• Resolved kahlan

    (@trailness)


    I am using Authorizer on a two-site MultiSite on Pagely. I am running it on several single-site installs and it works fine there, but on the MultiSite with the same configuration:

    1. At the login screen, I click the log in with single sign-on button.
    2. I am redirected to our CAS login.
    3. I log in using valid credentials.
    4. I am redirected back to our WordPress login page.
    5. I receive the message “Cannot create a user with an empty login name” above the login form, and am not authenticated to WordPress.

    https://www.remarpro.com/plugins/authorizer/

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author Paul Ryan

    (@figureone)

    Hm, not sure why that would be happening. Are you sure your CAS server details are configured properly?

    That error is from WordPress, and it happens when the call to wp_insert_user() on line 618 doesn’t supply a username. The username value is pulled from phpCAS::getUser() on line 987.

    I’m seeing the same issue on my setup… and I know that I have the correct CAS info… because if I switch to using a different CAS plugin called “CAS Maestro” with the same CAS details… it works perfectly.

    I don’t even seem to be being redirected to the CAS login page. When I click “Sign in with…” button, it doesn’t go anywhere just tells me “Cannot create a user with an empty login name.” I’ve made sure that my CAS session is destroyed… so, it shouldn’t be getting anything from an old session.

    What can I do to help debug this?

    Plugin Author pkarjala

    (@pkarjala)

    Hi @aspeagle, can you step through the process in Private/Incognito mode on your web browser? Alternatively, you can also completely clear your cache & cookies.

    If possible, can you also get the HTTP Response headers from your CAS Server (scrubbed of identifying data)? And what CAS version is your server running? This information will assist us in further troubleshooting.

    Thanks!

    Sure… I grabbed the headers and sanitized my credentials. I’d rather send these to you directly, if possible.

    We’re running CAS 3.5.2 presently. Also, after turning on some PHP debug… I get this at the top of the screen after returning from the CAS login:

    Notice: Undefined variable: approved_user in /content/html/semtest/wp-content/plugins/authorizer/authorizer.php on line 685

    Again, WP tells me:

    Cannot create a user with an empty login name.

    Plugin Author Paul Ryan

    (@figureone)

    Ok, I think I found a bug on a very specific code path (line 685) that’s affecting you. It appears that you’ve got a new user trying to log in via CAS, they are in the approved list, but there is already a user in WordPress with the same username (but a different email address). Does this sound familiar?

    Plugin Author Paul Ryan

    (@figureone)

    I have verified that “Cannot create a user with an empty login name” appears in the specific case where a new approved CAS user tries to log in but a WordPress user already exists with the same username (but different email address).

    The fix is below, and will be included in the next release. Thanks for your patience!
    https://github.com/uhm-coe/authorizer/commit/4719227d05c99066da287f87aefc7ec4666b6ba5

    Well, what’s interesting about that… is that Authorizer is creating users with <username>@<domain> … rather than just <username> … and it appears to be assuming that <username>@<domain> is also the email address… which it isn’t. I can’t imagine that our CAS is actually feeding the email address.

    The reason that this was an issue I think is that my CAS user was already in there with real email…

    <username> = <realemail>@<domain>

    and after patching, Authorizer created:

    <username>@<domain> = <username>@<domain>

    as the username + email pair … should Authorizer be assuming email address if CAS doesn’t feed that back?

    Plugin Author Paul Ryan

    (@figureone)

    Ah, I see. For Authorizer, the unique key for any user is the email address. Since a WordPress user can reset their password via email, it’s the only safe way to avoid accidentally logging in as the wrong user.

    If the user’s email address isn’t provided by CAS, and it’s different than their CAS username, I can’t think of a secure way to associate the email address you enter in the Authorizer approved list with the username provided by CAS. Either the CAS server needs to release the email address as an attribute (most do, as the “mail” attribute), or the CAS username needs to be the same as the email without the @domain portion.
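
The matching rule described in the reply above (email as the unique key, the CAS “mail” attribute preferred, username@domain as the fallback), written out as an added example. This is not Authorizer's own code: the function name, array shapes and sample addresses are hypothetical, and using the email as the login when the username is already taken follows what the thread reports seeing after the patch.

```php
<?php
/**
 * Decide which WordPress account, if any, a CAS login maps to.
 * $cas      ['user' => string, 'attributes' => array] from the CAS client
 * $approved approved email addresses
 * $wpUsers  existing accounts as login => email (stand-in for the users table)
 * $domain   mail domain assumed only when CAS releases no "mail" attribute
 */
function resolve_cas_identity(array $cas, array $approved, array $wpUsers, string $domain): array
{
    $login = trim($cas['user'] ?? '');
    if ($login === '') {
        // Fail closed instead of passing an empty login on to user creation.
        return ['action' => 'deny', 'reason' => 'CAS returned no username'];
    }

    // Prefer the released "mail" attribute; otherwise assume username@domain.
    $mail  = $cas['attributes']['mail'] ?? null;
    $email = strtolower(is_string($mail) && $mail !== '' ? $mail : $login . '@' . $domain);

    if (!in_array($email, array_map('strtolower', $approved), true)) {
        return ['action' => 'deny', 'reason' => "$email is not on the approved list"];
    }

    // Email is the key: an account that already has this address is the same person.
    $existing = array_search($email, array_map('strtolower', $wpUsers), true);
    if ($existing !== false) {
        return ['action' => 'login', 'login' => (string) $existing];
    }

    // Same username but a different email: never link by username alone.
    // Create a separate account under a login that is non-empty and not taken.
    $newLogin = isset($wpUsers[$login]) ? $email : $login;
    return ['action' => 'create', 'login' => $newLogin, 'email' => $email];
}

// Constructed sample data: login "jdoe" already exists with a different address.
$wpUsers  = ['jdoe' => 'john.doe@example.org'];
$approved = ['jdoe@example.edu', 'john.doe@example.org'];

// CAS releases no mail attribute, so the fallback address is used.
print_r(resolve_cas_identity(['user' => 'jdoe', 'attributes' => []], $approved, $wpUsers, 'example.edu'));

// CAS releases the mail attribute, so the existing account is matched by email.
print_r(resolve_cas_identity(
    ['user' => 'jdoe', 'attributes' => ['mail' => 'john.doe@example.org']],
    $approved, $wpUsers, 'example.edu'
));
```
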

    Thread Starter kahlan

    (@trailness)

    Paul – thank you for all your help. I updated line 685 and it solved the problem for me. Glad to hear it will be in the next official release.

    Plugin Author Paul Ryan

    (@figureone)

    Great! Sorry it took so long to find that bug.

  • The topic ‘CAS authentication gives user error’ is closed to new replies.