The Jasig .NET CAS client provides CAS integration for the Microsoft Windows platform via the .NET framework.

Download

Version 1.0 (2010-12-10)

Release Candidate 1 (2010-11-16)

Previous Snapshots

NuGet Installation

NuGet packages for the .NET client are available at http://www.nuget.org/List/Packages/DotNetCasClient.

Features

  • Supports CAS Protocol 1.0 and 2.0 and SAML 1.1
  • Supports CAS single sign-out
  • Rich support for Microsoft ASP.NET platform integration through Forms Authentication framework

Integration Instructions

The .NET CAS client integrates with ASP.NET applications by customizing the application web.config file. The client is implemented as an ASP.NET IHttpModule, CasAuthenticationModule, that provides hooks into the ASP.NET request/response pipeline through lifecycle events. This provides a familiar configuration path for client integration, including the following:

  • Custom casClientConfig section containing CAS-specific configuration parameters that apply to CasAuthenticationModule
  • ASP.NET forms authentication
  • Registration of CasAuthenticationModule
  • Authorization configuration
  • Logging configuration (optional)

The CasAuthenticationModule must be made available to the application via the familiar process for .NET assemblies; either of the following is sufficient:

  1. Ensure it is deployed to the /Bin directory of the Web application
  2. Add it to the .NET Global Assembly Cache

Configure CasAuthenticationModule

Define the casClientConfig configuration section:

Register casClientConfig Section

Place a <casClientConfig> element as a direct child of the root <configuration> element; its position relative to the other children of <configuration> is unimportant. As with any custom configuration section, it must also be declared in <configSections> before ASP.NET will load it.

Demonstrative casClientConfig

The following attributes are supported in the casClientConfig configuration section.

casServerLoginUrl
REQUIRED
URL of CAS login form.

serverName
REQUIRED
Host name of the server hosting this application. It is used to build the service URLs that are sent to the CAS server for redirection, so the CAS server must be able to resolve this host name. If your web application sits behind a load balancer, SSL offloader, or any other device that accepts incoming requests on its behalf, you will generally need to supply the public-facing host name unless your CAS server is on the same private network as the application server. The protocol prefix (http:// or https://) is optional. If you are using a non-standard port number, be sure to include it (e.g., server.school.edu:8443 or https://server.school.edu:8443). Do not include a trailing slash.

casServerUrlPrefix
REQUIRED
URL to root of CAS server application.

ticketValidatorName
REQUIRED
Name of ticket validator that validates CAS tickets using a particular protocol. Valid values are Cas10, Cas20, and Saml11.

gateway
OPTIONAL
Enable CAS gateway feature, see http://www.jasig.org/cas/protocol section 2.1.1. Default is false.

renew
OPTIONAL
Force user to reauthenticate to CAS before accessing this application. This provides additional security at the cost of usability since it effectively disables SSO for this application. Default is false.

singleSignOut
OPTIONAL
Enables this application to receive CAS single sign-out messages sent when the user's SSO session ends. This will cause the user's session in this application to be destroyed. Default is true.

ticketTimeTolerance
OPTIONAL
Adds the given amount of tolerance in milliseconds to the client system time when evaluating the SAML assertion validity period. This effectively allows a given amount of system clock drift between the CAS client and server. Increasing this may have negative security consequences, since an assertion remains acceptable for that much longer after it has expired; we recommend fixing the sources of clock drift rather than increasing this value. This parameter is only meaningful in conjunction with ticketValidatorName="Saml11".

notAuthorizedUrl
OPTIONAL
The URL to redirect to when the request carries a valid CAS ticket but the user is not authorized to access the requested URL or resource. If this option is set, such users are redirected to this URL. If it is not set, the user is redirected to the CAS login screen with the renew parameter in the URL, to force collection of alternate credentials.

serviceTicketManager
OPTIONAL
The service ticket manager used to store tickets returned by the CAS server, for validation, revocation, and single sign-out support. Without a ticket manager configured, these capabilities are disabled, including single sign-out regardless of the singleSignOut setting. The only valid value is CacheTicketManager.

proxyTicketManager
OPTIONAL
The proxy ticket manager used to maintain state during proxy ticket requests. Without a proxy ticket manager configured, your application will not be able to issue proxy tickets.

gatewayStatusCookieName
OPTIONAL
The name of the cookie used to store the Gateway status (NotAttempted, Success, Failed). This cookie is used to prevent the client from attempting to gateway authenticate every request. Default value is cas_gateway_status.

cookiesRequiredUrl
OPTIONAL
The URL to redirect to when the client is not accepting session cookies. This condition is detected only when gateway is enabled. Redirecting locks the user onto that page; without it, every request causes a silent round-trip to the CAS server, each one appending a parameter to the URL.

Register CasAuthenticationModule

Register CasAuthenticationModule with the ASP.NET pipeline by adding it to both the <system.web><httpModules> and <system.webServer><modules> sections, as demonstrated in the following configuration blocks. Registering it in both places lets the module load under the classic pipeline (IIS 6) as well as the IIS 7 integrated pipeline.

Register with httpModules Section
Register with modules Section

Configure ASP.NET Forms Authentication

Configure the ASP.NET Forms authentication section, <forms>, so that it points to the login URL of the CAS server defined in the casServerLoginUrl attribute of the casClientConfig section. It is vitally important that the CAS login URL is the same in both locations.

Configure Forms Element

Configure Authorization

Configure authorization roles and resources using the familiar ASP.NET directives. We recommend the use of a role provider that queries a role store given the principal name returned from the CAS server. There is currently no support for extracting authorization data from the attributes released by CAS via the SAML protocol.
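The following web.config assembles the sections described above into one working file. It is an added example written for this page, not the project's "Demonstrative casClientConfig" block or a file shipped with the distribution. The following are assumptions not stated on this page: the section-handler and module type names in the DotNetCasClient assembly, the hosts cas.school.edu and app.school.edu, the role name staff, and the two local pages NotAuthorized.aspx and CookiesRequired.aspx.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the project's sample. ASSUMED names (not on this page):
     the configSections handler and module types in the DotNetCasClient assembly,
     the hosts cas.school.edu and app.school.edu, the role "staff", and the two
     local pages NotAuthorized.aspx and CookiesRequired.aspx. -->
<configuration>
  <configSections>
    <!-- ASSUMED handler type; check the type shipped in your DotNetCasClient.dll -->
    <section name="casClientConfig"
             type="DotNetCasClient.Configuration.CasClientConfiguration, DotNetCasClient" />
  </configSections>

  <!-- Direct child of <configuration>; its position among siblings does not matter -->
  <casClientConfig
      casServerLoginUrl="https://cas.school.edu/cas/login"
      casServerUrlPrefix="https://cas.school.edu/cas/"
      serverName="https://app.school.edu:8443"
      ticketValidatorName="Cas20"
      gateway="false"
      renew="false"
      singleSignOut="true"
      serviceTicketManager="CacheTicketManager"
      notAuthorizedUrl="~/NotAuthorized.aspx"
      cookiesRequiredUrl="~/CookiesRequired.aspx" />

  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl must be identical to casServerLoginUrl above -->
      <forms loginUrl="https://cas.school.edu/cas/login"
             cookieless="UseCookies"
             requireSSL="true" />
    </authentication>

    <!-- Deny anonymous users; the CAS principal must carry the "staff" role
         (resolved by your role provider) to reach anything else -->
    <authorization>
      <allow roles="staff" />
      <deny users="*" />
    </authorization>

    <!-- Classic pipeline / IIS 6 registration -->
    <httpModules>
      <add name="DotNetCasClient"
           type="DotNetCasClient.CasAuthenticationModule, DotNetCasClient" />
    </httpModules>
  </system.web>

  <!-- IIS 7 integrated pipeline registration; keep both so the module loads in either mode.
       validateIntegratedModeConfiguration="false" stops IIS 7 rejecting the
       <httpModules> entry above when it runs in integrated mode. -->
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <modules>
      <add name="DotNetCasClient"
           type="DotNetCasClient.CasAuthenticationModule, DotNetCasClient" />
    </modules>
  </system.webServer>

  <!-- The pages named in notAuthorizedUrl and cookiesRequiredUrl must be reachable
       by users who fail the authorization rules above, otherwise the redirect loops -->
  <location path="NotAuthorized.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="CookiesRequired.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two points worth checking after deploying: the <forms> loginUrl and casServerLoginUrl must match exactly (scheme, host, path), and the pages named in notAuthorizedUrl and cookiesRequiredUrl need their own <location> rules, because the site-wide <deny users="*" /> would otherwise bounce a user who just failed the role check straight back into the module and produce a redirect loop.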

Configure Diagnostic Tracing (optional)

CasAuthenticationModule uses the .NET Framework System.Diagnostics tracing facility for internal logging. Enabling the internal trace switches should be the first step taken to troubleshoot integration problems.

TRACE Compiler Option


System.Diagnostics tracing requires that the source be compiled with the TRACE conditional-compilation symbol defined (the /define:TRACE compiler option) in order to produce output to trace listeners. The binary distributions of the .NET CAS client provided here are compiled in DEBUG mode with TRACE defined.

The following web.config configuration section provides a sample trace configuration that should be used to troubleshoot integration problems.

Recommended system.diagnostics Section for Troubleshooting CAS Integration Problems

This trace configuration writes output to the file C:\inetpub\logs\LogFiles\DotNetCasClient.Log. That path is only representative; choose a convenient and accessible path based on deployer requirements.

File Permissions


The application pool in which the CAS-enabled .NET application runs must execute under a user with permission to create and write the trace log file. Conversely, restrict read access to that file: verbose protocol tracing may record service tickets and other authentication data, so treat the log as sensitive and disable tracing once the integration problem is resolved.
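A <system.diagnostics> fragment of the kind described above, added here as an example for this page rather than the page's own "Recommended system.diagnostics Section". The trace source names DotNetCasClient.Config, DotNetCasClient.Protocol and DotNetCasClient.Security are assumptions (they are not stated on this page); confirm the names the assembly actually registers before relying on them. The log path is the page's representative path.

```xml
<!-- Added example for <configuration>; not the page's own recommended block.
     ASSUMED: the three DotNetCasClient.* trace source names are not stated on
     this page. Adjust the switch values and the log path to your deployment. -->
<system.diagnostics>
  <trace autoflush="true" />
  <sharedListeners>
    <!-- One file listener shared by all CAS trace sources -->
    <add name="CasTraceFile"
         type="System.Diagnostics.TextWriterTraceListener"
         initializeData="C:\inetpub\logs\LogFiles\DotNetCasClient.Log"
         traceOutputOptions="DateTime" />
  </sharedListeners>
  <sources>
    <source name="DotNetCasClient.Config" switchName="CasConfigSwitch"
            switchType="System.Diagnostics.SourceSwitch">
      <listeners>
        <add name="CasTraceFile" />
      </listeners>
    </source>
    <source name="DotNetCasClient.Protocol" switchName="CasProtocolSwitch"
            switchType="System.Diagnostics.SourceSwitch">
      <listeners>
        <add name="CasTraceFile" />
      </listeners>
    </source>
    <source name="DotNetCasClient.Security" switchName="CasSecuritySwitch"
            switchType="System.Diagnostics.SourceSwitch">
      <listeners>
        <add name="CasTraceFile" />
      </listeners>
    </source>
  </sources>
  <switches>
    <!-- Verbose only while troubleshooting: the protocol trace can include
         service tickets. Set these to Warning or Off afterwards. -->
    <add name="CasConfigSwitch" value="Verbose" />
    <add name="CasProtocolSwitch" value="Verbose" />
    <add name="CasSecuritySwitch" value="Verbose" />
  </switches>
</system.diagnostics>
```

Grant the application pool identity write access to the log directory only, and keep read access to the file limited to administrators; lowering the three switch values is the quickest way to stop ticket data from being written once the integration works.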


8 Comments

  1. It looks like the examples are out of sync with the releases.

    I am getting an error 'The method or operation is not implemented'. The error is occurring in:

    Locating source for 'C:\Projects\Jasig\CAS\dotnet-client\trunk\DotNetCasClient\Security\CasPrincipal.cs'. Checksum: MD5 {41 59 e6 3a 83 fe b7 c7 a1 72 ce cf 38 a 17 d8}
    The file 'C:\Projects\Jasig\CAS\dotnet-client\trunk\DotNetCasClient\Security\CasPrincipal.cs' does not exist.
    Looking in script documents for 'C:\Projects\Jasig\CAS\dotnet-client\trunk\DotNetCasClient\Security\CasPrincipal.cs'...
    Looking in the projects for 'C:\Projects\Jasig\CAS\dotnet-client\trunk\DotNetCasClient\Security\CasPrincipal.cs'.
    The file was not found in a project.
    Looking in directory 'C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\crt\src\'...
    Looking in directory 'C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\src\mfc\'...
    Looking in directory 'C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\src\atl\'...
    Looking in directory 'C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\'...
    The debug source files settings for the active solution indicate that the debugger will not ask the user to find the file: C:\Projects\Jasig\CAS\dotnet-client\trunk\DotNetCasClient\Security\CasPrincipal.cs.
    The debugger could not locate the source file 'C:\Projects\Jasig\CAS\dotnet-client\trunk\DotNetCasClient\Security\CasPrincipal.cs'.

    What I see in source control is a build that would upload the roles from the example file. That code was checked in on 9-15-2011; your last release of the dll was 12-10-2010.

    When will everything be in synch?

    Is this an active code line?

  2. As a feature request it would be nice if the ServerName element was not required on the casClientConfig, and if it's left blank the current application url is used.

  3. User support is provided via the CAS user mailing list, cas-user@lists.jasig.org.  Feature requests may be discussed on the user or dev (cas-dev@lists.jasig.org) mailing lists, or created directly in the project Jira space, NETC.

  4. Yew

    I'm a newbie in CAS. I'm trying to replicate a simple JSP script function for retrieving a SAML custom attribute, but with no luck.

    I was redirected from the SAML 1.1 page to here to get more info on requesting SAML, but I have not seen anywhere that says it supports the SAML protocol. Can anyone shed some light on how to use the .NET CAS client to retrieve a simple custom attribute key/value pair?

    This client should be easy and straightforward to use. Thanks, feedback is appreciated.

    BTW, this is the JSP script snippet I'm referencing.

    <%@ page import="java.util.Map, java.util.Iterator,
                     org.jasig.cas.client.authentication.AttributePrincipal" %>
    <%
        // The Java CAS client exposes released attributes on the principal
        AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
        Map attributes = principal.getAttributes();
        Iterator attributeNames = attributes.keySet().iterator();

        out.println("<table>");
        for (; attributeNames.hasNext();) {
            out.println("<tr><th>");
            String attributeName = (String) attributeNames.next();
            out.println(attributeName);
            out.println("</th><td>");
            Object attributeValue = attributes.get(attributeName);
            // Note: values are written unescaped; HTML-escape them on a real page
            out.println(attributeValue);
            out.println("</td></tr>");
        }
        out.println("</table>");
    %>

  5. Hello - trying to add the client to the .NET Global Assembly Cache per the instruction above, but am getting an error that the assembly does not have a strong name. Is there anyway to get the current version signed?
    Or will I be relegated to this: http://social.msdn.microsoft.com/Forums/en-US/clr/thread/35930958-9775-4e56-bd38-0362d124ffc4/

    Thanks,

  6. I've been trying to reproduce the example with the web application that comes in the "dotnet-client-1.0-Src.zip" file. I added the web application to an IIS 7 and I'm always getting the same error. This is the code of the error: 0x80070021.

    I've tried to fix it following some advice that I found on Google (like putting overrideModeDefault="Allow"), but it doesn't work. Can someone help me? Thanks.

  7. While working with the DotNetCasClient I've noticed that when setting ticketValidationName = "Cas20", no attributes are coming through. With further investigation I've found that in the method ParsResponseFromServer in the Cas20ServiceTicketValidator class, it is only parsing the user name and testing whether the user has been CAS authenticated, omitting the attributes altogether. Was there a reason for not parsing the response XML to get the attributes? Will Cas20 support attributes in the next releases?

  8. I have set up the CAS .NET client as instructed in this Wiki, however when a user enters their credentials into the CAS logon page they get redirected back to the logon page, rather than to our web application.

    We have experimented with the php CAS client, using the same CAS instance and redirection is working nicely. We noticed that the query string passed to the CAS logon page is different when using the .NET client; the redirect URL query string parameter has a name of TARGET, whereas when using the php CAS client it has a name of service. Is this significant?

    Is this Wiki page complete and accurate?

    We are using CAS 4.0 rc2, with SAML.