You are browsing a read-only backup copy of Wikitech. The live site can be found at

CAS-SSO: Difference between revisions

From Wikitech-static
Jump to navigation Jump to search
(Add link to source code, clarify intro)
Line 56: Line 56:
== Known issues / FAQ ==
== Known issues / FAQ ==

* We don't implement full Single Sign Out yet, will be handled via
* We don't implement full Single Logout yet, will be handled via

== External link ==
== External link ==

* []
* []

Revision as of 21:49, 11 February 2021

The Wikimedia Developer SSO Portal at is a single sign-on (SSO) infrastructure built on Apereo CAS.

When logging into a CAS-enabled website without an active SSO session you'll be redirected to the CAS login page ( The CAS service collects LDAP group memberships and makes them available to services for making authorisation choices. After authentication the users get redirected to the initiating service.

The authentication happens with your Wikimedia Developer Account name and the respective password. There's also be possibility to add a second factor using U2F, see below how to enable it.

If you select "Remember Me" during, a long term session is initiated. It lasts for seven days (or until you logout via Do only use this when working from a machine only used by yourself. If that's not the case and "Remember Me" is not used, your SSO session will expire after one hour of inactivity.

The current SSO setup is targeted at SRE staff. This is to collect more feedback and address pain points before a wider rollout and also because there might still be disruptive changes which we don't want to impose on less technical users. That's why a number of services with a significant amount of non-SRE users are currently only enabled via a separate Apache site (to not interfere with users authenticating against plain LDAP).

Which services are currently enabled?


The source code is in the operations/software/cas-overlay-template repository.

The service runs mainly on the idp1001 (Eqiad) and idp2001 (Codfw) hosts.

Enabling U2F as a second factor

Apereo CAS supports U2F as a second factor. This is configured on a per-user opt in basis and configured via LDAP. Supported browsers are Chrome/Chromium, Firefox (ESR68 and later, ESR60 had some issues in tests, but it's EOLed anyway now) and Safari (13 and later).

All Yubikeys issued by OIT should be compatible. Onlykeys were also reported to work (

Requesting to enable U2F (if you're not in SRE)

Mid-term, enabling U2F for web SSO will be part of our account management. Until then, please open a task in Phabricator and apply the LDAP-Access-Requests tag. Your SSO account will be U2F-enabled by the SRE person currently on SRE Clinic Duty.

Enabling U2F for an account

To enable U2F as a second factor, run the following on mwmaint1002.eqiad.wmnet:

sudo modify-mfa --enable UID

To disable U2F, use

sudo modify-mfa --disable UID

UID is your shell username here (as that's what identifies your identity on the LDAP level), not the Wikimedia Developer Name). Once it's enabled, the next time you login, your token will be registered (Mid-term we'll have a proper identity management solution which will make registration on the shell obsolete. Note that CAS operates on the readonly LDAP replicas, so it might take up to two minutes minutes until the LDAP change is affective.

Known issues / FAQ

External link