Discussion:
User authentication combination
Deborah Gaskell
2014-10-08 05:13:36 UTC
Hello all,

My Library has been happily using EZproxy with LDAP authentication for a
number of years, but we have just been asked to fit in with a new mobile
App which uses single sign on as one of its selling points.

As a result we have been asked if our EZproxy server can be configured
to invisibly log people in using CAS from the app.

I understand EZProxy can use CAS and we could just move from LDAP to CAS
but we have previously resisted single sign on authentication as our
students do not currently have to be signed into anything to search for
resources. So it seemed silly to ask them to sign in until they needed
to in order to access a resource.

Does anyone know if EZproxy can be configured to use both CAS and LDAP?

We do not currently use groups, although we may wish to in future, so it
should be a fairly straightforward authentication issue: looking at CAS
first, then, if the user is not signed in, moving to LDAP. But I am
unsure what extra code might be needed in user.txt or what two
authentication systems would do to platforms like EBL which store tokens
regarding loans and so forth on the server. We are running EZproxy
5.7.32.

Any help or suggestions would be greatly appreciated,

Deborah Gaskell
Eaccess Co-ordinator
University of Canberra Library, Australia.

---
You are currently subscribed to ezproxy as: gee-***@m.gmane.org.
To unsubscribe, send request to ***@itec.suny.edu
Peterson, Brian K.
2014-10-08 15:18:20 UTC
I've had both CAS and LDAP enabled concurrently during our transition from LDAP to CAS.

You'll need to update your user.txt, login.htm, and loginbu.htm files.

The user.txt syntax needs you to specify the "auth=" parameter like this:
::auth=cas,CAS
LoginURL foo
ServiceValidateURL bar
IfUnauthenticated; Stop
<anything else you might need>
/CAS

::auth=ldap,LDAP
BindUser (if needed)
BindPassword (if needed)
URL foo
IfUnauthenticated; Stop
<anything else you might need>
/LDAP

For login.htm, you'll need to specify "auth=" in the LDAP post URL:
<form action="/login?auth=ldap&url=^V" method="post">

To use CAS in the login.htm, all you need is a link.
<a href="/login?auth=cas&url=^V">Sign in with CAS</a>

In our case, clicking the link brings the user to the CAS login page and then redirects them to their proxied resource once signed in. If the user was already signed into CAS, they wouldn't be asked to log in again but would be logged into EZproxy using the existing CAS ticket cookie and redirected to their proxied resource. In YOUR case, depending on your app, hopefully clicking such a link would immediately log them into CAS if they're already authenticated in the app.

The interesting thing about CAS is that you could completely bypass the EZproxy login page if desired. You'd just need to specify "auth=cas" within any URL link to a proxied resource, e.g. http://proxy.yourlib.edu/login?auth=cas&url=http://www.oxfordreference.com

Another tip I'd like to share is using LDAP or CAS for admin authentication instead of shared EZproxy admin login credentials. Within the CAS or LDAP user.txt entry, below IfUnauthenticated; Stop, you would add:
IfUser <username>; Admin



Brian Peterson
Unix Administrator
Milner Library, Illinois State University
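To make the routing in the user.txt template above concrete, here is a small model of it, written for this thread as an added example; it is not Brian's configuration and not EZproxy's code. It parses the `::auth=NAME,TYPE ... /TYPE` layout, routes a request for `/login?auth=NAME` to the matching block, and applies `IfUnauthenticated; Stop` and the `IfUser <username>; Admin` tip. The example.edu URLs, the LDAP URL form, the usernames and the order in which directives are evaluated are all assumptions of the model rather than facts about EZproxy.

```python
"""Model of how EZproxy's user.txt selects an authentication block.

Added example, not EZproxy code: it parses the ``::auth=NAME,TYPE ... /TYPE``
layout from the reply above and simulates routing /login?auth=NAME to the
matching block, including ``IfUnauthenticated; Stop`` and the
``IfUser <username>; Admin`` tip. Directive semantics are modelled from the
thread's description, not taken from EZproxy's implementation.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed user.txt: the reply's "foo"/"bar" placeholders are replaced with
# example.edu URLs, and the usernames are placeholders.
USER_TXT = """\
::auth=cas,CAS
LoginURL https://cas.example.edu/cas/login
ServiceValidateURL https://cas.example.edu/cas/serviceValidate
IfUnauthenticated; Stop
IfUser admin-placeholder; Admin
/CAS

::auth=ldap,LDAP
URL ldap://ldap.example.edu/ou=people,dc=example,dc=edu?uid?sub?(objectClass=person)
IfUnauthenticated; Stop
/LDAP
"""


@dataclass
class AuthBlock:
    name: str                     # matched against the auth= query parameter
    kind: str                     # CAS, LDAP, ...
    settings: Dict[str, str] = field(default_factory=dict)
    directives: List[Tuple[str, str]] = field(default_factory=list)


def parse_user_txt(text: str) -> Dict[str, AuthBlock]:
    """Split user.txt into ::auth= blocks; blank lines are ignored."""
    blocks: Dict[str, AuthBlock] = {}
    current: Optional[AuthBlock] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("::auth="):
            name, kind = line[len("::auth="):].split(",", 1)
            current = AuthBlock(name.strip().lower(), kind.strip().upper())
            blocks[current.name] = current
        elif current is None:
            raise ValueError(f"directive outside any block: {line}")
        elif line == "/" + current.kind:
            current = None                       # closing /CAS or /LDAP
        elif line.startswith("If") and ";" in line:
            cond, action = (p.strip() for p in line.split(";", 1))
            current.directives.append((cond, action))
        else:
            key, _, value = line.partition(" ")  # e.g. LoginURL https://...
            current.settings[key] = value.strip()
    if current is not None:
        raise ValueError(f"unterminated {current.kind} block")
    return blocks


@dataclass
class Decision:
    allowed: bool
    user: Optional[str] = None
    admin: bool = False
    reason: str = ""


def route_login(blocks: Dict[str, AuthBlock], auth_param: Optional[str],
                authenticators: Dict[str, Callable[[], Optional[str]]]) -> Decision:
    """Pick the block named by auth=, run its authenticator (a stand-in for the
    CAS ticket validation or LDAP bind), then apply the If directives in order."""
    block = blocks.get((auth_param or "").lower())
    if block is None:
        return Decision(False, reason=f"no ::auth={auth_param!r} block in user.txt")
    user = authenticators[block.name]()
    admin = False
    for cond, action in block.directives:
        if cond == "IfUnauthenticated" and user is None and action == "Stop":
            return Decision(False, reason=f"{block.kind}: IfUnauthenticated; Stop")
        if cond.startswith("IfUser ") and action == "Admin":
            admin = admin or (user == cond.split(None, 1)[1])
    return Decision(user is not None, user, admin, f"{block.kind} block processed")


if __name__ == "__main__":
    cfg = parse_user_txt(USER_TXT)
    # Stand-in authenticators: CAS "succeeds" for the admin placeholder, LDAP fails.
    stand_ins = {"cas": lambda: "admin-placeholder", "ldap": lambda: None}
    print(route_login(cfg, "cas", stand_ins))
    print(route_login(cfg, "ldap", stand_ins))
    print(route_login(cfg, "shib", stand_ins))
```

The point the model makes is that `auth=` is client-supplied input that only chooses which block runs; the user is still identified by that block's own CAS validation or LDAP bind, and admin rights come only from an `IfUser` match on that verified identity, which is why Brian's template puts `IfUnauthenticated; Stop` ahead of everything else in each block.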

Peterson, Brian K.
2014-10-08 15:20:50 UTC
I forgot to include a link to the user authentication documentation on oclc.org: http://www.oclc.org/support/services/ezproxy/documentation/usr.en.html

Multiple Authentication Servers:
http://www.oclc.org/support/services/ezproxy/documentation/usr/multiple.en.html


Brian Peterson
Unix Administrator
Milner Library, Illinois State University
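The `ServiceValidateURL` line in the CAS block of the earlier reply is the endpoint a CAS client calls to turn the ticket the user brings back into a verified username. The following is an added example of that step, not code from EZproxy, OCLC or Brian: it builds the validation request and parses the CAS 2.0 XML reply so that only an explicit `authenticationSuccess` with a non-empty `cas:user` logs anyone in. The cas.example.edu and proxy.example.edu hostnames, the ticket string and both XML replies are constructed samples in the shape the CAS 2.0 protocol specifies.

```python
"""Validate a CAS service ticket, the step behind EZproxy's ServiceValidateURL.

Added example, not EZproxy's code. After the user returns from the CAS
LoginURL with ?ticket=ST-..., the service requests
<ServiceValidateURL>?service=...&ticket=... and parses the CAS 2.0 XML reply.
Hostnames, ticket and XML below are constructed samples.
"""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 response namespace

# Constructed values: the validate endpoint and the exact service URL the
# ticket was issued for (the proxied-resource link style from the thread).
SERVICE_VALIDATE_URL = "https://cas.example.edu/cas/serviceValidate"
SERVICE_URL = "https://proxy.example.edu/login?auth=cas&url=https://www.oxfordreference.com"


def build_validate_url(validate_url: str, service: str, ticket: str) -> str:
    """The service= value must match what was sent to LoginURL byte for byte;
    the CAS server otherwise refuses the ticket (INVALID_SERVICE)."""
    return validate_url + "?" + urlencode({"service": service, "ticket": ticket})


def parse_service_response(xml_text: str):
    """Return (username, None) on success or (None, failure_code) otherwise.

    Anything that is not a well-formed success element counts as a failure, so
    a missing <cas:user> or an unexpected document never logs anyone in."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None, "MALFORMED_RESPONSE"
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
        return (user, None) if user else (None, "MISSING_USER")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return None, failure.get("code", "UNKNOWN")
    return None, "UNEXPECTED_RESPONSE"


# Constructed sample replies in the CAS 2.0 shape.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>user-placeholder</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-0000-placeholder not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(build_validate_url(SERVICE_VALIDATE_URL, SERVICE_URL, "ST-0000-placeholder"))
    print(parse_service_response(SUCCESS_XML))
    print(parse_service_response(FAILURE_XML))
```

Two properties matter for a defender here: the ticket is only ever accepted after a server-to-server call to the validate endpoint (the browser never proves identity on its own), and the `service` parameter binds the ticket to the exact URL it was issued for, so a ticket obtained for one service cannot be replayed against another.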
