Central Authentication Service (CAS)

Minimum version required

Most of the directives described in this document require EZproxy 3.6d GA (2006-03-17) or later.

The original CAS support appeared in EZproxy 3.4c GA (2005-08-02) and is documented toward the end of this page.


To enable Central Authentication Service (CAS), edit user.txt/ezproxy.usr and add lines similar to:

LoginURL http://www.yourlib.org/cas/login
ServiceValidateURL http://www.yourlib.org/cas/serviceValidate

By default, the use of CAS disables EZproxy's normal login methods, including the presentation of the login menu.

This form also supports the general directives Admin, Allow, Authenticated, Banner, Debug, Deny, Group, Invalid, NoGroups, Refused, Stop, Unknown, User, and UsrVar, plus a specialized version of Test to check tag values using an XPath to specify the tag to check. For example:

LoginURL http://www.yourlib.org/cas/login
ServiceValidateURL http://www.yourlib.org/cas/serviceValidate
Group NULL
Test -RE cas:group (Undergrad|Grad); Group +Student
Test //*/cas:group Employees; Group +Employee
Test /cas:authenticationSuccess/cas:groups/cas:group Staff; Group +Staff
NoGroups; Deny unaffiliated.html

For this example to work, config.txt/ezproxy.cfg would need to default the Student, Employee, and Staff groups as well.

The Debug directive tells EZproxy to record additional diagnostic messages to messages.txt/ezproxy.msg. This includes recording the entire XML response from the Service Validation URL, which can help in sorting out which attributes are available to use for making authentication decisions.

In all three tests, the tag cas:group is being tested. The first and second tests use an identical search to locate tags, as EZproxy assumes a search from the root across all nodes if no path infomation is included. The third test uses an absolute path to the tag.

Original CAS support

CAS support was first added in EZproxy 3.4a GA (2005-08-02) or later. That original syntax is still supported and is entered in user.txt/ezproxy.usr similar to this:


changing the URLs to point to your institution's CAS login and service validate URLs.