Mingle CAS Authentication
This authentication plugin supports the JA-SIG Central Authentication Service.
- Before you can use Mingle CAS authentication, you must first complete the standard Mingle installation and configuration. Make sure that you setup a user with both full Mingle administrative privileges and a login that is also contained in your CAS System.
- Stop Mingle server.
Edit mingle_data_directory/config/auth_config.yml to contain your configuration:
Please for all options include the slash in cas_uri
Notice the first line of each configuration above, as of 2.0.1 it is now necessary to explicitly state an authentication of type 'cas' in order to use the CAS authentication plugin.
If you have enabled basic authentication, you will not be able to use the CAS plugin for basic authentication, so you will need to specify either 'ldap' or 'mingle' authentication:
- Start Mingle server.
- Go to any Mingle page and you should be redirected to your CAS login page. After entering you username and CAS password, you will be redirected to Mingle and will be logged in as the user you setup in Step 1. This user will still have full Mingle admin privileges. This user can make future Mingle users Mingle admins if you wish to grant others that privilege.
Any users enrolled in your CAS system can now login to Mingle. When they login to Mingle, a Mingle account will be automatically created if it does not already exist. Once a user has logged in for the first time s/he can be granted access to projects.
If the maximum number of Mingle users has been added to the Mingle instance, Mingle will not create accounts for new users logging in via CAS. These users will be informed that the instance has reached the maximum number of users. When the maximum number of users is increased or existing users are deleted or deactivated, Mingle will automatically create accounts for new users again.
If your CAS server use secure connection (i.e., HTTPS) with a certification signed by a commercial signer, use the following configuration:
authentication: cas cas_settings: cas_host: cas.example.com cas_uri: /cas cas_port: 443Option Two:
If your CAS Server use secure connection (i.e., HTTPS) with a self-signed certification, use the following configuration:
authentication: cas cas_settings: cas_host: cas.example.com cas_uri: /cas cas_port: 443 cas_root_cert_path: /etc/pki/cacert/cacert.pemOption Three:
If your CAS Server use secure connection (i.e., HTTPS), but you do not care to validate the certification, use the following configuration:
authentication: cas cas_settings: cas_host: cas.example.com cas_uri: /cas cas_port: 443 cas_trust_all_certs: trueOption Four:
If your CAS server is using a self-signed certificate, you can import your CAS server's certificate and/or your CA Root certificate into your Java keystore:
keytool -import -trustcacerts -alias "My Root Certificate" -file cacert.crt -keystore /usr/java/default/jre/lib/security/cacerts
Please check where is your Java keystore located. In the example above, the Java keystore is under /usr/java/default/jre/lib/security/cacerts
You can then use the same settings as option one above:
authentication: cas cas_settings: cas_host: cas.example.com cas_uri: /cas cas_port: 443
basic_authentication_enabled: true basic_authentication: ldap authentication: cas cas_settings: cas_host: ... ... ldap_settings: ldapserver: ... ...
Should you ever wish to turn off CAS authentication, simply change the values of 'authentication' and 'basic_authentication' in the config/auth_config.yml file to the type of authentication you wish to switch to, either 'ldap' or 'mingle'. After restarting the Mingle server, users will then be able to use the Mingle password recovery feature in order to set a Mingle password.
If you are going to turn off CAS authentication, be absolutely sure that you configure Mingle SMTP successfully before turning off CAS authentication. This will ensure that the password recovery feature is available, allowing users to continue to use Mingle with Mingle's built-in authentication mechanism.