This plugins adds CAS authentication support for Redmine thanks to the OmniAuth authentication framework. OmniAuth is a Rack middleware that let you authenticate against many sources (see the list of supported sources). This plugin aims at being an example of integration for the CAS protocol, but it shouldn’t be that difficult to build a plugin that allows authentication against other sources.
NB: the plugin doesn’t support on-the-fly registration for now.
You can first take a look at general instructions for plugins here.
Note that the plugin is now only compatible with Redmine 2.0.0 or higher. Compatibility with Redmine 1.x has been removed in August, 2012.
Then :
- clone this repository in your plugins/ directory ; if you have a doubt you put it at the good level, you can go to your redmine root directoryand check you have a
plugins/redmine_omniauth_cas/init.rbfile - install the dependencies with bundler :
bundle install - run the migrations from your redmine root directory with command :
RAILS_ENV=production rake redmine:plugins - restart your Redmine instance (depends on how you host it)
Finally you can configure your CAS server URL directly in your redmine instance, in “Administration” > “Plugins” > “Configure” on the OmniAuth CAS plugin line.
Here are some ideas that could be implemented in future releases. I’m really open to suggestions on this plugin, so don’t hesitate to fill an issue directly on GitHub :
- implement ticket validation when first opening your browser (for now you’ll be considered as logged out if your session has expired on Redmine but your ticket is still valid on the CAS server)
- add a plugin option to hide ‘normal’ login/password form
- authorize on-the-fly registration
- authorize non-conventional CAS URLs (for now you can just specify the base CAS url, and login, logout, validate, etc. URLs are deduced)
From a functionality point of view, Redmine’s AuthSource system is useful for 2 things :
- you want to be able to define multiple occurrences of the same authentication source => not possible afaik with OmniAuth CAS strategy
- you want to restrict users to a certain auth source => not so interesting if the login is filled in an external form
Actually, OpenID authentication in core is not an AuthSource neither.
There are some limitations with the current implementation of OmniAuth CAS strategy. To be clear, it doesn’t support dynamic parameters very well, and forces to have a default :cas_server or :cas_login_url defined in the initialization process. I hope I’ll have the time to propose a fix or develop my own CAS strategy soon.
If you like this plugin, it’s a good idea to contribute :
- by giving feed back on what is cool, what should be improved
- by reporting bugs : you can open issues directly on github for the moment
- by forking it and sending pull request if you have a patch or a feature you want to implement