
Integrate CAS with ASP.NET Applications

March 3, 2015 by Christopher Sherman

The CAS authentication system started as a project at Yale University and is now used by a number of higher education institutions. The CAS NuGet package, authored by Jasig, provides CAS authentication for ASP.NET applications. In this tutorial I’ll explain my process for integrating CAS with modern MVC applications.

Install the Client

Open your project in Visual Studio. From the main menu, select Tools > NuGet Package Manager > Package Manager Console. In the console type the following command to install the .NET CAS client:

Install-Package DotNetCasClient

Configuration

CAS integration takes place in the Web.config file. I prefer to use configuration transformations that allow me to have different configuration values in debug and release environments. For example, I may want to test CAS on a server with a different URL from production. Rather than continually updating Web.config, I use the Web.Debug.config and Web.Release.config files to update this for me depending on the publish configuration I select. If you’d rather set your configuration once in Web.config, just remove the xdt attributes from the example below.

<?xml version="1.0"?>

<!-- For more information on using Web.config transformation visit http://go.microsoft.com/fwlink/?LinkId=301874 -->
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">

  <!-- CAS Configuration -->
  <system.web>
    <httpModules xdt:Transform="Insert">
      <add name="DotNetCasClient" type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient" />
    </httpModules>
  </system.web>
  <!-- /CAS Configuration -->

  <!-- CAS Configuration -->
  <system.webServer>
    <modules xdt:Transform="Insert">
      <remove name="DotNetCasClient" />
      <add name="DotNetCasClient" type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient" />
    </modules>
  </system.webServer>
  <!-- /CAS Configuration -->

  <!-- CAS Configuration -->
  <configSections>
    <section xdt:Transform="Insert" name="casClientConfig" type="DotNetCasClient.Configuration.CasClientConfiguration, DotNetCasClient" />
  </configSections>
  <!-- /CAS Configuration -->

  <!-- CAS Configuration -->
  <casClientConfig xdt:Transform="Insert"
                   casServerLoginUrl="https://authserver.example.edu/login"
                   casServerUrlPrefix="https://authserver.example.edu"
                   serverName="https://appserver.example.edu"
                   notAuthorizedUrl="~/Home/NotAuthorized"
                   cookiesRequiredUrl="~/Home/CookiesRequired"
                   redirectAfterValidation="true"
                   gateway="false"
                   renew="false"
                   singleSignOut="true"
                   ticketTimeTolerance="5000"
                   ticketValidatorName="Saml11"
                   serviceTicketManager="CacheServiceTicketManager"
                   gatewayStatusCookieName="CasGatewayStatus" />
  <!-- /CAS Configuration -->

</configuration>

Unfortunately, I’ve found that not all configuration can take place via transformations. Add these configuration properties to your Web.config.

<configuration>
  <appSettings>
    <!-- CAS Configuration -->
    <add key="enableSimpleMembership" value="false" />
    <add key="autoFormsAuthentication" value="false" />
    <!-- /CAS Configuration -->
  </appSettings>

  <system.web>
    <!-- CAS Configuration -->
    <authentication mode="Forms">
      <!--<forms loginUrl="~/Account/Login" timeout="2880" />-->
      <forms loginUrl="https://auth.vt.edu" cookieless="UseCookies" />
    </authentication>
    <!-- /CAS Configuration -->
  </system.web>

  <system.webServer>
    <!-- CAS Configuration -->
    <validation validateIntegratedModeConfiguration="false" />
    <!-- /CAS Configuration -->
  </system.webServer>
</configuration>

For information about specific configuration options, visit the .NET CAS client documentation.

Forcing the Application to Authenticate

To use CAS, you must require your application to use HTTPS and force requests into the authorization pipeline. Under App_Start, open FilterConfig.cs and add the following two filters:

filters.Add(new System.Web.Mvc.AuthorizeAttribute());
filters.Add(new RequireHttpsAttribute());

When you run your application, it should now require you to log in with CAS.

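Since CAS at Virginia Tech requires a vt.edu domain, even in test, working with CAS can be frustrating when you just need to debug a simple aspect of your application. To address this issue, you can modify your filters not to run when debugging is enabled. Note that HttpContext.Current.IsDebuggingEnabled reflects the debug attribute of the compilation element in Web.config, not whether the Visual Studio debugger is attached, so a deployment that still has debug set to true skips both the authorization and HTTPS filters. Make sure your release configuration turns debug off.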

if (!HttpContext.Current.IsDebuggingEnabled)
{
    filters.Add(new System.Web.Mvc.AuthorizeAttribute());
    filters.Add(new RequireHttpsAttribute());
}
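A stricter variant of the guard above, added here as an example and not taken from the original post or from DotNetCasClient: the bypass exists only in Debug builds and also needs an explicit opt-in, so a release build keeps both filters even if Web.config is deployed with debugging enabled. The ExampleApp namespace and the Debug:BypassCas appSettings key are assumptions made for illustration.

```csharp
using System;
using System.Configuration;
using System.Web;
using System.Web.Mvc;

namespace ExampleApp // assumed namespace
{
    public class FilterConfig
    {
        // Hypothetical appSettings key (not a DotNetCasClient setting).
        // Set it only in a developer's local Web.config, never in a transform.
        private const string BypassKey = "Debug:BypassCas";

        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            if (CasBypassAllowed())
            {
                return; // local debugging only: no CAS, no HTTPS redirect
            }

            filters.Add(new AuthorizeAttribute());
            filters.Add(new RequireHttpsAttribute());
        }

        private static bool CasBypassAllowed()
        {
#if DEBUG
            // Debug builds (assumes the default Visual Studio Debug
            // configuration, which defines DEBUG): require BOTH
            // <compilation debug="true"> and the explicit opt-in key,
            // so one stray setting cannot disable authentication.
            var context = HttpContext.Current;
            bool debugConfig = context != null && context.IsDebuggingEnabled;
            bool optIn = string.Equals(
                ConfigurationManager.AppSettings[BypassKey],
                "true",
                StringComparison.OrdinalIgnoreCase);
            return debugConfig && optIn;
#else
            // Release builds: the bypass is compiled out, so a Web.config
            // that still says debug="true" cannot turn authentication off.
            return false;
#endif
        }
    }
}
```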
