====== How to use "CAS Jasig" to authenticate users in Vanilla2 forum ?   ======

The goal is to integrate your existing SSO (based on [[http://www.jasig.org/cas|CAS]]) in a [[http://vanillaforums.org/|Vanilla2]] based forum.

===== Vanilla2 ProxyConnect plugin =====

First of all, you need to install the [[http://vanillaforums.org/addon/472/vanilla-proxyconnect|ProxyConnect]] plugin. Then you have to enable it from the dashboard.

Finally, configure it like that:
^ Main Site URL | ''http://your-vanilla2-web-site/'' |
^ Authenticate URL | ''http://your-vanilla2-web-site/sso/authenticate.php'' |
^ Registration URL | ''http://your-vanilla2-web-site/sso/register.php'' |
^ Sign-In URL | ''http://your-vanilla2-web-site/sso/signin.php'' |
^ Sign-Out URL | ''http://your-vanilla2-web-site/sso/signout.php'' |

Now, you have to setup these "sso scripts".

===== Scripts contents =====

The two more importants are ''sso/authenticate.php'' and ''sso/signin.php''. These scripts will share some parameters that will be stored in ''sso/config.php''.

==== sso/config.php ====

  * ''$secret'' is a private key, it is used to secure the cookie between ''signin.php'' and ''authenticate.php''. 
  * ''getMailFromLogin($login)'' is used to return the mail address corresponding to the login (write your own)
  * ''getUserIDFromLogin($login)'' is used to return a unique id to identified your login in the vanilla2 bdd

<code php>
<?php

$secret = "zef43kjdf657kjdf243";

function getMailFromLogin($login) {
    // TODO: write your own code to search the Mail
    //       corresponding to $login
    // for example, connect to your BDD or LDAP and search in it.
}

function getUserIDFromLogin($login) {
    // TODO: write your own code to associate 
    //       a unique numerical id for $login
    // for example, connect to your BDD or LDAP and search in it.
 
    // Or use this very simple code to handle unique id in flat file
    $dbfile = dirname(__FILE__).'/userid.data.php';
    $users = array();
    if (!file_exists($dbfile)) {
        file_put_contents($dbfile, '<?php $users = '.var_export($users, true).';');
    }
    include $dbfile;
    if (!isset($users[$login])) {
        asort($users);
        $maxid = array_pop(array_values(array_slice($users, 1)));
        $users[$login] = $maxid+1;
    }
    file_put_contents($dbfile, '<?php $users = '.var_export($users, true).';');
    return $users[$login];
}

</code>

==== sso/signin.php ====

This one will redirect user to your SSO in order to get the authenticated login, then it will setup a cookie to communicate this login to the ''sso/authenticate.php'' script. It supposes that you have the [[https://wiki.jasig.org/display/CASC/phpCAS|phpCAS]] library (CAS client) installed and accessible through your PHP include_path.

<code php>
<?php
include dirname(__FILE__).'/config.php';

include_once('CAS.php');
//phpCAS::setDebug();
phpCAS::client(CAS_VERSION_2_0,'your.sso.domaine',443,'');
phpCAS::setNoCasServerValidation();
phpCAS::forceAuthentication();
$login = phpCAS::getUser();

// setup a secure cookie for login communication to sso-authenticate.php
$hash = base64_encode(sha1($login.$secret).'/'.$login);
setcookie("SSO_ID", $hash, 0, '/');

// redirect to the vanilla 2 forum
$url = ($_SERVER['HTTPS'] == 'on' ? 'https' : 'http').'://'.$_SERVER['HTTP_HOST'].'/'.(isset($_GET['r'])?$_GET['r']:'/');
$url = rtrim($url, '/');
header('Location: '.$url);
</code>

==== sso/authenticate.php ====


This script get the cookie previously setup by ''sso/signin.php'' to extract the login value. Then it searches for a unique id and for the user's mail. And finally it returns result as vanilla2 is waiting for.

__Notice__ : this script will be called directly by vanilla after ''sso/signin.php'' is called. This script is never loaded be the user's browser.

<code php>
<?php

include dirname(__FILE__).'/config.php';

if (!isset($_COOKIE['SSO_ID'])) {
    die();
}

$hash   = explode('/',base64_decode($_COOKIE['SSO_ID']));
if ($hash[0] == sha1($hash[1].$secret)) {
    $login  = $hash[1];
} else {
    die();
}


$login  = strtolower($login);
$id     = getUserIDFromLogin($login);
$mail   = getMailFromLogin($login);

if (!$login || !$mail || !$id) {
    die();
}

?>
UniqueID=<?php echo $id; ?> 
Name=<?php echo $login; ?> 
Email=<?php echo $mail; ?> 
</code>

==== sso/signout.php ====

This script will just destroy the vanilla cookie and the SSO cookie.
<code php>
<?php

setcookie('Vanilla', ' ', time() - 3600, '/');
setcookie('SSO_ID', ' ', time() - 3600, '/');

// redirect to the vanilla home
header('Location: '.($_SERVER['HTTPS'] == 'on' ? 'https' : 'http').'://'.$_SERVER['HTTP_HOST'].'/');
</code>

<note warning>Attention: create a blank file ''favicon.ico'' in your vanilla root directory if you want to be able to logout.</note>

==== sso/register.php ====

This script should redirect to your centralized user registration url...

<code php>
header('Location: http://your-registration-url');
</code>


{{tag>article computing sso cas vanilla forum}}
~~DISCUSSION~~