Is it possible to skip the CAS login page?


by Peter de Jong -

When I want to log in to Moodle I'm taken to my CAS page (note I'm using it with OpenLDAP and PHPLdapAdmin).

The /cas page: https://lunafall-game.com:8443/cas/login (my certificate is momentarily self-signed hence the "security" alert)

I would love to be able to log in on MOODLE and then it automatically logs in on CAS.
Is that possible?

And also, when I successfully login at CAS I'm taken here:

[Screenshot: invalid login]

But if I successfully login with another account on CAS I'm taken here:

[Screenshot: edit profile]


I don't understand the difference. Why does one LDAP account give Invalid Login and the other take me to a Profile page? They're both successful on CAS.

Thank you.

In reply to Peter de Jong

Re: Is it possible to skip the CAS login page?

by Peter de Jong -

One more problem:

If I enter wrong credentials on the CAS page I'm taken back to MOODLE, saying "Invalid Login".
Then if I go to the Moodle home page and click Login, I will not be taken back to CAS. I have to clear my cookies before I'm taken to CAS again.

This seems like a MAJOR issue.

Thank you for the help!

In reply to Peter de Jong

Re: Is it possible to skip the CAS login page?

by Ken Task -

For this and for your other posting in this thread, please see the following pages that describe LDAP and CAS.

https://docs.moodle.org/35/en/LDAP_authentication

https://docs.moodle.org/35/en/CAS_server_(SSO)_authentication

Have used LDAP before, but with Microsoft LDAP. Not used CAS, but have and do use now OAuth2 authentication on sites.

Basically, the authentication server has user profile information ... login name, password, email address, first name, last name, etc. The profile information has to be mapped to the columns in Moodle's mdl_user table.

Example: Moodle has a 'lastname' column. In LDAP that could be an object called 'surname'. The mapping configuration for LDAP in Moodle sets up a relationship between LDAP (surname) and Moodle Users Table (lastname).

The reason one gets thrown into the profile page in Moodle is that the authentication server didn't provide profile information Moodle expects ... the 'required' fields for Moodle. Since that information is not provided by the authentication service, Moodle sends the user to their profile page where they can manually add the information.

In the second posting ... you might consider security issues. Most folks don't set LDAP in the Moodle with the access levels to allow someone in Moodle editing/changing their profile information that's contained in LDAP.

Anyway ... read the two links and see how your Moodle is set up to map its profile (mdl_user table) with objects/fields from the authentication service/server.

'spirit of sharing', Ken
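
The attribute mapping described in the reply above can be checked against the directory before users run into it. This added example (not from the thread or from Moodle's code) takes a Moodle-field-to-LDAP-attribute mapping and reports which entries would leave mapped profile fields empty; the mapping, the set of required fields and the sample entries are assumptions constructed for illustration.

```python
# Moodle user field -> LDAP attribute. Assumed mapping: the reply's example
# maps 'lastname' to the LDAP surname attribute, written here as 'sn'.
FIELD_MAP = {"firstname": "givenName", "lastname": "sn", "email": "mail"}

# Assumption: the profile fields this site treats as required.
REQUIRED = ("firstname", "lastname", "email")


def first_value(entry, attr):
    """Return the first non-blank value of an LDAP attribute, or None.

    LDAP attribute names are case-insensitive and values are usually
    multi-valued lists (often bytes), so all of that is normalised here.
    """
    lowered = {key.lower(): val for key, val in entry.items()}
    raw = lowered.get(attr.lower())
    if raw is None:
        return None
    values = raw if isinstance(raw, (list, tuple)) else [raw]
    for value in values:
        if isinstance(value, bytes):
            value = value.decode("utf-8", "replace")
        if value.strip():
            return value.strip()
    return None


def missing_fields(entry, field_map=FIELD_MAP, required=REQUIRED):
    """List the required Moodle fields the directory would leave empty."""
    return [field for field in required
            if field not in field_map
            or first_value(entry, field_map[field]) is None]


def triage(entries):
    """Map uid -> missing Moodle fields, only for entries with gaps."""
    report = {}
    for entry in entries:
        gaps = missing_fields(entry)
        if gaps:
            report[first_value(entry, "uid")] = gaps
    return report


# Constructed directory entries (not taken from the thread).
SAMPLE = [
    {"uid": ["alice"], "givenName": ["Alice"], "sn": ["Jansen"],
     "mail": ["alice@example.org"]},
    {"uid": ["bob"], "GIVENNAME": ["Bob"], "sn": ["  "]},
    {"uid": ["carol"], "givenname": [b"Carol"], "SN": ["Smit"], "mail": []},
]

if __name__ == "__main__":
    for uid, gaps in triage(SAMPLE).items():
        print(f"{uid}: mapped fields empty -> {', '.join(gaps)}")
```
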



In reply to Ken Task

Re: Is it possible to skip the CAS login page?

by Peter de Jong -

Hi Ken,

Thank you very much for taking the time to write such a detailed reply.

I had looked at those pages previously but I will look at them again.

However, I'm not sure how the mapping relates to the main issues:

  • Is it possible to avoid showing the /cas/login page and to just login into the CAS while on Moodle?
  • Some valid users on CAS (login works) give an "Invalid Login" message on Moodle? Shouldn't Moodle automatically make a new profile if you successfully login on CAS? That's what it does with some valid users, but then it does nothing with other valid users. I don't get it.
  • If someone enters their wrong credentials on /cas/login they're taken back to Moodle and Moodle will never re-direct to /cas/ again. Instead Log In on Moodle goes to its own log in page.

Your guidance is for avoiding the "Update Profile" page. Which is also a very good point and one I will check out, but for now these are the main issues that I need to work out.

Please correct me if I'm mistaken and your post does pertain to the 3 issues mentioned above.

In reply to Peter de Jong

Re: Is it possible to skip the CAS login page?

by Ken Task -

There's the 'single sign on' of old ... LAN/WAN based and began with the workstation 'logging onto the network'.

Then there is the 'single sign on' of new ... internet ... TCP/IP based which, IMHO, is somewhat a misnomer, but I guess it's a matter of prior experience/age.

* Is it possible to avoid showing the /cas/login page and to just login into the CAS while on Moodle?

How does either server (cas authentication) or the Moodle know a user has authenticated via CAS?

Now I don't use CAS ... so maybe I shouldn't have responded at all .. but do work with servers that use remote authentications ... LDAP, OAuth2, SAML2 to list them. While they are not CAS, their behaviors are similar in that the Moodle has to communicate with the authenticating server ... AND ... if the data mappings are not correct, one will get different results ... your issues/errors could be coming from the network layer in a login/authentication sequence or attempt. Networking is involved in remote authentication ... period.

Moodle does have a session timeout that is independent of whatever method one has set to communicate. If the authenticating server is not checked from time to time to see if that user is still authenticated *and* lets Moodle know the user is still authenticated, the Moodle session will time out and the user will get a notice ... session has timed out.

Work with an entity that uses SAML2.  The entire process must be initiated on the SAML2 server OR *begun* from the Moodle. But, the SAML2 plugin, polls back to SAML2 to update the sessions information ... all day long ... all night long ... IF the user is into Moodle once that day.

Does CAS work that way?

* Some valid users on CAS (login works) give an "Invalid Login" message on Moodle? Shouldn't Moodle automatically make a new profile if you successfully login on CAS? That's what it does with some valid users, but then it does nothing with other valid users. I don't get it.

Would hope that whatever one uses to authenticate, a user gets a single account ... one user ID number in the mdl_user table. That ID number actually shown in the URL to editing a profile ties that user's enrollments in courses and all their activity with a Moodle. A user that ends up with two or more accounts isn't a good thing.

Won't try your number three here ...

Suggestion for you though ...

1. Use something to look at your mdl_user table ... to see what's going on there.

2. Turn on debugging ... all the way to developer ... let's see if that will give you some more information about what is going on and why things are behaving the way they are.

No Vulcan Mind Meld is possible in these forums.

Come to think of it ... I shouldn't have responded at all ... but do #1 and #2 suggestions above as an 'Authentications Expert' will hopefully come along and see this thread to 'talk tech' with ya!

Outta here ...

'spirit of sharing', Ken
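
One way to carry out suggestion 1, as an added example that is not part of the post above or of Moodle's code: list e-mail addresses attached to more than one live account, and show which auth plugin a given username is tied to. It runs against an in-memory SQLite table with constructed rows and assumes only the mdl_user columns id, username, auth, email, deleted and suspended; the same SELECT statements can be run against the real database.

```python
import sqlite3

# Cut-down mdl_user with constructed rows; the real table has more columns.
SCHEMA = """CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, username TEXT,
    auth TEXT, email TEXT, deleted INTEGER, suspended INTEGER)"""
ROWS = [
    (2, "jdoe", "cas", "j.doe@example.org", 0, 0),
    (3, "john", "manual", "J.Doe@example.org", 0, 0),
    (4, "anna", "cas", "anna@example.org", 0, 0),
    (5, "anna.old", "ldap", "anna@example.org", 1, 0),  # deleted account
]


def sample_db():
    """Build the constructed table in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO mdl_user VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn


def accounts_by_email(conn):
    """Return {email: [(id, username, auth), ...]} for e-mail addresses
    that appear on two or more live (not deleted) accounts."""
    rows = conn.execute(
        "SELECT id, username, auth, LOWER(email) FROM mdl_user "
        "WHERE deleted = 0 AND email <> '' ORDER BY id")
    groups = {}
    for uid, username, auth, email in rows:
        groups.setdefault(email, []).append((uid, username, auth))
    return {e: accts for e, accts in groups.items() if len(accts) > 1}


def account_state(conn, username):
    """Return (id, auth, deleted, suspended) rows for one login name."""
    return conn.execute(
        "SELECT id, auth, deleted, suspended FROM mdl_user "
        "WHERE LOWER(username) = LOWER(?) ORDER BY id",
        (username,)).fetchall()


if __name__ == "__main__":
    db = sample_db()
    for email, accts in accounts_by_email(db).items():
        print(email, "->", accts)
    print("anna.old:", account_state(db, "anna.old"))
```
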