The following settings should be adequate for most Georgia Tech developers using Drupal version 9 (or 8).
The CAS configuration page can be found on the black administration toolbar under Configuration -> People -> CAS
Alternatively, you can access the configuration page by adding "/admin/config/people/cas" to the end of your site's front page URL.
Courtesy of Doug Curtis in OIT:
People are receiving a 500 error when using the "GT Logout" link on a Drupal page. It looks like the problem is that the Drupal CAS module is appending the "service=" query string to the end of the CAS logout URL. The GT CAS server will accept "url=" query string but it doesn't accept the "service=" query string. Previously, the CAS service would quietly ignore appended query strings it didn't recognize but that isn't currently the case.
The GT Account Username is the standard computer account for everyone at Georgia Tech. It is used to access a variety of systems including TechWorks, BuzzPort, and Mercury, and can be used to access your Drupal site by installing the CAS module.
You may often find that need to add someone to a group in Mercury or to your Drupal site, and you need to know the person's GT Account Username. Here are several ways that you can look up that information:
CAS is capable of delivering some GTED attributes for the person logging in to Drupal, as part of the login process. This means you don't have to configure and maintain an LDAP module nor manage an LDAP service account (read: no need to keep up with an expiring service account password).
If you are using the CAS module for user authentication, you can require users to be logged in to their GT accounts before they can access specific pages on your Drupal site.
If you are unable to log in with CAS after migrating a site, make sure you copied the .htaccess file in the root of your site (httpdocs on OIT Web Hosting).
Please note that this file may be hidden to some file browsers. If so, configure your file browser to show hidden files.
CAS requires that Clean URLs be enabled. When Clean URLs is enabled, Drupal edits the .htaccess file to properly handle normal-looking URLs.
All Georgia Tech users who have been enabled for two factor authentication (2FA) are required to log into CAS with their two-factor token via the Duo 2FA service. As of summer 2017, this includes virtually all campus employees, and will soon include all students.
So, long story short, there is no reason to add your own two-factor authentication to your Drupal websites - you would, in effect, just be creating three-factor authentication, which would likely create more headaches than benefits.
While the phpCAS library is pretty stable, its maintainers do still release updates periodically, and every now and then one of those updates is to fix a security issue. Below are step-by-step instructions for how to update your phpCAS library to the most current, secure version.
For this example, we will update from version 1.3.2 to version 1.3.3, but the same steps should apply to updating between any versions of the phpCAS library (which allows logins with GTaccounts to our drupal sites).
Central Authentication Service (CAS) based single sign-on is the main method of doing authentication via GT Account Usernames for Drupal website logins. Once users have logged into the GT CAS system, the can access any Georgia Tech website that utilizes CAS without having to enter their GT Account Username again, as long as they don't completely close their browser or clear their browser's cookie cache.
There is a public-facing LDAP server from which you can pull general directory information from without authentication. This server is only accessible from servers and workstations located on one of the Georgia Tech campus subnets.
Use the default settings, unless otherwise stated beow:
