General Settings
CAS Server base URL
This is the URL of your CAS server, like this:
CAS Version protocol
If you want to retrieve CAS user attributes from the CAS ticket, you must set this to 3, so that the plugin queries the CAS server at the p3/serviceValidate URL. If your CAS server does not support CAS protocol version 3, set it to 2.
Disable CAS Authentication
Check this option if you want to temporarily deactivate CAS authentication on your blog.
Create user if not exist
If the user is successfully authenticated by the CAS server, a local WordPress account is created when this option is checked.
SSL cipher used to query the CAS server with an HTTP web request
This is the cipher used by cURL when validating the service ticket.
Url Settings
Service logout redirect url
This is the URL the user is redirected to after being logged out of the CAS server, i.e. the URL the CAS server redirects to after logout. The blog home URL is used when this option is not set. The CAS server must be configured to allow this (see the followServiceRedirects option in the JASIG documentation).
OVERRIDE SERVICE CALLBACK URL
This option is very useful when you have a multisite subdomain configuration and want to configure only one JSON service restriction file (one for the parent domain) instead of using a wildcard.
https://www.dev.lan/?wp_cassify_redirect_to={WP_CASSIFY_CURRENT_SERVICE_URL}
WP_CASSIFY_CURRENT_SERVICE_URL is replaced on the fly with the current URL.
The service restriction file is located in /tomcat8/webapps/cas/WEB-INF/classes/services/www.dev.lan.json:
{
"@class" : "org.jasig.cas.services.RegexRegisteredService",
"serviceId" : "^(http|https)://www\\.dev\\.lan/.*",
"name" : "www.dev.lan",
"id" : 100,
"description" : "Acces aux blogs WordPress",
"attributeReleasePolicy" : {
"@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes" : [ "java.util.ArrayList", [ "first_name", "last_name", "email", "company", "website", "country", "title" ] ]
}
}
For example, with:
- blog1.dev.lan
- blog2.dev.lan
When you try to connect to https://blog1.dev.lan/wp-admin, you’re redirected to https://www.dev.lan/?site=https://blog1.dev.lan/wp-admin
Then, in the template of the parent domain blog of your WordPress network (in my case https://www.dev.lan), put the code below in the index.php file to perform the redirection:
$wp_cassify_redirect_to = get_query_var( 'wp_cassify_redirect_to', false );
if ( $wp_cassify_redirect_to != false ) {
    // The target comes straight from the query string: restrict it to your own sites before redirecting
    wp_redirect( $wp_cassify_redirect_to );
    exit; // always stop execution after wp_redirect()
}
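The snippet above sends the browser to whatever URL arrives in wp_cassify_redirect_to, so a crafted link to the parent domain can bounce a visitor to any site. The following added example (not the plugin's or WordPress core's own code; the function name is made up) only honours targets whose host is a site of this multisite network, using the core functions get_site_by_path(), wp_safe_redirect() and the allowed_redirect_hosts filter:

```php
<?php
// Added example, not part of the plugin. Assumes a subdomain multisite install and that
// wp_cassify_redirect_to is a registered query var (the plugin's own code reads it above).
function wp_cassify_example_redirect(): void {
    $target = get_query_var( 'wp_cassify_redirect_to', '' );
    if ( '' === $target ) {
        return;
    }
    $parts = wp_parse_url( $target );
    $host  = $parts['host'] ?? '';
    // Only an absolute https URL whose host is a site of this network is an acceptable target.
    if ( 'https' !== ( $parts['scheme'] ?? '' ) || '' === $host || ! get_site_by_path( $host, '/' ) ) {
        wp_safe_redirect( home_url( '/' ) ); // fall back to the parent domain's home page
        exit;
    }
    // wp_safe_redirect() only allows the current host by default; add the network site's host.
    add_filter( 'allowed_redirect_hosts', function ( $hosts ) use ( $host ) {
        $hosts[] = $host;
        return $hosts;
    } );
    wp_safe_redirect( $target );
    exit;
}
wp_cassify_example_redirect();
```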
Name of the login servlet
Do not change this unless you have customized your CAS server.
Name of the logout servlet
Do not change this unless you have customized your CAS server.
Name of the serviceValidate servlet
Do not change this unless you have customized your CAS server.
Attributes extraction Settings
XPath query used to extract the CAS user id during parsing
You can define the XPath query used to extract the user id when parsing the CAS server's XML response.
For example, if your CAS ticket structure is like this:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>m.brown01</cas:user>
        <cas:attribute name="identity" value="Brown, Mike"/>
        <cas:attribute name="email" value="brown.mike@my-university.fr"/>
    </cas:authenticationSuccess>
</cas:serviceResponse>
This is the XPath query to extract the user id:
//cas:serviceResponse/cas:authenticationSuccess/cas:user
XPath query used to extract the CAS user attributes during parsing
You can define the XPath query used to extract the user attributes when parsing the CAS server's XML response.
For example, if your CAS ticket structure is like this:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>m.brown01</cas:user>
        <cas:attribute name="identity" value="Brown, Mike"/>
        <cas:attribute name="email" value="brown.mike@my-university.fr"/>
    </cas:authenticationSuccess>
</cas:serviceResponse>
This is the XPath query to extract the user attributes:
//cas:serviceResponse/cas:authenticationSuccess/cas:attribute
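To see what the two XPath queries from this section (user id and attributes) return, here is an added example that is not the plugin's own code: it parses a constructed copy of the response above with PHP's DOMXPath. The cas prefix used in the queries only resolves once it is registered with the CAS namespace URI, and the parser is told not to fetch external resources. The function name is made up.

```php
<?php
// Added example, not part of the plugin. Constructed CAS response matching the structure above.
$cas_response = <<<'XML'
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>m.brown01</cas:user>
    <cas:attribute name="identity" value="Brown, Mike"/>
    <cas:attribute name="email" value="brown.mike@my-university.fr"/>
  </cas:authenticationSuccess>
</cas:serviceResponse>
XML;

function wp_cassify_example_parse( string $xml, string $user_xpath, string $attr_xpath ): array {
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources named in a response received from the
    // network. Entity substitution (LIBXML_NOENT) is deliberately left disabled.
    if ( ! $doc->loadXML( $xml, LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING ) ) {
        throw new RuntimeException( 'CAS response is not well-formed XML' );
    }
    $xp = new DOMXPath( $doc );
    // Without this registration the cas: prefix in the queries matches nothing.
    $xp->registerNamespace( 'cas', 'http://www.yale.edu/tp/cas' );

    $users = $xp->query( $user_xpath );
    if ( $users === false || $users->length !== 1 ) {
        // No cas:authenticationSuccess (e.g. a cas:authenticationFailure response) or ambiguous
        throw new RuntimeException( 'Expected exactly one cas:user element' );
    }
    $attributes = [];
    foreach ( $xp->query( $attr_xpath ) ?: [] as $node ) {
        $attributes[ $node->getAttribute( 'name' ) ] = $node->getAttribute( 'value' );
    }
    return [ 'cas_user_id' => trim( $users->item( 0 )->textContent ), 'attributes' => $attributes ];
}

print_r( wp_cassify_example_parse(
    $cas_response,
    '//cas:serviceResponse/cas:authenticationSuccess/cas:user',
    '//cas:serviceResponse/cas:authenticationSuccess/cas:attribute'
) );
```

On PHP older than 8.0, also call libxml_disable_entity_loader( true ) before loadXML(), since external entity loading was enabled by default there.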
Cas user attributes you want to populate into session
To populate CAS user attributes into the session, you must declare them. Write the attribute names separated by commas, like this: attribute_1,attribute_2,attribute_3.
Then you can access them through this variable, which holds an associative array:
<?php
if ( isset( $GLOBALS['wp-cassify'] ) ) {
    // Associative array of the CAS attributes declared above, keyed by attribute name
    print_r( $GLOBALS['wp-cassify']->wp_cassify_get_cas_user_datas() );
}
?>
AUTHORIZATION RULES SETTINGS
Order Allow/Deny
The order to process authorization rules.
Authorization rule syntax
Operators allowed
-EQ, -NEQ, -CONTAINS, -STARTWITH, -ENDWITH, -AND, -OR, -IN, -NOTIN
CAS variable wrapping model
CAS{cas_user_id}
CAS{mail}
The CAS variable must always be the left operand.
Parenthesis level
- One operator per parenthesis group, like this:
(… -AND …)
- Two nesting levels maximum are allowed: the outer level uses square brackets and the sub-level uses parentheses, like this:
[(…-OR…) -AND (…-AND…)]
Examples
- Simple condition
(CAS{cas_user_id} -EQ "mbrown")
- Many conditions
(CAS{cas_user_id} -EQ "mbrown") -AND (CAS{email} -CONTAINS "my-university.fr")
- Complex rule
[(CAS{cas_user_id} -EQ "mbrown") -AND (CAS{email} -CONTAINS "my-university.fr")] -OR (CAS{cas_user_id} -STARTWITH "test")
You can test authorization rules with the test.php script inside the plugin folder. This script must be launched via php-cli. In this script, you can create a mock object to debug a rule.
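As an added example that is not the plugin's own code (the plugin ships test.php for this), here is a small evaluator for the rule syntax described above: the string comparison operators, one operator per parenthesis group, and square brackets as the outer level. It uses straight double quotes around values, leaves -IN / -NOTIN out, and requires PHP 8; the function names are made up.

```php
<?php
// Added example, not part of the plugin. Evaluates rules such as the "Complex rule" above
// against an array of CAS attributes (what wp_cassify_get_cas_user_datas() returns).

// One comparison of the form  CAS{name} -OP "value"  against the CAS attributes array.
function cas_rule_condition( string $cond, array $cas ): bool {
    $re = '/^CAS\{(\w+)\}\s+-(EQ|NEQ|CONTAINS|STARTWITH|ENDWITH)\s+"([^"]*)"$/';
    if ( ! preg_match( $re, trim( $cond ), $m ) ) { throw new InvalidArgumentException( "Bad condition: $cond" ); }
    [ , $name, $op, $value ] = $m;
    $left = (string) ( $cas[ $name ] ?? '' ); // the CAS variable is always the left operand
    return match ( $op ) {
        'EQ'        => $left === $value,
        'NEQ'       => $left !== $value,
        'CONTAINS'  => str_contains( $left, $value ),
        'STARTWITH' => str_starts_with( $left, $value ),
        'ENDWITH'   => str_ends_with( $left, $value ),
    };
}

// A rule is a sequence of groups joined by -AND / -OR, combined left to right.
// ( ... ) holds one condition; [ ... ] holds a nested rule (the second level).
function cas_rule_eval( string $rule, array $cas ): bool {
    $n = preg_match_all( '/\[([^\[\]]*)\]|\(([^()]*)\)|-(AND|OR)\b/', $rule, $tokens, PREG_SET_ORDER );
    if ( $n === 0 ) { throw new InvalidArgumentException( "Bad rule: $rule" ); }
    $result = null;
    $op = null;
    foreach ( $tokens as $t ) {
        if ( ! empty( $t[3] ) ) { $op = $t[3]; continue; }        // operator: applies to the next group
        $value = ( $t[1] !== '' ) ? cas_rule_eval( $t[1], $cas )  // square brackets: one level down
                                  : cas_rule_condition( $t[2] ?? '', $cas );
        if ( $result === null ) { $result = $value; }
        elseif ( $op === 'AND' ) { $result = $result && $value; }
        elseif ( $op === 'OR' )  { $result = $result || $value; }
        else { throw new InvalidArgumentException( "Two groups without an operator in: $rule" ); }
        $op = null;
    }
    return (bool) $result;
}

$rule = '[(CAS{cas_user_id} -EQ "mbrown") -AND (CAS{email} -CONTAINS "my-university.fr")]'
      . ' -OR (CAS{cas_user_id} -STARTWITH "test")';
var_dump( cas_rule_eval( $rule, [ 'cas_user_id' => 'mbrown', 'email' => 'brown.mike@my-university.fr' ] ) );
var_dump( cas_rule_eval( $rule, [ 'cas_user_id' => 'jdoe', 'email' => 'jdoe@my-university.fr' ] ) );
```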
White List URL(s)
You can set several URLs that you do not want to be covered by CAS authentication. URLs must be separated by ';', like this:
http://my-blog-url/my-first-page;http://my-blog-url/my-second-page
USER ROLES SETTINGS
Example:
If you select the Administrator role with this rule, the Administrator role is assigned to user "rlong7":
(CAS{cas_user_id} -EQ "rlong7")
USER ATTRIBUTES SYNCHRONIZATION SETTINGS
With these settings, you can map CAS user attribute values into WordPress user meta such as user_nicename and user_email. WordPress custom user metas are also supported.
TIPS AND TRICKS
Gateway mode: detect whether the user has already authenticated with CAS from your public pages and perform an auto-login.
See : https://wiki.jasig.org/display/CAS/gateway
To use gateway mode, put this code in your index.php or in another template file inside your theme:
if ( ( ! is_user_logged_in() ) && ( ! get_query_var( 'wp_cassify_bypass' ) ) ) {
    // Anonymous visitor and no bypass flag: let the plugin check for an existing CAS session
    if ( isset( $GLOBALS['wp-cassify'] ) ) {
        $GLOBALS['wp-cassify']->wp_cassify_check_authentication();
    }
} else if ( ! is_user_member_of_blog() ) {
    // Logged in, but not a member of this blog: run the CAS authentication check for this site
    if ( isset( $GLOBALS['wp-cassify'] ) ) {
        $GLOBALS['wp-cassify']->wp_cassify_check_authentication();
    }
}