
Feature: enable single sign-on using Central Authorization Service (CAS) protocol #1211

Closed
5 tasks
peterVG opened this issue May 19, 2020 · 5 comments
Assignees
Labels
SFU Type: feature New functionality.
Milestone

Comments

@peterVG
Collaborator

peterVG commented May 19, 2020

Please describe the problem you'd like to be solved
Archivematica users are not able to implement a single sign-on service using the CAS protocol.

Describe the solution you'd like to see implemented

Feature: CAS single sign-on
Scenario: A user is authenticated through a Central Authentication Service (CAS) single sign-on form and is automatically logged in to an Archivematica session.
Given: The institution hosting Archivematica is running a CAS server.
And: The user has an active CAS account.
And: The user account is present in the Archivematica group member list on the CAS server.
When: The user starts a new session on the institution's domain and navigates to the Archivematica homepage.
Then: The unauthenticated user is redirected to the CAS login form where they enter their CAS username and password.
And: The CAS server successfully authenticates the user, assigns them a session service ticket, and redirects them to the Archivematica server.
And: Archivematica sends the service ticket to the CAS server over HTTPS for validation.
And: The CAS server sends a success response to Archivematica which includes the user attributes set on the CAS server.
And: Archivematica creates a new user account if one matching the CAS account doesn’t already exist.
And: Archivematica sets the user session cookie (with the service ticket stripped off) and redirects the user to a new, authenticated Archivematica session.
And: Archivematica checks its configuration file to see if there are expected CAS attributes for user groups. If so, Archivematica checks whether the user has the appropriate attribute for the Admin group and, if so, elevates their user authorization to admin.
And: If enabled in the Archivematica configuration file, the user's CAS account name will be used as a prefix in combination with the institution's domain name as a suffix to auto-generate an email address for the Archivematica user account, if one does not already exist. This account will be subscribed to Archivematica email notifications.
And: When the user logs out of Archivematica, they are also logged out of the Central Authentication Service.

Additional context
CAS support will be implemented within Archivematica using the django-cas-ng library (https://djangocas.dev/) and extend existing patterns for authentication via Shibboleth and LDAP in Archivematica.


For Artefactual use:

Before you close this issue, you must check off the following:

  • All pull requests related to this issue are properly linked
  • All pull requests related to this issue have been merged
  • A testing plan for this issue has been implemented and passed (testing plan information should be included in the issue body or comments)
  • Documentation regarding this issue has been written and merged
  • Details about this issue have been added to the release notes
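The post-validation steps in the scenario above (parse the CAS server's success response, elevate to admin only when the expected group attribute is present, auto-generate an email from username plus domain only when the account has none) as an added, stand-alone example; this is not Archivematica's or django-cas-ng's code, and the setting names, attribute values, domain and sample responses are constructed for illustration.

```python
import xml.etree.ElementTree as ET
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
# Hypothetical settings standing in for the scenario's "expected CAS attributes
# for user groups" and email-domain options (not django-cas-ng setting names).
ADMIN_ATTRIBUTE = "memberOf"
ADMIN_ATTRIBUTE_VALUE = "archivematica-admins"
EMAIL_DOMAIN = "example.org"  # None disables auto-generated addresses

class CasValidationError(Exception):
    """Raised when the CAS server rejects the service ticket."""

def parse_validation_response(xml_text):
    """Return (username, attributes) from a CAS 3.0 serviceValidate response."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise CasValidationError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise CasValidationError("malformed response: no success or failure element")
    username = success.findtext("cas:user", namespaces=CAS_NS)
    attrs = {}
    attr_node = success.find("cas:attributes", CAS_NS)
    if attr_node is not None:
        for child in attr_node:  # multi-valued attributes repeat the element
            name = child.tag.split("}", 1)[-1]  # drop the namespace prefix
            attrs.setdefault(name, []).append((child.text or "").strip())
    return username, attrs

def provision_user(xml_text, existing_email=None):
    """Elevate to admin only when the configured attribute carries the admin
    value; generate an email from username@domain only if none exists yet."""
    username, attrs = parse_validation_response(xml_text)
    is_admin = ADMIN_ATTRIBUTE_VALUE in attrs.get(ADMIN_ATTRIBUTE, [])
    email = existing_email
    if email is None and EMAIL_DOMAIN:
        email = f"{username}@{EMAIL_DOMAIN}"
    return {"username": username, "email": email, "is_admin": is_admin}

# Constructed sample responses, shaped like a CAS server's serviceValidate reply.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:memberOf>archivematica-users</cas:memberOf>
      <cas:memberOf>archivematica-admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess></cas:serviceResponse>"""
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

The validation response is only trusted because it was fetched from the CAS server over HTTPS, as the scenario requires; a failure response must abort provisioning rather than fall through to a default user.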
@peterVG peterVG added Status: in progress Issue that is currently being worked on. SFU triage-release-1.12 labels May 19, 2020
@sromkey sromkey added the Type: feature New functionality. label Jun 24, 2020
@sromkey sromkey added this to the 1.12.0 milestone Jul 6, 2020
@sevein sevein added Status: review The issue's code has been merged and is ready for testing/review. and removed Status: in progress Issue that is currently being worked on. labels Jul 29, 2020
@sevein sevein unassigned tw4l Jul 29, 2020
@tw4l

tw4l commented Jul 29, 2020

Assigned to @Jennoit for internal QA

@tw4l

tw4l commented Jul 29, 2020

@scollazo There are some support/deployment-related considerations with django-cas-ng related to the database tables that we may want to take into account for Archivematica deployments that use CAS authentication.

"Run ./manage.py syncdb (or ./manage.py migrate for Django 1.7+) to create Single Sign On and Proxy Granting Ticket tables. On update you can just delete the django_cas_ng_sessionticket table and the django_cas_ng_proxygrantingticket before calling ./manage.py syncdb.

Consider running the command ./manage.py django_cas_ng_clean_sessions on a regular basis right after the command ./manage.py clearsessions cf clearsessions. It could be a good idea to put it in the crontab."

(Source: https://djangocas.dev/docs/latest/configuration.html#database)

@Jennoit

Jennoit commented Jul 29, 2020

This feature has been successfully tested using SFU sponsored accounts (one administrator and one not an administrator) in both the Archivematica and Storage Service QA instances. The feature works as described and in testing:

  • accessing the application redirects to the SFU CAS login page
  • log in works
  • each user profile is visible and each profile has the correct email address associated with it and the correct administrator status
  • log out works

@peterVG
Collaborator Author

peterVG commented Aug 19, 2020

Docs added in artefactual/archivematica-docs#382

@sromkey
Contributor

sromkey commented Aug 28, 2020

QA'd in client environment.
