Moodle tracker issue MDL-52448

'Multi-authentication' option on Moodle's CAS set to No causes duplicate HTTP redirects


    • MOODLE_28_STABLE, MOODLE_29_STABLE, MOODLE_30_STABLE

      Prerequisites:

      1. CAS server with SSL (SSO only works with SSL)

      Auth test

      1. As admin, set up CAS auth
      2. Log out
      3. Open the inspector / dev tools with the network tab open so you can view requests
      4. Click 'Log In'
      5. You should be redirected to CAS with a service URL (no gateway flag set)
      6. You should be asked for a user ID / password
      7. You should be able to log in successfully

      SSL Test

      1. Log out of Moodle
      2. Go directly to your CAS instance
      3. Log in
      4. Go to Moodle
      5. Click 'Log In'
      6. You should be logged straight in without having to type a password

      The "gateway" feature of CAS is ostensibly intended for landing pages, in order to (like you've mentioned) implicitly inform the user that they are accessing a given service instead of showing them a possibly less-than-informative login screen with no real information as to what they are logging into (if they've forgotten what link they initially clicked, URL they typed, etc…).

      However, the way some institutions use CAS with their Moodle instance makes the use of this feature rather detrimental…

      There is an oversight with regards to the 'Multi-authentication' option on Moodle's CAS Authentication Plug-in configuration page. When set to 'No', the "gateway" option becomes not only useless in terms of providing any extra functionality, but also harmful in that it is literally doubling the number of HTTP redirects (and ensuing network traffic) of every single authentication handshake (on both ends mind you).

      Here is how it is currently working:

      • User visits Moodle
      • User clicks on 'Log In'
      • User is redirected to CAS with a service URL (with the gateway flag set to true)
      • Because the user is not logged in, user is redirected back to Moodle †
      • Moodle then sees this redirect has no CAS service ticket appended, redirects the user back to CAS (without the gateway flag)
      • CAS sees a valid service login request, and is finally able to ask the user for his/her credentials (since gateway was not set)
      • User logs into CAS using user ID / password
      • CAS redirects to Moodle with service ticket
      • Moodle verifies service ticket with CAS, logs user in

      † If the user is logged in, the extra redirects are skipped; however, that is an extremely uncommon fringe case in our use. Generally speaking, the majority of students log in and out at the beginning and end of class, respectively. Furthermore, the 'already logged in' functionality is identical regardless of the gateway flag's value.

      Here is how it should be working (since we have 'Multi-authentication' set to 'No'):

      • User visits Moodle
      • User clicks 'Log In'
      • User is redirected to CAS with a service URL (no gateway flag set)
      • Iff the user is not logged into CAS, User logs into CAS using user ID / password
      • CAS redirects to Moodle with service ticket
      • Moodle verifies service ticket with CAS, logs user in

      As you can see, there is no need for the gateway flag in our setup, as it is actually rather detrimental. It is seemingly only useful in the case that Moodle wants to see if the user is already logged into an authentication plug-in (like CAS) but ultimately if the user is not logged in, Moodle wants to offer them another screen with additional options or information before proceeding…
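      The two handshakes above, modelled as an added example (not Moodle or phpCAS code): the CAS `gateway=true` parameter and Moodle's `login/index.php` follow the CAS protocol and Moodle conventions, while the hostnames and the ticket value are constructed placeholders. Counting the hops shows the doubled redirect path when the gateway flag is sent first and no CAS session exists, and identical hop counts when the user is already logged into CAS.

```python
from urllib.parse import urlencode

# Constructed hostnames; only the URL shapes (CAS /login with service and
# gateway parameters, Moodle's login/index.php) follow the real protocols.
MOODLE = "https://moodle.example.edu/login/index.php"
CAS = "https://cas.example.edu/cas/login"


def cas_login_url(gateway: bool) -> str:
    """Service URL Moodle redirects the browser to, with or without gateway."""
    params = {"service": MOODLE}
    if gateway:
        params["gateway"] = "true"  # CAS must not prompt; bounce back instead
    return f"{CAS}?{urlencode(params)}"


def cas_respond(url: str, cas_session: bool) -> str:
    """What CAS does with a /login request: ticket, silent bounce, or form."""
    if cas_session:
        return MOODLE + "?ticket=ST-constructed"  # SSO: ticket straight away
    if "gateway=true" in url:
        return MOODLE  # gateway set and no session: redirect back, no ticket
    return "LOGIN_FORM"  # no gateway: CAS asks for user ID / password


def handshake(gateway_first: bool, cas_session: bool) -> list:
    """Ordered list of HTTP redirects until Moodle receives a service ticket."""
    hops = []
    url = cas_login_url(gateway_first)
    hops.append(("moodle->cas", url))
    resp = cas_respond(url, cas_session)
    if resp == MOODLE:
        # Gateway bounce without a ticket: Moodle must redirect a second time,
        # this time without the gateway flag (the doubled path in the report).
        hops.append(("cas->moodle", resp))
        url = cas_login_url(False)
        hops.append(("moodle->cas", url))
        resp = cas_respond(url, cas_session)
    if resp == "LOGIN_FORM":
        # User submits credentials; CAS now holds a session and issues a ticket.
        resp = cas_respond(url, True)
    hops.append(("cas->moodle", resp))
    return hops


def should_use_gateway(multiauth: bool) -> bool:
    """Proposed rule: gateway is only useful when Moodle offers other options."""
    return multiauth
```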

            Assignee: Unassigned
            Reporter: Jason Hardin (jrh18, Inactive)