Settings

None of these settings are required, and all have sane defaults, but they may be used to customize behavior and improve security.

django.conf.settings.MAMA_CAS_ALLOW_AUTH_WARN
Default: False

If set, allows the user to control transparency of the single sign-on process. When enabled, an additional checkbox will be displayed on the login form.

django.conf.settings.MAMA_CAS_ATTRIBUTE_CALLBACKS
Default: ()

A tuple of dotted paths to callables that each provide a dictionary of name and attribute values. These values are merged together and included with a service or proxy validation success. Each callable is provided the authenticated User and the service URL as arguments. For example:

# In settings.py
MAMA_CAS_ATTRIBUTE_CALLBACKS = ('path.to.custom_attributes',)

# In a convenient location
def custom_attributes(user, service):
    return {'givenName': user.first_name, 'email': user.email}

Two callbacks are provided to cover basic use cases and serve as examples for custom callbacks:

mama_cas.callbacks.user_name_attributes
Returns name-related fields using get_username(), get_full_name() and get_short_name().
mama_cas.callbacks.user_model_attributes
Returns all fields on the user object, except for id and password.

Warning

This setting has been deprecated in favor of per-service configuration with MAMA_CAS_SERVICES.

django.conf.settings.MAMA_CAS_ENABLE_SINGLE_SIGN_OUT
Default: False

If set, causes single logout requests to be sent to all accessed services when a user logs out. It is up to each service to handle these requests and terminate the session appropriately.

Note

By default, the single logout requests are sent synchronously. If requests-futures is installed, they are sent asynchronously.

Warning

This setting has been deprecated in favor of per-service configuration with MAMA_CAS_SERVICES.

django.conf.settings.MAMA_CAS_FOLLOW_LOGOUT_URL
Default: True

Controls the client redirection behavior at logout when the service parameter is provided. When this setting is True and the parameter is present, the client will be redirected to the specified URL. When this setting is False or the parameter is not provided, the client is redirected to the login page.

django.conf.settings.MAMA_CAS_SERVICE_BACKENDS
Default: ['mama_cas.services.backends.SettingsBackend']

A list of paths to service backends.

django.conf.settings.MAMA_CAS_SERVICES
Default: []

A list containing all allowed services for the server. Each list item is a dictionary containing the configuration for each service. For example:

MAMA_CAS_SERVICES = [
    {
        'SERVICE': r'^https://[^\.]+\.example\.com',
        'CALLBACKS': [
            'mama_cas.callbacks.user_name_attributes',
        ],
        'LOGOUT_ALLOW': True,
        'LOGOUT_URL': 'https://www.example.com/logout',
        'PROXY_ALLOW': True,
        'PROXY_PATTERN': r'^https://proxy\.example\.com',
    }
]

The following configuration options are available for each service:

SERVICE

A Python regular expression that a given service identifier is tested against. This option is required.

CALLBACKS

A list of dotted paths to callables that each provide a dictionary of name and attribute values. These values are merged together and included with a service or proxy validation success. Each callable is provided the authenticated User and the service URL as arguments. Defaults to [].

Two callbacks are provided to cover basic use cases and serve as examples for custom callbacks:

mama_cas.callbacks.user_name_attributes
Returns name-related fields using get_username(), get_full_name() and get_short_name().
mama_cas.callbacks.user_model_attributes
Returns all fields on the user object, except for id and password.

LOGOUT_ALLOW

A boolean setting to determine whether single log-out requests are sent for this service. Defaults to False.

LOGOUT_URL

A URL that will be used for a single log-out request for the service. If not specified, the service URL will be used instead. Defaults to ''.

PROXY_ALLOW

A boolean setting to determine whether proxy requests are allowed for this service. Defaults to True.

PROXY_PATTERN

A Python regular expression that the provided pgtUrl is tested against to determine whether it is allowed to make proxy requests. Defaults to ''.
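
A SERVICE or PROXY_PATTERN regex that only has a leading ^ does not say where the host name ends, so it can accept more URLs than intended. The following added example (not part of the mama-cas documentation or code) runs the patterns from the MAMA_CAS_SERVICES example and a tightened variant against constructed probe URLs; the tightened patterns, the probe URLs and the audit() helper are assumptions made for illustration.

```python
import re

# SERVICE and PROXY_PATTERN exactly as in the MAMA_CAS_SERVICES example.
AS_DOCUMENTED = [{
    'SERVICE': r'^https://[^\.]+\.example\.com',
    'PROXY_PATTERN': r'^https://proxy\.example\.com',
}]

# Assumed tightening (not from the mama-cas docs): host label limited to
# hostname characters, and the host must end at ':port', '/' or end of string.
TIGHTENED = [{
    'SERVICE': r'^https://[a-z0-9-]+\.example\.com(?::\d+)?(?:/|\Z)',
    'PROXY_PATTERN': r'^https://proxy\.example\.com(?::\d+)?(?:/|\Z)',
}]

# Constructed probe URLs: (url, should the pattern accept it?)
PROBES = {
    'SERVICE': [
        ('https://app.example.com/login', True),
        ('https://app.example.com', True),
        ('http://app.example.com/login', False),              # wrong scheme
        ('https://app.example.com.other.test/login', False),  # host continues
        ('https://app.example.community/', False),            # longer TLD
        ('https://localhost/x.example.com', False),           # match ends in path
    ],
    'PROXY_PATTERN': [
        ('https://proxy.example.com/callback', True),
        ('https://proxy.example.com.other.test/callback', False),
    ],
}

def audit(services, probes=PROBES):
    """Return (option, url) for every probe the regex decides wrongly."""
    findings = []
    for service in services:
        for option, cases in probes.items():
            pattern = service.get(option)
            if not pattern:
                continue
            # Assumption: mama-cas applies the pattern like re.match(), i.e.
            # anchored at the start of the URL but not at the end.
            regex = re.compile(pattern)
            findings += [(option, url) for url, expected in cases
                         if bool(regex.match(url)) != expected]
    return findings

if __name__ == '__main__':
    for label, services in (('as documented', AS_DOCUMENTED), ('tightened', TIGHTENED)):
        print(label, audit(services))
```

Running the same probes against your own MAMA_CAS_SERVICES entries before deployment catches patterns that accept more hosts than intended.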

django.conf.settings.MAMA_CAS_TICKET_EXPIRE
Default: 90

Controls the length of time, in seconds, between when a service or proxy ticket is generated and when it expires. If the ticket is not validated before this time has elapsed, it becomes invalid. This does not affect proxy-granting ticket expiration or the duration of a user’s single sign-on session.

django.conf.settings.MAMA_CAS_TICKET_RAND_LEN
Default: 32

Sets the number of random characters created as part of the ticket string. It should be long enough that the ticket string cannot be brute forced within a reasonable amount of time. Longer values are more secure, but could cause compatibility problems with some clients.

django.conf.settings.MAMA_CAS_VALID_SERVICES
Default: ()

A list of valid Python regular expressions that a service URL is tested against when a ticket is validated or the client is redirected. If none of the regular expressions match the provided URL, the action fails. If no valid services are configured, any service URL is allowed. For example:

MAMA_CAS_VALID_SERVICES = (
    r'^https?://www\.example\.edu/secure',
    r'^https://[^\.]+\.example\.com',
)

Warning

This setting has been deprecated in favor of MAMA_CAS_SERVICES.

django.conf.settings.MAMA_CAS_LOGIN_TEMPLATE
Default: 'mama_cas/login.html'

A path to the login template to use. Make sure Django can find this template using normal Django template discovery rules.

django.conf.settings.MAMA_CAS_WARN_TEMPLATE
Default: 'mama_cas/warn.html'

A path to the warning template to use. Make sure Django can find this template using normal Django template discovery rules.