?
> > 
> Not without the details asked for above. The conversation you found
> David and I are mentioning BerkeleyDB and SQL helpers. Those are the
> "CAS" we use. The squid.conf part is essentially what you see in that
> thread.
> You will need a helper to access whatever the CAS database is (via any
> API it provides for that access).
> Amos
Dario Basset dario.basset at unimi.it 
Direzione Servizio bibliotecario d’Ateneo
Via G. Colombo, 46 02-50315296
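
The helper loop discussed in this thread, as an added example that is not part of the original messages or of Squid's own helpers: a Python external ACL helper that never sees credentials and only checks whether a portal has already recorded a CAS-validated session for the client address. The session file path and format, the portal that writes it, and the squid.conf names in the comments are assumptions.

```python
"""Squid external ACL helper: allow a client only if a CAS session is on record."""
import ipaddress
import json
import sys
import time
from urllib.parse import quote
# Assumed squid.conf wiring (hypothetical names and path):
#   external_acl_type cas_session concurrency=10 ttl=30 negative_ttl=0 %SRC /usr/local/bin/cas_session.py
#   acl cas_ok external cas_session
#   http_access deny !cas_ok
# Assumed store, written by the portal after CAS ticket validation: {ip: {"user": name, "expires": epoch}}
SESSION_FILE = "/var/run/squid/cas_sessions.json"


def load_sessions(path=SESSION_FILE):
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return {}  # unreadable store: fail closed, nobody is authenticated
    return data if isinstance(data, dict) else {}


def answer(line, sessions, now):
    """Reply for one request line of the form '<channel-ID> <client-ip>'."""
    parts = line.split()
    if len(parts) != 2 or not parts[0].isdigit():
        return "BH message=bad-request"
    channel, raw_ip = parts
    try:
        ip = str(ipaddress.ip_address(raw_ip))  # input is untrusted: normalise it
    except ValueError:
        return f"{channel} ERR message=bad-address"
    entry = sessions.get(ip)
    expires = entry.get("expires") if isinstance(entry, dict) else None
    if not isinstance(expires, (int, float)) or expires <= now or not entry.get("user"):
        return f"{channel} ERR"  # no live session: Squid denies the request
    # Percent-encode so a crafted user name cannot inject extra reply fields.
    return f"{channel} OK user={quote(str(entry['user']), safe='')}"


def main():
    for line in sys.stdin:  # Squid keeps the helper alive and feeds it one line per lookup
        sys.stdout.write(answer(line, load_sessions(), time.time()) + "\n")
        sys.stdout.flush()  # replies must not sit in a buffer


if __name__ == "__main__":
    main()
```

Keying the session on source address means all clients behind one NAT address share it, so keep the expiry short. Sending denied clients to the portal login page would be a separate deny_info rule on the ACL.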
