CAS with PHP on Webserve

Important:
On Webserve, PHP 7.1 will become the default version in spring 2018; however, PHP 5.6 will still be available until it is retired at the end of December 2018. For help specifying which version of PHP to use, see PHP server-side scripting language.

CAS authentication can be used with an existing CAS session. This removes the need for users to enter their credentials if they've already logged into CAS elsewhere.

The following example shows how to restrict access to a list of users using CAS and PHP.

cas.php

 <?php
 
 session_start();
 
 
  //THIS FUNCTION GETS THE CURRENT URL
  function curPageURL()
  {
    $pageURL = 'http';
    if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") { //HTTPS is not set on plain HTTP requests
      $pageURL .= "s://";
      if ($_SERVER["SERVER_PORT"] != "443") {
        $pageURL .= $_SERVER["HTTP_HOST"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
      } else {
        $pageURL .= $_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"];
      }
    } else {
      $pageURL .= "://";
      if ($_SERVER["SERVER_PORT"] != "80") {
        $pageURL .= $_SERVER["HTTP_HOST"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
      } else {
        $pageURL .= $_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"];
      }
    }
    return $pageURL;
  }//END CURRENT URL FUNCTION
 
 
  //THIS FUNCTION SENDS THE USER TO CAS AND THEN BACK
  function cas_authenticate(){
 
    $sid = SID; //Session ID #
 
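    //if the last session was over 15 minutes ago
    if (isset($_SESSION['LAST_SESSION']) && (time() - $_SESSION['LAST_SESSION'] > 900)) {
      $_SESSION['CAS'] = false; // set the CAS session to false
      unset($_SESSION['user']); // forget the old username so the user must re-validate with CAS
    }
 
    //treat a missing CAS flag (first visit) as not authenticated
    $authenticated = !empty($_SESSION['CAS']);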
    $casurl = curPageURL();
    $casurl = strtok($casurl, '?');

 
    //send user to CAS login if not authenticated
    if (!$authenticated) {
      $_SESSION['LAST_SESSION'] = time(); // update last activity time stamp
      $_SESSION['CAS'] = true;
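      //URL-encode the return URL so it cannot break out of the query string or the HTML attribute
      echo '<META HTTP-EQUIV="Refresh" Content="0; URL=https://cas.iu.edu/cas/login?cassvc=IU&casurl='.urlencode($casurl).'">';
      //header("Location: https://cas.iu.edu/cas/login?cassvc=IU&casurl=".urlencode($casurl));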
      exit;
    }
 
    if ($authenticated) {
      if (isset($_GET["casticket"])) {
        //set up validation URL to ask CAS if ticket is good
        $_url = 'https://cas.iu.edu/cas/validate';
        $cassvc = 'IU'; //search kb.indiana.edu for "cas application code" to determine code to use here in place of "appCode"
 
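        //URL-encode the ticket and return URL: both values come from the request
        $params = "cassvc=$cassvc&casticket=".urlencode($_GET["casticket"])."&casurl=".urlencode($casurl);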
        $urlNew = "$_url?$params";
 
        //CAS sending response on 2 lines. First line contains "yes" or "no". If "yes", second line contains username (otherwise, it is empty).
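        $ch = curl_init();
        $timeout = 5; // set to zero for no timeout
        curl_setopt($ch, CURLOPT_URL, $urlNew);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the response instead of printing it
        $cas_answer = curl_exec($ch); // false if the request failed
        curl_close($ch);
        //split CAS answer into access and user
        //split() was removed in PHP 7; explode() works in both PHP 5.6 and 7.1
        list($access, $user) = array_pad(explode("\n", (string) $cas_answer, 2), 2, '');
        $access = trim($access);
        $user = trim($user);
        //set user and session variable if CAS says YES
        if ($access === "yes") {
          $_SESSION['user'] = $user;
        } else {
          unset($_SESSION['user']); // CAS said "no" or did not answer: drop any earlier username
        }//END SESSION USER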
      } else if (!isset($_SESSION['user'])) { //END GET CAS TICKET
        echo '<META HTTP-EQUIV="Refresh" Content="0; URL=https://cas.iu.edu/cas/login?cassvc=IU&casurl='.urlencode($casurl).'">';
        exit;
      }
    }
  }//END CAS FUNCTION
 
  cas_authenticate();
 
  //gets the username from the SESSION variable 'user' created by CAS (null if CAS did not confirm a user)
  $username = isset($_SESSION['user']) ? $_SESSION['user'] : null;
 
  //CHANGE THIS LIST TO THE USERS YOU'D LIKE TO HAVE ACCESS
  $users = array("user1", "user2", "user3");
  if(!in_array($username, $users, true)){
    die("Sorry you do not have access to this page.");
  }
 
  //UNCOMMENT NEXT 3 LINES IF YOU'D LIKE TO RESTRICT TO A SINGLE USER
  //if($username != "user"){
  //  die("Sorry you do not have access to this page.");
  //}
 
 
  ?>

example.php

  <?php include("cas.php"); ?>
  <html>
    <head>
      <title>CAS Example</title>
    </head>
    <body>
      <h1>You're authenticated using CAS!</h1>
    </body>
  </html> 
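
The validation reply that cas.php parses (first line "yes" or "no", second line the username) should deny access whenever it is anything other than a well-formed "yes". The PHP below is an added example, not part of the original IU document; the function name parse_cas_validate_response, the username pattern and the sample replies are assumptions constructed for illustration.

```php
<?php
// Added example, not part of the original IU document.
// Assumes the two-line reply format described in cas.php:
// line 1 is "yes" or "no"; line 2 carries the username only after "yes".

/**
 * Return the authenticated username, or null for anything that is not
 * a well-formed "yes" reply. Failing closed means a timeout, an error
 * page or a truncated body can never be mistaken for a login.
 */
function parse_cas_validate_response($body)
{
    if (!is_string($body) || $body === '') {
        return null; // curl_exec() returned false or an empty body
    }
    // Accept both LF and CRLF line endings.
    $lines = preg_split('/\r\n|\n|\r/', rtrim($body, "\r\n"));
    if (count($lines) !== 2 || trim($lines[0]) !== 'yes') {
        return null; // "no", extra lines, or "yes" with no username line
    }
    $user = trim($lines[1]);
    // Hypothetical username policy: letters, digits, '.', '_' and '-'.
    if (!preg_match('/^[A-Za-z0-9._-]{1,32}$/', $user)) {
        return null;
    }
    return $user;
}

// Constructed sample replies (not captured from a real CAS server).
$samples = array(
    'valid login'         => "yes\nuser1\n",
    'valid login, CRLF'   => "yes\r\nuser2\r\n",
    'rejected ticket'     => "no\n\n",
    'yes without a user'  => "yes\n",
    'HTML error page'     => "<html><body>503</body></html>",
    'injected extra line' => "yes\nuser1\nuser3\n",
    'transport failure'   => false,
);

foreach ($samples as $label => $body) {
    $user = parse_cas_validate_response($body);
    printf("%-20s => %s\n", $label, $user === null ? 'DENY' : "ALLOW as $user");
}
```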

Note:

To stay informed or provide feedback about Indiana University's Central Authentication Service (CAS), or to ask questions about developing with IU CAS, use the cas-discuss-l mailing list. To subscribe, send email to cas-discuss-l-subscribe@iu.edu.

This is document bfru in the Knowledge Base.
Last modified on 2017-11-15 13:07:44.
