You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org
CAS-SSO/Administration
< CAS-SSO
Jump to navigation
Jump to search
Revision as of 14:22, 30 March 2020 by imported>Muehlenhoff (API endpoints)
Stub page with information on how to debug/handle Apereo CAS as deployed by the Wikimedia Foundation.
Icinga
$vhost requires authentication
This icinga check is in place to ensure protected sites correctly redirect and unauthenticated connection back to https://idp.wikimedia.org. You can run the check manually from icinga with the following command. (use the -v switch to increase verbosity)
icinga1001 ~ $ # test cas-icinga.wikimedia.org
icinga1001 ~ $ IP=208.80.154.84
icinga1001 ~ $ VHOST=cas-icinga.wikimedia.org
icinga1001 ~ $ URI=/icinga
208 ~ % /usr/lib/nagios/plugins/check_http -I ${IP} -H ${VHOST} -e 'HTTP/1.1 302' -d 'ocation: https://idp.wikimedia.org/login' -S -u ${URI}
HTTP OK: Status line output matched "HTTP/1.1 302" - 604 bytes in 0.005 second response time |time=0.004526s;;;0.000000;10.000000 size=604B;;;0
common things to check
- the
-u
switch points to the correct protected uri - The check is hitting the correct vhost
- mod_auth_cas is correctly installed and configured
To debug mode_auth_cas update the vhost to have Loglevel debug
& CASDebug On
API endpoints
The ssoSessions endpoint exports a JSON description of current sessions, restricted to access from the IDP hosts (currently disabled):
curl https://idp.wikimedia.org/api/ssoSessions?type=ALL