How to use "CAS Jasig" to authenticate users in Vanilla2 forum ?

The goal is to integrate your existing SSO (based on CAS) in a Vanilla2 based forum.

Vanilla2 ProxyConnect plugin

First of all, you need to install the ProxyConnect plugin. Then you have to enable it from the dashboard.

Finally, configure it like that:

Now, you have to setup these "sso scripts".

Scripts contents

The two more importants are sso/authenticate.php and sso/signin.php. These scripts will share some parameters that will be stored in sso/config.php.

sso/config.php

<?php
 
$secret = "zef43kjdf657kjdf243";
 
function getMailFromLogin($login) {
    // TODO: write your own code to search the Mail
    //       corresponding to $login
    // for example, connect to your BDD or LDAP and search in it.
}
 
function getUserIDFromLogin($login) {
    // TODO: write your own code to associate 
    //       a unique numerical id for $login
    // for example, connect to your BDD or LDAP and search in it.
 
    // Or use this very simple code to handle unique id in flat file
    $dbfile = dirname(__FILE__).'/userid.data.php';
    $users = array();
    if (!file_exists($dbfile)) {
        file_put_contents($dbfile, '<?php $users = '.var_export($users, true).';');
    }
    include $dbfile;
    if (!isset($users[$login])) {
        asort($users);
        $maxid = array_pop(array_values(array_slice($users, 1)));
        $users[$login] = $maxid+1;
    }
    file_put_contents($dbfile, '<?php $users = '.var_export($users, true).';');
    return $users[$login];
}

sso/signin.php

This one will redirect user to your SSO in order to get the authenticated login, then it will setup a cookie to communicate this login to the sso/authenticate.php script. It supposes that you have the phpCAS library (CAS client) installed and accessible through your PHP include_path.

<?php
include dirname(__FILE__).'/config.php';
 
include_once('CAS.php');
//phpCAS::setDebug();
phpCAS::client(CAS_VERSION_2_0,'your.sso.domaine',443,'');
phpCAS::setNoCasServerValidation();
phpCAS::forceAuthentication();
$login = phpCAS::getUser();
 
// setup a secure cookie for login communication to sso-authenticate.php
$hash = base64_encode(sha1($login.$secret).'/'.$login);
setcookie("SSO_ID", $hash, 0, '/');
 
// redirect to the vanilla 2 forum
$url = ($_SERVER['HTTPS'] == 'on' ? 'https' : 'http').'://'.$_SERVER['HTTP_HOST'].'/'.(isset($_GET['r'])?$_GET['r']:'/');
$url = rtrim($url, '/');
header('Location: '.$url);

sso/authenticate.php

This script get the cookie previously setup by sso/signin.php to extract the login value. Then it searches for a unique id and for the user's mail. And finally it returns result as vanilla2 is waiting for.

Notice : this script will be called directly by vanilla after sso/signin.php is called. This script is never loaded be the user's browser.

<?php
 
include dirname(__FILE__).'/config.php';
 
if (!isset($_COOKIE['SSO_ID'])) {
    die();
}
 
$hash   = explode('/',base64_decode($_COOKIE['SSO_ID']));
if ($hash[0] == sha1($hash[1].$secret)) {
    $login  = $hash[1];
} else {
    die();
}
 
 
$login  = strtolower($login);
$id     = getUserIDFromLogin($login);
$mail   = getMailFromLogin($login);
 
if (!$login || !$mail || !$id) {
    die();
}
 
?>
UniqueID=<?php echo $id; ?> 
Name=<?php echo $login; ?> 
Email=<?php echo $mail; ?> 

sso/signout.php

This script will just destroy the vanilla cookie and the SSO cookie.

<?php
 
setcookie('Vanilla', ' ', time() - 3600, '/');
setcookie('SSO_ID', ' ', time() - 3600, '/');
 
// redirect to the vanilla home
header('Location: '.($_SERVER['HTTPS'] == 'on' ? 'https' : 'http').'://'.$_SERVER['HTTP_HOST'].'/');

Attention: create a blank file favicon.ico in your vanilla root directory if you want to be able to logout.

sso/register.php

This script should redirect to your centralized user registration url…

header('Location: http://your-registration-url');