node package manager


Connect middleware for a node CAS client

Connect CAS

Connect cas is a connect-based middleware that allows you to authenticate through a CAS 2.0+ server. It supports the gateway auth, single sign-out, and proxying other CAS clients.

Adapted from

npm install connect-cas

Many of these options are borrowed from node's url documentation. You may set global options through the .configure() method or override them with any of the exposed middleware.

  • procotol The protocol to communicate with the CAS Server. Defaults to 'https'.
  • host CAS server hostname
  • port CAS server port number. Defaults to 443.
  • gateway Send all validation requests through the CAS gateway feature. Defaults to false.
  • paths
    • serviceValidate Path to validate TGT
    • proxyValidate Path to validate PGT (not implemented)
    • proxy Path to obtain a proxy ticket
    • login Path to the CAS login
var cas = require('connect-cas');
var connect = require('connect');
  .use(connect.cookieParser('hello world'))
  .use(connect.cookieSession()) // or whatever session store 

To proxy services, you can configure the serviceValidate middleware like below:

  .use(cas.serviceValidate({pgtUrl: '/pgtCallback'}))
  .use(cas.proxyTicket({targetService: 'https://service-to-proxy/blah'});

The proxy granting ticket value will be available in req.session.pgt and a hash of proxy tickets are available in You may then append that proxy ticket manually to the services you wish to proxy. To reuse the proxy tickets, see #25.

You may also pass in an absolute url if you wish for the pgtCallback to be in a separate app. If so, pass in an additional pgtFn:

.use(cas.serviceValidate({pgtUrl: '', pgtFn:function(pgtIou, cb){
  // given the pgtIou, retrieve the pgtId however you can.  Then call ...
  cb(err, 'PGT-thepgtid');
  • If you are behind an https proxy, be sure to set X-Forwarded-Proto headers. Connect-cas uses it to infer its own location for redirection.