Authentication

Cascade CMS can authenticate users natively, through an external LDAP server, or via custom authentication.

Overview

Cascade CMS is equipped to handle three types of user authentication:

  • Normal authentication (default) - Authentication is handled natively by Cascade CMS.
  • LDAP authentication - Cascade CMS delegates authentication to an external LDAP server (e.g. Active Directory, OpenLDAP).
  • Custom authentication - Cascade CMS provides an authentication API that lets developers hook into third-party authentication/single sign-on systems (e.g. Kerberos, Shibboleth, CAS).

Normal Authentication

With normal authentication, users enter their usernames and passwords on the login screen and Cascade CMS authenticates them against their encrypted credentials stored in the database.

User accounts must be created for each user before they can access the system. This is accomplished manually in the Administration menu or can be done programmatically via the Web Services API.

It is also possible to import users' usernames, emails, full names, and group/role memberships from an LDAP server but use Cascade CMS's built-in facilities to authenticate the users.

LDAP Authentication

Users can also be set to authenticate against an existing LDAP server such as Active Directory or OpenLDAP. Using LDAP allows users and passwords to be centrally managed and then synced to Cascade CMS.

The system still requires a user record in the database for each user so that their preferences and group and role memberships can be maintained. However, only the DN (Distinguished Name) of the user, and not the password, is stored in the database.

When the user attempts to log in, the supplied username is used to retrieve the DN of the user. The system then attempts to bind to the LDAP server using that DN and the supplied password. The user is authenticated if the bind succeeds.
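The lookup-then-bind flow just described, as an added example written for this page rather than Cascade CMS code. The directory is an in-memory stand-in that only models simple binds, the `enabled` flag on the user record and the empty-password rejection are assumptions (the latter guards against the LDAP unauthenticated bind, which a server may report as successful), and all usernames, DNs and passwords are constructed sample data.

```python
# Constructed sample data: the CMS-side user records hold the DN but no
# password; the directory holds the password and answers bind requests.
USER_RECORDS = {
    'alice': {'dn': 'uid=alice,ou=people,dc=example,dc=com', 'enabled': True},
    'bob':   {'dn': 'uid=bob,ou=people,dc=example,dc=com',   'enabled': False},
}


class InMemoryDirectory:
    """Stand-in for an LDAP server (assumption: only simple binds are modelled)."""

    def __init__(self, passwords):
        self.passwords = passwords  # {dn: password}

    def bind(self, dn, password):
        # Mirrors RFC 4513 section 5.1.2: a DN with an empty password is an
        # *unauthenticated* bind, which a server may accept as anonymous and
        # report as success. A login that trusts any successful bind is fooled.
        if password == '':
            return True
        return self.passwords.get(dn) == password


DIRECTORY = InMemoryDirectory({
    'uid=alice,ou=people,dc=example,dc=com': 'correct horse',
    'uid=bob,ou=people,dc=example,dc=com': 'battery staple',
})


def authenticate(records, directory, username, password):
    """Return the user's DN on a successful login, None otherwise."""
    # 1. Reject empty passwords *before* contacting the server, so an
    #    unauthenticated bind can never be mistaken for a login.
    if not password:
        return None
    # 2. Resolve the DN from the locally stored record (no password there).
    record = records.get(username)
    if record is None or not record['enabled']:   # 'enabled' is an assumption
        return None
    # 3. Bind as the user; the directory, not the CMS, verifies the password.
    return record['dn'] if directory.bind(record['dn'], password) else None
```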

Custom Authentication

Cascade CMS exposes an authentication API that lets developers hook into third-party authentication and single sign-on (SSO) frameworks. Developers can redirect the browser to custom login and logout screens, implement the logic that supplies the name of the user for Cascade CMS to authenticate, and implement the logic that logs the user out.

In addition, users can be redirected to a custom error screen if authentication fails. An auth-error parameter is appended to the forwarding URL with the reason for the error, such as the user not existing or not being enabled in Cascade CMS.

Please visit our custom authentication API project on GitHub to learn more about developing authentication modules. Also check out our examples project to see working implementations of custom authentication using various technologies, including CAS and Shibboleth.