For the CAS Authorization Method, the Login URL must
usually be HTTPS (a CAS server requirement). It also must point to
the actual CAS login service, not a wrapper. This is because
Webinator will also map the /login part of the URL to /serviceValidate and other standard CAS services for ticket
validation after login. Thus a URL such as https://cas.example.com/cas/login?service=%REFERER% should be
used for Login URL for CAS.
The CAS server must also be configured to work with Webinator.
When configuring, be sure to use a URL pattern that matches all
possible Webinator search and admin URLs, e.g. one that
matches at least
Consult your CAS server documentation for how to configure these items:
- Webinator must be allowed to use CAS. This typically
involves ensuring its URLs (see above) match a list or pattern of
permitted URLs. For an Apereo CAS server, this may involve
ensuring the serviceId setting of the appropriate config
file (e.g. HTTPSandIMAPS-10000001.json) matches
Webinator URLs. Lack of permission may result in an error
such as "Application Not Authorized to Use CAS" from the
CAS server when the user attempts to search, and is redirected to
the CAS login.
- Webinator must be allowed to proxy. For Apereo CAS, this
may involve setting a proxyPolicy pattern (e.g. via JSON).
Lack of proxy permission may result in an error such as INVALID_PROXY_CALLBACK from Webinator during searches.
- All CAS-protected services that may be walked and appear in
Results Authorization search results must allow Webinator to
proxy them. For Apereo CAS, this may involve setting the allowedProxyChains parameter in the CAS Validation Filter.
Lack of this permission may result in these services always being
rejected (via HTTP 500 Server Error) as unauthorized, and not
shown in search results.
- Depending on the CAS server's configuration, Webinator may
have to be accessed via an HTTPS/SSL URL.
- The CAS server may also need to trust Webinator's SSL
certificate, i.e. have that certificate's CA in its trust store.
Lack of trust may also result in an INVALID_PROXY_CALLBACK error.
If encountering problems configuring CAS with Results Authorization,
be sure to check the CAS server log files for information that may
help diagnose the issue. Also note that Results Authorization with
CAS is not currently supported for Meta Search.
Copyright © Thunderstone Software Last updated: Aug 4 2020