Bug #13524

CAS authentication service string (service URL) is not configurable

Added by Hector Akamine about 1 month ago. Updated about 1 month ago.

Status: Code Review
Start date: 06/09/2021
Priority: Medium
Due date:
Assignee: Tessa Walsh
% Done: 0%
Category: Access Control
Target version: Release 2.7.0
Google Code Legacy ID:
Tested version: 2.6
Sponsored: Yes
Requires documentation: Yes

Description

When using CAS authentication in AtoM, there seems to be an issue when the hostname does not match the host part of the AtoM instance URL, with AtoM generating an incorrect service string (service URL). Ideally we should be able to configure AtoM to set the correct service URL, however this is not currently possible.

History

#1 Updated by Hector Akamine about 1 month ago

When using CAS authentication in AtoM, there seems to be an issue when the hostname does not match the host part of the AtoM instance URL.
For example, in a host where the FQDN is hostname.somesub.somedomain.org, but the running AtoM instance URL is https://atom.othersub.somedomain.org (with a DNS CNAME record mapping atom.othersub.somedomain.org to hostname.somesub.somedomain.org), when we access the AtoM instance CAS authentication URL (https://atom.othersub.somedomain.org/cas/login), we would expect that AtoM generates a redirect to the CAS server with a service string that uses the hostname in the URL, i.e., https://cas.somedomain.org/cas/login?service=https%3A%2F%2Fatom.othersub.somedomain.org%2Fcas%2Flogin
However, AtoM's generated redirect seems to use the host FQDN instead, i.e., https://cas.somedomain.org/cas/login?service=https%3A%2F%2Fhostname.somesub.somedomain.org%2Fcas%2Flogin . This breaks the authentication mechanism.
Ideally we should be able to configure AtoM to set the correct service URL, however this is not currently possible.
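
An added example (not part of the report, and not AtoM's or phpCAS's code) of resolving the service URL from an operator-set base URL instead of the server's own name, using the hostnames from the report above. The `$configuredBase` setting and both function names are hypothetical, and the `SERVER_NAME` fallback is an assumption about how the host FQDN could end up in the redirect.

```php
<?php
// Added illustration only. casServiceUrl(), casLoginRedirect() and the
// $configuredBase setting are hypothetical names, not AtoM or phpCAS APIs.

function casServiceUrl(?string $configuredBase, array $server, string $path = '/cas/login'): string
{
    if ($configuredBase !== null && $configuredBase !== '') {
        $parts = parse_url($configuredBase);
        // Accept only a bare https origin, so a mistyped setting fails loudly
        // instead of yielding a service URL the CAS server will not recognise.
        if ($parts === false
            || ($parts['scheme'] ?? '') !== 'https'
            || empty($parts['host'])
            || isset($parts['user']) || isset($parts['query']) || isset($parts['fragment'])) {
            throw new InvalidArgumentException('service base URL must be an https origin');
        }
        $port = isset($parts['port']) ? ':' . $parts['port'] : '';
        return 'https://' . strtolower($parts['host']) . $port . $path;
    }

    // Fallback (assumption): build the URL from the web server's own name.
    // Behind a CNAME this is the machine FQDN, not the public hostname.
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $host = $server['SERVER_NAME'] ?? 'localhost';
    return ($https ? 'https' : 'http') . '://' . $host . $path;
}

function casLoginRedirect(string $casLoginUrl, string $serviceUrl): string
{
    // The service URL travels as a single percent-encoded query value.
    return $casLoginUrl . '?service=' . rawurlencode($serviceUrl);
}

// Constructed request environment matching the report: the user browses to
// the CNAME, while the server identifies itself by its FQDN.
$server = [
    'HTTPS' => 'on',
    'SERVER_NAME' => 'hostname.somesub.somedomain.org',
    'HTTP_HOST' => 'atom.othersub.somedomain.org',
];
$cas = 'https://cas.somedomain.org/cas/login';

// No setting: the redirect carries the host FQDN (the reported behaviour).
echo casLoginRedirect($cas, casServiceUrl(null, $server)), "\n";

// Setting present: the redirect carries the public AtoM URL (the expected one).
echo casLoginRedirect($cas, casServiceUrl('https://atom.othersub.somedomain.org', $server)), "\n";
```

The same resolved value has to be sent again as `service` when the ticket is validated, since a CAS server rejects a ticket whose service does not match the one it was issued for. Taking the value from configuration rather than from request headers also keeps the client from influencing it.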

#3 Updated by Dan Gillean about 1 month ago

  • Category set to Access Control
  • Status changed from New to Code Review
  • Assignee set to Tessa Walsh
  • Target version set to Release 2.7.0
  • Sponsored changed from No to Yes
  • Requires documentation set to Yes
  • Tested version 2.6 added
