Content
OmniAuth CAS Single-Sign On Strategy
The core OmniAuth integration in the upcoming OpenProject 4.x finally allows external authentication schemes for project management.
With the upcoming release, I present our use-case and plugin at the Technische Universität Darmstadt.
A thanks to the team for the integration and especially for the amazingly simple strategy base plugin openproject-auth_plugins (to Markus et. al)
OpenProject Auth-CAS
This plugin serves as a wrapper to the OmniAuth CAS strategy for use within OpenProject.
More details at:
https://github.com/oliverguenther/openproject-auth_cas
Use case at the Technische Universität Darmstadt
The HRZ at the TU-Darmstadt employs the JaSig Central Authentication Service (CAS) as the primary method of campus authentication through Single-Sign On.
The auth plugin (using a custom icon) integrates nicely with the OpenProject login pane.
One remaining question, not entirely related to plugins: What options exist for the first authentication hook ? The default seems to be to mark the account registered and ready for review by an administrator.
Is there a way to set accounts ‘imported’ from CAS / other external providers as active?
Replies (15)
Hey Oliver,
good work with your plugin!
As for your remaining question: That depends on your instance settings.
You can enable automatic registration under
Administration -> Settings -> Authentication:This way accounts created through OmniAuth will be activated automatically. Then again this also allows for users registering manually by username and password to be activated automatically.
Though I wonder if you could just disable the normal registration for HRZ then.
Have you seen the configuration options omniauth_direct_login_provider and disable_password_login ?
The latter will disable registration and login via username and password and will only leave OmniAuth authentication enabled:
The former will skip the selection altogether and will use whatever provider, for instance CAS, directly when you click on Sign in.
If you still want to support both conventional registration and login via username and password, and OmniAuth providers, you could register a hook and activate the account if it’s not active yet and comes from CAS. For that you could write the following (untested) initializer in your plugin, although it is a bit of a hack:
initializer "cas.evil_hack" do Concerns::OmniauthLogin.module_eval do def authorization_successful_with_activation(user, auth_hash) if auth_hash[:provider] == 'cas' user.activate! end authorization_successful_without_activation user, auth_hash end alias_method_chain :authorization_successful, :activation end endOf course this isn’t necessarily a good idea as it relies on implementation details. It would be better to use a provided API.
Unfortunately there isn’t a hook you could use for that, yet. There is a user authorization hook but it’s only called with the omniauth hash and not with the user. If we would pass the user there as well you could use that.
Hi Markus,
thanks for your reply. I’ve noticed both mentioned parameters, but it is indeed the third option that matches our previous implementation.
I will discuss the option of removing password-based logins all together and otherwise resort to the evil hack for the time being ;)
Nonetheless, I formalized the requirement of the third option as a user story in https://www.openproject.org/work_packages/15825
Hi,
I'm trying to integrate cas on OpenProject 8.2. I think this plugin is outdated. Is there a new way to do that? I could integrate OpenIdConnect but can't find a way for CAS. I will be glad for any help!
Best,
-Beraat
What makes you think it's outdated? The method it uses is still valid.
Thank you for your answer Oliver. I followed the tutorial but when i try to start the server i get the error: NameError: uninitialized constant OpenProject::Plugins::AuthPlugin. That's why i thought there is something missing.
Oliver Günther wrote:
Hello, I confirm the issue with 8.2 I've updated today from 8.1 and I have the same error:
I've created an issue in the github repo of the plugin.
https://github.com/oliverguenther/openproject-auth_cas/issues/3
Hello Kim,
I placed the following gem in the last line of Gemfile.modules and problem solved. Before I was adding it to Gemfile.plugins and it was causing problem. Hope it helps you too.
Best,
-Beraat
Kim Serradell wrote:
Berat! Thanks for your reply!
In my case, I've modified the plugin and it also works. I've contacted the developer but I did not get any answer.
Anyway, is working!
I'm glad you made it work Kim. I want to ask you a question about another issue maybe you have also faced. I configured SSL on my server and now it's served with "https". But when i return from CAS server after login, OpenProject gives Internal Error and on logs it says "OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)):". Have you ever had this problem or do you have any idea how I can solve it?
Best,
Beraat
Kim Serradell wrote:
No. Our integration with CAS worked from the beggining over HTTPS. We only had to work on the attibutes (we are not following the standards). Are you using same certificates?
What do you mean same certificates? I created certificates using LetsEncrypt. I called "openproject reconfigure", enabled SSL and filled certificate paths. And then restarted OpenProject but faced the issue that i mentioned.
Kim Serradell wrote:
I have included the fix by Kim into the plugin and released it as 0.1.1
Best,
Oliver
Hello,
First off, thanks to this thread and the OmniAuth CAS strategy project on GitHub I was able to successfully create my first OpenProject Authentication plugin implementing the OmniAuth SAML strategy. I am however running into a problem. I apologize if the answer to this query is obvious, but this is my first experience with Ruby.
I am attempting to automatically activate users that are created and through OmniAuth, using the “cas.evil_hack” initializer presented above as I don’t see a way to implement it otherwise. I add the following code to my module:
initializer "omax_saml.activate_user" do Concerns::OmniauthLogin.module_eval do def authorization_successful_with_activation(user, auth_hash) # if this user is coming in via the SAML provider # and it's a new record, activate it if auth_hash[:provider] == 'omax_saml' && user.new_record? fill_user_fields_from_omniauth(user, auth_hash) # triggers a save that bypasses model validation user.activate! end # fall through to the old method to finish processing the login authorization_successful_without_activation user, auth_hash end alias_method :authorization_successful_without_activation, :authorization_successful alias_method :authorization_successful, :authorization_successful_with_activation end endHowever, once I add the Concerns::OmniauthLogin.module_eval line to my initializer I am unable to start the development as it presents the following error:
I researched the error and found a common solution to this problem is accidentally requiring a file that is auto-loaded by the Rails’ autoloading rules.
Tracing through the code I found the following 2 require statements of the omniauth_login file:
require 'concerns/omniauth_login'I did some testing and commenting out these lines resolves the error, my alias_method commands work, and the system behaves like I want (users authenticated via my SAML strategy implementation are automatically registered. I also don't appear to have any other errors relating to removing the require statements (possibly because my module is doing the require very early in the application lifecycle). My question is, what is the appropriate way to solve this problem?
Any guidance would be appreciated.
Thanks,
Bryce
Hello.
I've upgraded OpenProject to version 10. Everything went fine but CAS login is not longer avaialable. In logs I see:
This was not listed in https://www.openproject.org/release-notes/openproject-10-0-0/
What can I do to have CAS login again?
I can not restore the 9 version because I forgot to make a backup...
Thanks,
KiM