document using CAS as authentication provider

strapi · Sep 26, 2020 · 0fd6caa · 0fd6caa
1 parent ed6f619
commit 0fd6caa
Showing 1 changed file with 55 additions and 0 deletions.
diff --git a/docs/v3.x/plugins/users-permissions.md b/docs/v3.x/plugins/users-permissions.md
@@ -526,6 +526,61 @@ The use of `ngrok` is not needed.
   - **The redirect URL to your front-end app**: `http://localhost:3000/connect/linkedin/redirect`
 
 :::
+::: tab CAS
+
+#### Using ngrok
+
+A remote CAS server can be configured to accept `localhost` urls or you can run your own CAS server locally that accepts them.<br>
+The use of `ngrok` is not needed.
+
+#### CAS configuration
+
+- [CAS](https://github.com/apereo/cas) is an SSO server that supports many different methods of verifying a users identity,
+  retrieving attributes out the user and communicating that information to applications via protocols such as SAML, OIDC, and the CAS protocol. Strapi can use a CAS server for authentication if CAS is deployed with support for OIDC.
+- [CAS](https://github.com/apereo/cas) could already be used by your company or organization or you can setup a local CAS server using the [CAS Overlay](https://github.com/apereo/cas-overlay-template)
+- The CAS server must be configured so it can act as an [OpenID Connect Provider](https://apereo.github.io/cas/6.2.x/installation/OIDC-Authentication.html)
+- CAS version 6.2.x is known to work with Strapi.
+- Define a CAS OIDC service for Strapi and store it in whichever CAS service registry is being used.
+- The CAS service definition might look something like this for a local strapi deployment:
+
+```json
+{
+  "@class": "org.apereo.cas.services.OidcRegisteredService",
+  "clientId": "thestrapiclientid",
+  "clientSecret": "thestrapiclientsecret",
+  "bypassApprovalPrompt": true,
+  "serviceId": "^http(|s)://localhost:1337/connect/cas/.*",
+  "name": "Local Strapi",
+  "id": 20201103,
+  "evaluationOrder": 50,
+  "attributeReleasePolicy": {
+    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
+    "allowedAttributes": {
+      "@class": "java.util.TreeMap",
+      "strapiemail": "groovy { return attributes['email'].get(0) }",
+      "uid": "groovy { return attributes['username'].get(0) }"
+    }
+  }
+}
+```
+
+#### Strapi configuration
+
+- Visit the User Permissions provider settings page <br> [http://localhost:1337/admin/plugins/users-permissions/providers](http://localhost:1337/admin/plugins/users-permissions/providers)
+- Click on the **Cas** provider
+- Fill the information:
+  - **Enable**: `ON`
+  - **Client ID**: thestrapiclientid
+  - **Client Secret**: thestrapiclientsecret
+  - **The redirect URL to your front-end app**: `http://localhost:1337/connect/cas/redirect`
+  - **The Provider Subdomain such that the following URLs are correct for the CAS deployment you are targeting:**
+  ```
+    authorize_url: https://[subdomain]/oidc/authorize
+    access_url: https://[subdomain]/oidc/token
+    profile_url: https://[subdomain]/oidc/profile
+  ```
+  For example, if running CAS locally with a login URL of: `https://localhost:8443/cas/login`, the value for the provider subdomain would be `localhost:8443/cas`
+  :::
 
 ::::