None of these settings are required, and all have sane defaults, but they may be used to customize behavior and improve security. Note that some of these settings alter stock CAS behavior.


If set, allows the user to control transparency of the single sign-on process. When enabled, an additional checkbox will be displayed on the login form.


If single sign-out is enabled and gevent is installed, this setting limits the concurrency of requests sent for a logout event. If the number of requests reaches this limit, additional requests block until there is room. Setting this value to zero disables this limiting.


A tuple of dotted paths to callables that each provide a dictionary of name and attribute values. These values are merged together and included with a service or proxy validation success. Each callable is provided the authenticated User and the service URL as arguments. For example:

# In

# In a convenient location
def custom_attributes(user, service):
    return {'givenName': user.first_name, 'email': user.email}

Two callbacks are provided to cover basic use cases and serve as examples for custom callbacks:

Returns available name related fields using get_username(), get_full_name() and get_short_name().
Returns all fields on the user object, except for id and password.

If set, causes single sign-out requests to be sent to all accessed services when a user logs out. It is up to each service to handle these requests and terminate the session appropriately.


By default, the single sign-out requests are sent synchronously. If gevent is installed, they are sent asynchronously.


Controls the client redirection behavior at logout when the url (CAS 2.0) or service (CAS 3.0) parameter is provided. When this setting is True and one of these parameters is present, the client will be redirected to the specified URL. When this setting is False, the client will be redirected to the login page. When url is present, the login page will then display the provided URL as a recommended link to follow.

If neither parameter is specified, or the provided value is not a valid service URL, the client will be redirected to the login page.


Controls the length of time, in seconds, between when a service or proxy ticket is generated and when it expires. If the ticket is not validated before this time has elapsed, it will become invalid. This does not affect proxy-granting ticket expiration or the duration of a user’s single sign-on session.


Sets the number of random characters created as part of the ticket string. It should be long enough that the ticket string cannot be brute forced within a reasonable amount of time. Longer values are more secure, but could cause compatibility problems with some clients.


A list of valid Python regular expressions that a service URL is tested against when a ticket is validated or the client is redirected. If none of the regular expressions match the provided URL, the action fails. If no valid services are configured, any service URL is allowed. For example:


The url and service parameters are checked against this list of services at logout. If the provided URL does not match one of these regular expressions, it is ignored.
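The following is an added example, not code from the project, showing how the wording of an allowlist regex changes which service URLs pass. It assumes the URL is tested with `re.match` (anchored at the start only); the function names, patterns and URLs are constructed for illustration.

```python
import re

# Constructed patterns; example.com is a placeholder domain.
# Loose: dots are unescaped and nothing anchors the end of the host name.
LOOSE_SERVICES = [r'https://www.example.com']
# Strict: literal dots, and the host must be followed by a path or end of string.
STRICT_SERVICES = [r'^https://www\.example\.com(/.*)?$']

# Constructed sample URLs a validator might be asked about.
SAMPLE_URLS = [
    'https://www.example.com/app/',        # the intended service
    'https://www.example.com.other.test/', # intended host used as a prefix
    'https://wwwXexample.com/',            # "." in the pattern matches any character
    'http://www.example.com/',             # wrong scheme
]


def is_valid_service(url, patterns):
    """Return True if url matches any pattern (assumed re.match semantics).

    An empty list allows every URL, as the setting description states.
    """
    if not patterns:
        return True
    return any(re.match(pattern, url) for pattern in patterns)


def audit(patterns, urls):
    """Map each URL to the allow/deny decision under the given patterns."""
    return {url: is_valid_service(url, patterns) for url in urls}


def allowed(patterns, urls):
    """List only the URLs that would be accepted."""
    return [url for url, ok in audit(patterns, urls).items() if ok]


if __name__ == '__main__':
    for name, patterns in (('loose', LOOSE_SERVICES),
                           ('strict', STRICT_SERVICES),
                           ('empty', [])):
        for url, ok in audit(patterns, SAMPLE_URLS).items():
            print(f'{name:6} {"allow" if ok else "deny":5} {url}')
```

Running it shows the loose pattern accepting three of the four URLs, the strict pattern accepting only the intended one, and the empty list accepting all of them.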