LDAP Group Authentication with CAS

MAPS now supports LDAP group authentication for CAS users. This allows you to add your LDAP groups to MAPS, and have your CAS users authenticate based on membership in these groups.

In order to use this feature, you will need to add the groups attribute to your CAS server, in addition to the CN and DN attributes that are required to access your LDAP server. For assistance with adding attributes, please refer to the CAS documentation. You can also refer to their tutorial on Active Directory authentication with CAS.

MAPS expects an XML response from the server in the following format:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>MyUser</cas:user>
    <cas:groups>[CN=MyGroup,OU=Groups,DC=Test,DC=Local, CN=MyGroup2,OU=Groups,DC=Test,DC=Local]</cas:groups>
  </cas:authenticationSuccess>
</cas:serviceResponse>

Note: If a user is a member of more than one group, the groups should be separated by a space.

After adding the LDAP group information to your CAS users, the only configuration you need to do in MAPS is to add your LDAP groups and assign appropriate permissions to each group. For users logging in with CAS, MAPS will automatically detect the group membership information from the CAS server and grant them the appropriate permissions for their LDAP group(s).
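The following is an added illustration of the two steps described above (reading the cas:groups value out of the CAS serviceResponse, then resolving permissions from the groups an administrator has configured); it is example code written for this page, not MAPS's own implementation. The GROUP_PERMISSIONS table, the rule that individual DNs are separated by whitespace (with an optional comma) immediately before the next "CN=", the case-insensitive DN comparison, and the handling of the CAS protocol's cas:authenticationFailure element are all assumptions made for the example. Groups that are not configured in the table grant nothing, and only direct membership is considered, in line with the note on nested groups.

```python
import re
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"

# Constructed sample response in the format the page shows (group DNs are hypothetical).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>MyUser</cas:user>
<cas:groups>[CN=MyGroup,OU=Groups,DC=Test,DC=Local, CN=MyGroup2,OU=Groups,DC=Test,DC=Local]</cas:groups>
</cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure response using the CAS protocol's authenticationFailure element.
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

# Assumed shape of the administrator's "LDAP group -> permissions" configuration.
GROUP_PERMISSIONS = {
    "CN=MyGroup,OU=Groups,DC=Test,DC=Local": {"view_reports"},
    "CN=MyGroup2,OU=Groups,DC=Test,DC=Local": {"view_reports", "edit_assessments"},
}


def normalize_dn(dn):
    """Canonical form for comparing DNs: trim whitespace around RDN separators and
    lower-case everything. Assumption: group DNs are matched case-insensitively."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_groups(text):
    """Split the bracketed cas:groups value into individual, normalized DNs.
    DNs themselves contain commas, so the split point is whitespace (optionally
    preceded by a comma) that is immediately followed by the next 'CN=' (assumption).
    Handles both the ', CN=' form shown on the page and the plain ' CN=' form."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1].strip()
    if not text:
        return []
    return [normalize_dn(g) for g in re.split(r",?\s+(?=CN=)", text, flags=re.IGNORECASE)]


def parse_cas_response(xml_text):
    """Return {'ok': True, 'user': ..., 'groups': [...]} for a success response,
    {'ok': False, 'code': ..., 'message': ...} for a failure response, and raise
    ValueError when the document is not in the expected format (the kind of problem
    the page suggests checking in the MAPS debug log)."""
    root = ET.fromstring(xml_text)
    if root.tag != CAS_NS + "serviceResponse":
        raise ValueError("root element is not cas:serviceResponse")
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"),
                "message": (failure.text or "").strip()}
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None:
        raise ValueError("neither cas:authenticationSuccess nor cas:authenticationFailure present")
    user_el = success.find(CAS_NS + "user")
    if user_el is None or not (user_el.text or "").strip():
        raise ValueError("cas:user missing or empty")
    groups_el = success.find(CAS_NS + "groups")
    groups = parse_groups(groups_el.text or "") if groups_el is not None else []
    return {"ok": True, "user": user_el.text.strip(), "groups": groups}


def permissions_for(response, group_permissions=GROUP_PERMISSIONS):
    """Union of the permissions of every configured group the user is a direct member of.
    Unknown groups contribute nothing (default deny); nested membership is not resolved."""
    if not response["ok"]:
        return set()
    table = {normalize_dn(dn): perms for dn, perms in group_permissions.items()}
    granted = set()
    for group in response["groups"]:
        granted |= table.get(group, set())
    return granted


if __name__ == "__main__":
    result = parse_cas_response(SAMPLE_SUCCESS)
    print(result["user"], sorted(permissions_for(result)))
    print(parse_cas_response(SAMPLE_FAILURE))
```

Running the block prints the user from the constructed success response with the union of both groups' permissions, then the parsed failure response with its error code.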

Note: CAS authentication currently does not work for users who are members of nested LDAP groups.

Troubleshooting Tip: You can look at the debug log in MAPS while attempting to log in through CAS to verify that the response from the CAS server is in the correct format.

Existing LDAP Users Who Have CAS IDs in MAPS

If your institution is already using CAS, you may have a number of LDAP users who have been added to MAPS with their associated CAS IDs. If these users exist in MAPS only for the purpose of associating the CAS ID with their username, feel free to remove them from MAPS once they can authenticate via their group membership.

If you do not wish to remove these users, or if they must be kept in MAPS individually because additional permissions have been granted to them on an individual basis, you should continue to enter the CAS Identifier in MAPS for these users. If your institution has more than one LDAP server, this ensures that only the correct user is given permissions when different users on different LDAP servers happen to share the same LDAP username.