From Wikipedia:

The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to log into multiple applications simultaneously and automatically. It also allows untrusted web applications to authenticate users without gaining access to a user’s security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.

wpCAS integrates WordPress or WordPressMU into an established CAS architecture, allowing centralized management and athentication of user credentials in a heterogeneous environment. Authorization of that user’s capabilities is based on native WordPress settings and functions. CAS only authenticates that the user is who s/he claims to be.

Read more, including installation instructions, in the WordPress Plugins Directory.

What happens when users attempt to login?

Users who attempt to login to WordPress are redirected to the central CAS sign-on screen. After the user’s credentials are verified, s/he is then redirected back to the WordPress site. If the CAS username matches the WordPress username, the user is recognized as valid and allowed access.

If the CAS user does not have an account in the WordPress site, an administrator defined function can be called to provision the account or do other actions. By default, CAS users without WordPress accounts are simply refused access.

Can this plugin provision users in WordPress who are authenticated via CAS?

wpCAS makes allows you to call a function to do that, but each environment is different; each environment probably needs its own solution for this. I’ll post the script I use for that soon.

Download & installation

The plugin is hosted in the WordPress Plugins Directory. Look there for download and installation instructions.

Hey, isn’t that…?

This plugin is based in huge part on Stephen Schwink‘s CAS Authentication plugin and would be a lot different if I couldn’t lean on Stephen’s excellent work. My primary reasons for branching (under the the terms of the GPL) were that I wanted it to work better with WPMU. And, I needed an easier way to hook-in functions to provision users and wanted to do that while also making it easy to upgrade using SVN (thus the config file).

53 Responses to “wpCAS”

  1. Hi Casey – great work on the plugin, got it working first time on a standalone WP installation and looking at implementing it across our some of our WMPU setup, but need to work a bit on managing users. Have you got any examples of provisioning for new users (ie creating a new user in WP if they are authenticated on CAS) or maybe translating some authenticated users to a generic user (one already set up on WP?)

  2. @Paul H:

    Your comment kicked me into gear and I just added an example that’s basically what I use. It’s now included with the download and SVN, you can browse it on Trac here:


    Glad you find it useful.

  3. Hi Casey, great work.
    Let me suggest a little improvment. I’ve found that the “redirect” works better if you modify wpcas.php as follow:

    if ( $user = get_userdatabylogin( phpCAS::getUser())){ // user already exists
    // the CAS user has a WP account
    wp_set_auth_cookie( $user->ID );
    // Standard redirect
    if( isset( $_REQUEST['redirect_to'] )) {
    wp_safe_redirect( $_REQUEST['redirect_to'] );
    // Default redirect to the admin home page
    //wp_safe_redirect( admin_url() );
    wp_safe_redirect( ‘/wp-admin/’ );

    I hope this helps,

  4. Hi Man,

    Can we install multiblogs with your: wpCAS plugin ?

    With regards,


  5. @Alex: It’s compatible with WordPress MU. Does that help?

  6. Hi,
    Thx for the plugin. I’ve a question :
    whith CAS what is the best solution to transform the admin in a CAS user.
    I’ve try to change the name in the database but it’s not sufficient, i must put my login in the function wpmu-functions.php like this : if ($user_login === ‘me’) {return true;} (from : http://www.andrejciho.com/wordpress-mu/wpmu-cas-integration/ )
    Thank you

    • @balecan:
      My suggestion is to turn one (or more) of your CAS users into an admin. In WPMU that means going to your WPMU Site Options (site.net/wp-admin/wpmu-options.php) and entering in the user name in the Site Admins field.

  7. I’ve come across a little issue when using the wpcas-conf.php file with WordPressMU:

    1) wp-settings.php loads the modules from wp-content/mu-plugins/ using opendir() and readdir(), not necessarily in alphabetical order (not sure what it goes by). There’s no guarantee that the wpcas-conf.php file is read before or after the wpcas.php file. In our case it does read it prior to the wpcas.php file with an “include_once”.

    2) Then the wpcas.php file tries to include the wpcas-conf.php file again with a simple “include”. This crashed the execution of wpcas.php without further notice in PHP 5.2.6.

    I’ve changed the “include” to “include_once” in wpcas.php and it works fine now.

  8. With 1.04 and 1.05, we have found that users cannot alter their own profiles, at least with WP 2.7. It turns out that user-edit.php clears out the value of pass1 when the document finishes loading so users get presented with these when they submit their changes:
    ERROR: You entered your new password only once.
    ERROR: Please enter the same password in the two password fields.

    I’ve had more luck not even having show_password_fields() put in pass1 and pass2 input fields, and generating a random password with the check_passwords() hook.

  9. Spoke too soon, my old way doesn’t compensate for the clearing. Do you have any suggestions?

  10. @Ben:
    Yeah, I created that bug while trying to fix another[1]. I’ll see what I can do.

    [1:] http://plugins.trac.wordpress.org/changeset/80423/wpcas/trunk/wpcas.php

  11. HI Mr Bisson,

    thank you for the wpcas great plugin, i’ve a question:
    i am implementing your plugin with my wpmu and cas server, but the problem is when a search engine(google) search the content of my site it did not show, i cannot verify the google webmaster with them and they said it because my wpmu blog are redirecting to cas server and go back to the blog and the blog header always redirect to cas server header you can look it here http://web-sniffer.net/?url=http%3A%2F%2Fblog.binusian.org&submit=Submit&http=1.1&type=GET&uak=0, here is the forum http://www.google.com/support/forum/p/Webmasters/thread?tid=19df421f463b942a&hl=en -> Question: verification failed on wpmu . Does your plugin always redirect to the cas server even the user did not login ? or i have to custom the wpcas like http://www.andrejciho.com/wordpress-mu/wpmu-cas-integration/#before



  12. hi ,

    i think i have fixed the problem, before i use wpcas plugin 1.03 and i changes it to 1.05 , copy the CAS.php and CAS folder that consist of client.php, domxml-php4-php5.php , languages and PGTStorage to/wp-content/mu-plugins/wpcas but i got this error when i tried to login to wp-login
    wpCAS plugin not configured
    then i comment wpcas.php line 57 -> /*$wpcas_options['server_path'] == ” ||*/
    and i manage to login and googlebot manage to crawling the website http://web-sniffer.net/?url=http%3A%2F%2Fblog.binusian.org&submit=Submit&http=1.1&type=GET&uak=0. Thank you,



  13. adityo, I had the same problem turns out I didn’t have pear:DB installed.

    Now I am getting the following error:

    [Thu Apr 09 08:02:34 2009] [error] [client] PHP Warning: DOMDocument::loadXML(): Empty string supplied as input in /opt/blogs/wordpress-mu/wp-content/plugins/wpcas/domxml-php4-php5.php on line 42

    I have verified that I have a valid CAS ticket.
    The function on line 42 is domxml_open_mem($str) and only places this function is called:

    client.php: if ( !($dom = domxml_open_mem($text_response))) {
    client.php: phpCAS::trace(‘domxml_open_mem() failed’);
    client.php: if ( !($dom = @domxml_open_mem($cas_response))) {
    client.php: phpCAS::trace(‘domxml_open_mem() failed’);
    client.php: if ( !($dom = domxml_open_mem($text_response))) {


  14. I figured out the problem. After sniffing the traffic I realized that the CAS admin gave me the wrong path (1..0). I corrected the path and now CAS authenticated me! Thanks for a great module.

    • “CAS admin gave me the wrong path (1..0)”

      The wrong path to what? CAS.php. I’m getting the same error “wpCAS plugin not configured” with a MU install. I’ve moved CAS and it dirs around, changed the wpcas-conf several times with no luck.

  15. @Ben Stoutenburgh:

    1.06 fixes the problem with editing a user’s profile.


  16. I’m having trouble with 1.06.

    I think the problem is the new die() command on line 105 of wpcas.php. It looks like you meant for it to go with the if statement on line 103, but you forgot to add brackets to the if statement.

  17. We are using your library and after login it is returning to the wp-login.php it gives just a blank screen. If I remove the wp-login.php it takes me to the main blog page and I am authenticated. If I disable the plugin, it redirects correctly but of course without the cas login. Do you have any idea of what could be going wrong? Also, what is the simplest way to change the cas/logout?url=http://example.com/blogs to be cas/logout?service=http://example.com/blogs ? When enabled on the CAS server, this will enable the logout to send you back to the blog unauthenticated. The plugin is really nice other than these 2 things. Well done!

    • @Sherwon Harris: I just released a new version that should fix that bug. Please share feedback either way.

      I like your logout suggestion. I’ll try to integrate that in the next version.

  18. Hello,

    I would like to know if anyone tried to mix the CAS and the basic WordPress authentication.

    I have this need but don’t know how to do … please help.

    Thanks by advance.

  19. Hi,
    ( first, sorry for my poor english, I’m french )

    I’ve tested your plugin for a few days and I like it. I just want to know where I can subscribe to be alerted when a new version is available. Comments RSS on this page ?



  20. Hi,,
    i did as described in the installation manual, but I don’t get it running. I get this error message: “Class ‘phpCAS’ not found”. It looks like the include of the CAS.php is missing. But adding an include causes this error: “phpCAS error: phpCAS::isAuthenticated(): this method should not be called before phpCAS::client() or phpCAS::proxy()”. I think I am missing something, but don’t know what…



  21. Sry, forgot to mention that i meant the provisioning-example.php ;-)

  22. Could someone post an example of a working directory structure for phpCAS and wpCAS? The install instructions for MU say to place the wpcas.php and wpcas-conf.php in wp-content/mu-plugins/. I cant see that this has any effect other than when they are in mu-plugins only and not plugins the wpCas isnt listed as an installed plugin.

  23. Hi,

    For me the plugins in the mu-plugins folder is not displayed on the WP admin interface. In this folder, all the plugins are activated. But I agree it’s not easy to know if all a plugins works fine.

    I have :

    don’t forget to configure path to CAS.php in wpcas-conf.php

    Best regards,

    • Thanks Neoh thats helpful.

      I have everything in:


      Still not sure what the value of the wp-content/mu-plugins is? Oh well, i got it working.

      Thanks again.

  24. What is the latest version people have gotten this to work on ?

  25. While trying to get the original cas-authentication plugin to work, I came across your plugin. I’m trying to configure it on 2.9.1 and am having problems with user-new.php. It looks like the password fields are getting cleared again? I’m not super familiar with all the hooks, so I don’t know if there’s one that could write the random password later in the process after the page clears the values. Or maybe it’s just a problem on my site. Could it have anything to do with the password strength checker? Any help is greatly appreciated, and thanks for all the work you’ve already done!

  26. This is working on 2.9.1 for me. I modified to wpcas_nowpuser function to automatically create a new user account in wpcas-conf.php:
    function wpcas_nowpuser( $user_name ){
    $mail_suffix = ‘@mail.gatech.edu’;
    $default_role = ‘administrator’; // or ‘adminsitrator’/'editor’/'contributor’/'subscriber’
    require_once(ABSPATH . WPINC . ‘/registration.php’);

    /* Create a new user account */
    $user_id = username_exists( $user_name );
    if ( !$user_id ) {
    $user_email = $user_name.$mail_suffix; // generate email string
    $random_password = wp_generate_password( 12, false );
    $user_id = wp_create_user( $user_name, $random_password, $user_email );
    $user = new WP_User($user_id);
    wp_redirect( site_url( ‘/wp-admin/’ ));
    } else {
    // $random_password = __(‘User already exists. Password inherited.’);
    die(‘Something went horribly wrong. Maybe I am a teapot?’);

  27. I had exactly the same problem as Ben Stoutenburgh: creating new users in the admin interface failed because of the Javascript-blanked pass1 hidden input. So, I decided to fix it in a more elegant way. I have taken out the hidden fields and added an action to set a random password when the form is submitted.

    === modified file ‘wpcas.php’
    — wpcas.php 2010-03-24 23:50:59 +0000
    +++ wpcas.php 2010-03-25 02:16:13 +0000
    @@ -81,8 +81,13 @@
    add_action(‘password_reset’, array(‘wpCAS’, ‘disable_function’));
    add_filter(‘show_password_fields’, array(‘wpCAS’, ‘show_password_fields’));

    +add_action(‘check_passwords’, array(‘wpCAS’, ‘check_passwords’),10,3);
    class wpCAS {
    + function check_passwords($user, $pass1, $pass2) {
    + $random_password = substr( md5( uniqid( microtime( ))), 0, 8 );
    + $pass1=$pass2=$random_password;
    We call phpCAS to authenticate the user at the appropriate time
    (the script dies there if login was unsuccessful)
    @@ -90,7 +95,7 @@
    function authenticate() {
    global $wpcas_options, $cas_configured;
    if ( !$cas_configured )
    die( __( ‘wpCAS plugin not configured’, ‘wpcas’ ));

    @@ -136,15 +141,6 @@

    // hide password fields on user profile page.
    function show_password_fields( $show_password_fields ) {
    - if( ‘user-new.php’ basename( $_SERVER['PHP_SELF'] ))
    - return false;
    - $random_password = substr( md5( uniqid( microtime( ))), 0, 8 );
    -<input name="pass1" type="hidden" id="pass1" value="” />
    -<input name="pass2" type="hidden" id="pass2" value="” />
    return false;

  28. Hey I’m having some issues with the followup to the CAS login. Once I login to my cas server, I’m redirected back to site.com/wpmu/wp-login.php?ticket=TICKETSTRING, but it’s just showing a blank screen. Unlike Sherwin Harris who posted a similar error last year, if I go to the main blog page after this I am not authenticated.
    Any idea what’s up? Did I miss a config step somewhere?

    Currently using:
    RubyCAS for cas auth
    r221642 of wpcas.php
    v1.1.0 of phpcas by ja-sig
    v2.9.1.1 of WordPress MU

    • Found out what the issue was, didn’t have libcurl installed. Works fine now linux-side.
      New issues though are that phpCas fails to authenticate the user after a successful login after I tried to migrate the entire package to windows/IIS – while I know that at this point it’s outside of the realm of wpcas, anyone had any issues with this before?

  29. First, I love this plugin, thank you! Second, I know that WordPress 3.0 was only just released today but I’m wondering if anyone has tried it under 3.0 and/or if there are plans to update this plugin? This plugin would definitely be a show stopper for us if we couldn’t get it to run under 3.0.

    • wpCAS works with WordPress 3.0 — generate lots of errors in debug mode though. A better programmer than myself should probably fix that. I tried a little bit and was only able to get rid of a few of them.

  30. we are thinking about install the spCAS and is most concerned about the ability to set permissions on commenting in general. Can the comments in WordPress be set up so that users who are members of a certain group are allowed to comment directly while members who are in a different group must have their comments reviewed?

    • Pardon me for butting in… wpCAS only authenticates your users. How you create them is up to you and your ldap provisioning script and commenting system. It would be challenging to set this up, but not, I think, impossible. You would need to have some kind of table of groups, and add users to groups at time of provisioning (and manually for existing users, no doubt), then you’d need to check that table at comment post time. Good luck with that.

  31. wpcas needs to be modified to allow for a null server_path, to allow for a CAS server URL of (e.g.) https://server.xyz.edu/

  32. I am trying to install wpcas plugin, and I configured the plugin as follows for php-cas:
    CAS.php path ==> /Users/sbhatti/src/yoga-rails/public/cas/CAS.php
    server hostname ==> localhost
    server port ==> 443
    server path ==> /cas
    I installed php-cas under /cas root. However, when I try to login in wordpress, it directs me to

    which does not exist. Appreciate any help.

  33. Hi there. I got the latest version of the plugin working with WordPress 3.0.1. The authentication works well, there’s just one small issue. The password reset fields are no longer available from the edit user profile page. If I uninstall the plugin, the fields are once again visible. Is this a known feature that I need to make a configuration change for? I’m a java programmer with zero php experience, so I haven’t tried to debug the php code.

  34. Hi Casey,
    Thanks for your great work.
    I ‘m using wpcas with a WPMU install (3.0.1) with domains (i.e. the domain is blogs.laclasse.com, and the system creates blogs under this domain : mybeautifulbolg.blogs.laclasse.com, for example). The system works perfectly ! It creates users, blogs end gives roles on the fly, with my provisionning php file.
    I ‘ve seen a problem with login/logout, when I want to do this from ‘mybeautifulbolg.blogs.laclasse.com’ : this does not redirect to my CAS server, however the login/logout works perfectly on ‘blogs.laclasse.com’.

    How can I activate wpCAS on sub-domains ? Did I miss something ?

    • Ouch ! Sorry for this dummy question ! I just had to activate wpCas Plugins on the network, and not only on the first blog…
      Thanks for this plugin which works fine.

      I have a complete provisionning php system which creates users and/or blogs if needed, with default parameters for each. If someone is interested I can publish some functions. This is working with CAS2 cleint (wiich send others attributes than only ‘user’ attribute).

  35. Single sign out and WordPress

    phpCAS version 1.1.3
    wpcas version 1.07
    Wordpress version 3.0.1

    I’m adding WordPress to a site that uses CAS single sign on/out. Everything works well except signal sign out from WordPress. If I open two pages/tabs in the browser and logout from one (a java portlet page) the CAS server sends out the logout request to all logged in clients. I catch this in wpcas with a call to phpCAS::handleLogoutRequests which handles the logout request, here’s some of the phpCAS::trace

    D8FD .START phpCAS-1.1.3 ****************** [CAS.php:471]
    D8FD .=> phpCAS::client(’2.0′, ‘cas.internal’, 443, ‘/cas/’, true) [wpcas.php:71]
    D8FD .| => CASClient::CASClient(’2.0′, false, ‘cas.internal’, 443, ‘/cas/’, true) [CAS.php:374]
    D8FD .| <= ''
    D8FD . include_once(‘/var/www/20101108_1300_blog/wp-content/plugins/wpcas/wpcas.php’) [wp-settings.php:175]
    D8FD .| => CASClient::handleLogoutRequests(true, array ( 0 => ‘cas.internal’, 1 => ’′,)) [CAS.php:1041]
    D8FD .| | Logout requested
    D8FD .| | SAML REQUEST: @NOT_USED@ST-538-LvawXr7BrxeSeUtxxvz3-cas
    D8FD .| | Client:
    D8FD .| | Allowed client ‘cas.internal’ does not match
    D8FD .| | Allowed client ’′ matches, logout request is allowed
    D8FD .| | Ticket to logout: ST-538-LvawXr7BrxeSeUtxxvz3-cas
    D8FD .| | Session id: ST538LvawXr7BrxeSeUtxxvz3cas
    D8FD .| | exit()
    D8FD .| | -
    D8FD .| -

    Even though ‘handleLogoutRequests’ clears the cookies on the server, because it’s not returning to the client in that call, the client still has it’s cookies set, and subsequent calls to the server from that browser, send these cookies back in the headers. WordPress uses the cookies to authenticate the client, and so it remains logged in.

    If anyone has any ideas, or has this already working, I would be interested in your views and/or opinions.

  36. Hello! Thanks for the plugin!
    With the new version of CAS 1.2.2, it is needed that the phpCAS::client call would specify “false” for session creation, here’s the patch that works for me (around line 66):

    if ($cas_configured) {
    false); <— LINE 66, add "FALSE", phpCAS do not let phpcas do start_session

    // function added in phpCAS v. 0.6.0
    // checking for static method existance is frustrating in php4

  37. hey!
    i’ve useing wpcas in wordpress 3.3.1 with extranet and have some trouble with authentication with frontend proxy service.

    if i add the “false” in wpcas-w-ldap.php i ran into a redirect loop of wp-login.php and could not authenticate proper.

    if’ve added ip-ranges for public and cas auth required access. (apache mod_auth_cas)

    on the publicip-access side i can sucessfull login to apache site with cas.
    when i login to wordpress (using cas) i also get into a wp-login.php loop ;-(

    this all had worked in wordpress 3.3.0 – the problem comes with 3.3.1.
    i know in 3.3.1 some security relevated issues depanding redirects have been fixed…

    any ideas??


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre lang="" line="" escaped="" highlight="">