Additional CAS Setup

For the CAS Authorization Method, the Login URL must usually be HTTPS (a CAS server requirement). It must also point to the actual CAS login service, not a wrapper, because the Search Appliance maps the /login part of the URL to /serviceValidate and other standard CAS services for ticket validation after login. Thus a URL such as https://cas.example.com/cas/login?service=%REFERER% should be used as the Login URL for CAS.

The CAS server must also be configured to work with the Search Appliance. When configuring, be sure to use a URL pattern that matches all possible Search Appliance search and admin URLs, e.g. one that matches at least https://appliance.example.com/texis/.... Consult your CAS server documentation for how to configure these items:

  • The Search Appliance must be allowed to use CAS. This typically involves ensuring its URLs (see above) match a list or pattern of permitted URLs. For an Apereo CAS server, this may involve ensuring the serviceId setting of the appropriate config file (e.g. HTTPSandIMAPS-10000001.json) matches Search Appliance URLs. Lack of permission may result in an error such as "Application Not Authorized to Use CAS" from the CAS server when the user attempts to search and is redirected to the CAS login.

  • The Search Appliance must be allowed to proxy. For Apereo CAS, this may involve setting a proxyPolicy pattern (e.g. via JSON). Lack of proxy permission may result in an error such as INVALID_PROXY_CALLBACK from the Search Appliance during searches.

  • All CAS-protected services that may be walked and appear in Results Authorization search results must allow the Search Appliance to proxy them. For Apereo CAS, this may involve setting the allowedProxyChains parameter in the CAS Validation Filter. Lack of this permission may result in these services always being rejected (via HTTP 500 Server Error) as unauthorized, and not shown in search results.

  • Depending on the CAS server's configuration, the Search Appliance may have to be accessed via an HTTPS/SSL URL. Make sure Enable HTTPS Server is Y under System Wide Settings.

  • The CAS server may also need to trust the Search Appliance's SSL certificate, i.e. have that certificate's CA in its trust store. Lack of trust may also result in an INVALID_PROXY_CALLBACK error.
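
A pre-flight check for two of the settings above, the Login URL and the serviceId pattern, as an added example (not Thunderstone or Apereo code). The function names and sample URLs are constructed for illustration, and the sketch assumes the pattern is a regular expression simple enough to behave the same in Python as on the CAS server.

```python
import re
from urllib.parse import urlsplit, urlunsplit

def check_login_url(login_url):
    """Return (problems, derived serviceValidate URL) for a CAS Login URL setting."""
    parts = urlsplit(login_url)
    problems = []
    if parts.scheme != "https":
        problems.append("Login URL is not HTTPS")
    if not parts.path.endswith("/login"):
        problems.append("path does not end in /login (wrapper page?)")
        return problems, None
    # The appliance swaps /login for /serviceValidate, so derive that endpoint the same way.
    base = parts.path[: -len("/login")]
    validate = urlunsplit((parts.scheme, parts.netloc, base + "/serviceValidate", "", ""))
    return problems, validate

def check_service_pattern(pattern, must_match, must_not_match):
    """Check a candidate serviceId regex against URLs to permit and URLs to reject."""
    rx = re.compile(pattern)
    # fullmatch for "permit" and search for "reject": conservative whichever the server uses.
    problems = [f"does not match {u}" for u in must_match if not rx.fullmatch(u)]
    problems += [f"too broad, matches {u}" for u in must_not_match if rx.search(u)]
    return problems

# Constructed sample values; the /texis/ sub-paths are placeholders.
APPLIANCE_URLS = [
    "https://appliance.example.com/texis/search?query=test",
    "https://appliance.example.com/texis/admin",
]
OTHER_URLS = ["https://intranet.example.com/app", "imaps://mail.example.com/"]

if __name__ == "__main__":
    print(check_login_url("https://cas.example.com/cas/login?service=%REFERER%"))
    print(check_login_url("http://portal.example.com/sso/start"))
    for pat in (r"^https://appliance\.example\.com/texis/.*",
                r"^https://appliance\.example\.com/texis/search.*",
                r"^(https|imaps)://.*"):
        print(pat, check_service_pattern(pat, APPLIANCE_URLS, OTHER_URLS))
```

A pattern that passes both lists permits every Search Appliance URL without also registering unrelated services under the same entry.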

If you encounter problems configuring CAS with Results Authorization, be sure to check the CAS server log files for information that may help diagnose the issue. Also note that Results Authorization with CAS is not currently supported for Meta Search.


Copyright © Thunderstone Software     Last updated: Nov 8 2024