Plugin to provide Login via Central Authentication Service (CAS) #598

Closed
anonymous-matomo-user opened this issue Mar 10, 2009 · 46 comments
Labels: Enhancement, worksforme

Comments

@anonymous-matomo-user

Single sign-on authentication would be useful when incorporating Piwik into existing environments already using CAS.
Keywords: third-party-plugin

@robocoder
Contributor

Probably depends on #551 to be fixed to implement CAS logout.

@robocoder
Contributor

Note: phpCAS depends on the PEAR DB package and there’s no indication if the developers will migrate to PEAR MDB2.

@anonymous-matomo-user
Author

Hi, I just finished writing a CAS plugin using phpCAS.

Is there interest in this work? I will be able to release this shortly.

@mattab
Member

mattab commented Apr 14, 2010

avel, I'm sure there is interest. Maybe post your plugin here, with a README and explaining the differences with this plugin. Thanks!

PS: does it work with the current trunk too? We made some changes in the Login plugin, and I'm not sure if this breaks other Login plugins or not.

@anonymous-matomo-user
Author

I'm not sure if it works with latest trunk, will need to test; it was developed on piwik 0.5.5.

I will post the plugin here in a couple of days. First I need to do some cleanups, make some things configurable and document the behavior I've chosen.

Regards,
Alexandros Vellis

@anonymous-matomo-user
Author

Attaching a "0.1" working package.

From the README:

User Provisioning Rationale

CASLogin currently authenticates users against the CAS service, but then
authorizes them to piwik according to the user configuration tables inside
piwik itself.

To make this work, first you need to make sure that the user that logs in
also exists in piwik user tables and has some rights to view or edit sites.

The superuser login value in piwik itself should also correspond to a proper
user in CAS.

So a way to make this work in new piwik installations is:

  • In main piwik configuration, set the "login" in [superuser] section to
    correspond to an actual CAS user.
  • Enable the CASLogin plugin (see "Installation" below).
  • Log in as the superuser. Go to Settings -> Users. Add a username (just
    the actual username is needed, other data can be left empty). And for that
    username, add some rights.

A further authorization and auto-provisioning mechanism can be written based
on specific SAML attributes or any other data. See "Further Customization,
Hacking" below.

Installation

  • Disable the "Login" plugin in administration panel.
  • Enable the "CASLogin" plugin.
  • In your main config/config.ini.php piwik configuration file, add a section that reads like this:
[caslogin]
protocol = SAML_VERSION_1_1
host = login.example.org
port = 443

Option "protocol" is one of CAS_VERSION_1_0, CAS_VERSION_2_0 or SAML_VERSION_1_1.

Further Customization, Hacking

If you want to grab some additional attributes, e.g. SAML, from your login
server, then you can edit the file Auth.php. Search for "Additional
Attributes", that's where they can be added to the session and made available
to piwik.

If you want a user to be added automatically to the piwik users database, edit
Auth.php and search for "User Autocreate". This is the place where you can
enable adding to the database and probably add some default ACLs later,
depending on specific SAML attributes or anything else you use in your CAS
solution. The superuser can add rights by hand, or you can choose to add
them at this step using the piwik API.

TODO

  • Coding style
  • Credit the authors of the plugins CASLogin was based on
  • Remove some duplicate functions
  • Allow more configurable provisioning
  • Make default login page somewhat more elegant
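
The README above separates authentication (CAS) from authorization (the piwik user tables) and leaves attribute-based auto-provisioning as a customization. The following is an added example of that decision logic, not code from CASLogin's Auth.php; the function name, the policy keys, the `memberOf` attribute and the group name are all hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not CASLogin's Auth.php. resolveAccess(), the policy keys,
// the "memberOf" attribute and the group name are hypothetical.

/**
 * CAS answers "who is this?"; the local user table answers "what may they do?".
 *
 * @param string $casUser       username returned by CAS ticket validation
 * @param array  $casAttributes released attributes (a value may be string or array)
 * @param array  $localUsers    login => ['sites' => [idsite => 'view'|'admin']]
 * @param array  $policy        keys: superuser, autocreate, required_group, default_sites
 */
function resolveAccess(string $casUser, array $casAttributes, array &$localUsers, array $policy): array
{
    // Never key a local account on an identifier of unexpected shape.
    // \A and \z are used because "$" would accept a trailing newline.
    if (!preg_match('/\A[A-Za-z0-9._@-]{1,100}\z/', $casUser)) {
        return ['decision' => 'denied', 'reason' => 'malformed username'];
    }

    // The [superuser] login must be an exact match for the CAS username.
    if ($casUser === $policy['superuser']) {
        return ['decision' => 'superuser'];
    }

    // Known user: rights are whatever an administrator granted locally.
    if (isset($localUsers[$casUser])) {
        $sites = $localUsers[$casUser]['sites'];
        return $sites === []
            ? ['decision' => 'denied', 'reason' => 'no site rights assigned']
            : ['decision' => 'user', 'sites' => $sites];
    }

    // Unknown user: create only if enabled AND the attribute gate passes,
    // and start from view-only rights on an explicit list of sites.
    $groups = (array) ($casAttributes['memberOf'] ?? []);
    if ($policy['autocreate'] && in_array($policy['required_group'], $groups, true)) {
        $sites = array_fill_keys($policy['default_sites'], 'view');
        $localUsers[$casUser] = ['sites' => $sites];
        return ['decision' => 'provisioned', 'sites' => $sites];
    }

    return ['decision' => 'denied', 'reason' => 'authenticated but not authorized'];
}

// Constructed sample data.
$policy = [
    'superuser'      => 'admin1',
    'autocreate'     => true,
    'required_group' => 'web-analytics',
    'default_sites'  => [1],
];
$localUsers = [
    'alice' => ['sites' => [1 => 'admin', 2 => 'view']],
    'bob'   => ['sites' => []],
];
$logins = [
    ['admin1', []],
    ['alice', []],
    ['bob', []],                                            // exists, but no rights yet
    ['carol', ['memberOf' => ['staff', 'web-analytics']]],  // passes the attribute gate
    ['dave', ['memberOf' => 'staff']],                      // authenticated, not authorized
    ["eve\n", []],                                          // malformed identifier
];
foreach ($logins as [$user, $attributes]) {
    $result = resolveAccess($user, $attributes, $localUsers, $policy);
    printf("%-8s %s\n", json_encode($user), json_encode($result));
}
```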

@anonymous-matomo-user
Author

Attachment:
CASLogin-0.1.tar.gz

@anonymous-matomo-user
Author

Perhaps a piwik developer could put this ticket in milestone "Third party piwik plugins" and rename it to "Login via CAS" so that it can get more exposure and feedback.

@anonymous-matomo-user
Author

I am attaching a new version 0.2.

Known Issue

When one tries to add a user in piwik tables in order to authorize them, one has to enter dummy data in "password" field (which is not used) and has to fill in an e-mail address too.

It's a minor inconvenience for the superuser who authorizes other users manually in piwik administration interface.

Changelog

0.2: Fixes and slight improvements

  • Added the config option "additional root logins"
  • Small bugfix in login template
  • Cleanups
  • Coding style fixes

Additional Options

By default, only the user defined in piwik configuration (config/config.ini.php) in the [superuser] section is regarded as a superuser / root administrator.

However, with the CAS Login scheme, you might need to add additional accounts as superusers, each one of them logging in as normal with their own password.

If you'd like to do that, add these accounts in section [caslogin] as follows:

additionalsuperusers[] = uid1
additionalsuperusers[] = uid2

Note for this ticket: why am I not allowing a simple username/password login against the piwik database, like the Login plugin does? Because that would require including an extra username/password form in the login page. Just for that one superuser. That's why I include only the link to CAS login and just authorize a superuser later in piwik.

Feedback is welcome.

@anonymous-matomo-user
Author

Attachment:
CASLogin-0.2.tar.gz

@anonymous-matomo-user
Author

I am attaching CASLogin 0.3, for anyone who might be interested. It has been in use in our environment for some weeks now, without any apparent issues.

Your feedback is still welcome.

Changelog

0.3:

  • Enabled single signout feature
  • Upgraded to phpCAS library 1.1.0RC8
  • Slightly modified phpCAS so as not to emit any PHP 5.3 warnings / deprecated messages.
  • Compatible with Piwik 0.6.x.
  • Allows use of CoreUpdater without signing in via CAS. (Fixed bug with endless loop redirects).

@anonymous-matomo-user
Author

Attachment:
CASLogin-0.3.tar.gz

@anonymous-matomo-user
Author

I am attaching CASLogin 0.4. There is a security update of the bundled phpCAS library, which is now version 1.1.2, and the plugin was briefly tested and confirmed to work with piwik 0.8.

@anonymous-matomo-user
Author

Attachment:
CASLogin-0.4.tar.gz

@anonymous-matomo-user
Author

Note about the security fixes of phpCAS 1.1.2: According to the Changelog:

  • Fix a session hijacking hole CVE-2010-2795 [PHPCAS-61] (Joachim Fritschi)
  • callbackurl in proxy mode should be urlencoded, possible XSS CVE-2010-2796 [PHPCAS-67] (Joachim Fritschi)

If you are using CASLogin in a production environment, you are urged to either upgrade the plugin or upgrade the bundled phpCAS library.

@anonymous-matomo-user
Author

Version 0.5, attached below, fixes a compatibility issue with Piwik 0.8.

@anonymous-matomo-user
Author

Attachment:
CASLogin-0.5.tar.gz

@robocoder
Contributor

I'll attempt to update this plugin later today. (I won't be able to test it though.)

The following security issues are addressed in phpcas 1.1.3:

  • CVE-2010-3690 phpCAS: XSS during a proxy callback [PHPCAS-80] (Joachim Fritschi)
  • CVE-2010-3691 phpCAS: prevent symlink attacks during a proxy callback [PHPCAS-80] (Joachim Fritschi)
  • CVE-2010-3692 phpCAS: directory traversal during a proxy callback [PHPCAS-80] (Joachim Fritschi)

Piwik 1.1 may have also introduced some compatibility issues as there are references to new view properties in the Login module's templates (eg enableFramedlogins).

@anonymous-matomo-user
Author

Attachment:
CASLogin-0.6.tgz

@anonymous-matomo-user
Author

Attachment:
CASLogin-0.6.2.tgz

@anonymous-matomo-user
Author

Version 0.6.2 now displays the good version in the piwik plugin interface.

@anonymous-matomo-user
Author

Maybe I'm missing something, but it appears that with the CAS plugin active, the "archive.sh" and other API based command line tools fail. Is there a way to flag the system so API calls and other administrative tasks do not have to authenticate with CAS?

Or maybe even a special array of usernames that can bypass CAS? Kind of like the way Unix allows you to step through various authentication methods until one works before rejecting a login?

@anonymous-matomo-user
Author

Hello,

I started using this plugin. It is really cool and works.
But there seems to be a problem with languages that include special characters. For example: If a User with an Umlaut like , , tries to log in via the CAS-Plugin, we get the following Error:

There is an error. Please report the message and full backtrace in the Piwik forums.

Warning: DOMDocument::loadXML(): Input is not proper UTF-8, indicate encoding !Bytes: 0xF6 0x67 0x65 0x72 in Entity, line: 14 in
/path/to/piwik/plugins/CASLogin/CAS/CAS/domxml-php4-to-php5.php on line 72

Backtrace -->
#0 Piwik_ErrorHandler(2, DOMDocument::loadXML(): Input is not proper UTF-8, indicate encoding !Bytes: 0xF6 0x67 0x65 0x72 in Entity, line: 14,
/path/to/piwik/plugins/CASLogin/CAS/CAS/domxml-php4-to-php5.php, 72, Array ([str] => <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess> <cas:user>user</cas:user> <!-- Begin Ldap Attributes --> <cas:attributes> <cas:GivenName>Mr</cas:GivenName>
<cas:Surname>Mller</cas:Surname> <cas:Mail>mail@example.com</cas:Mail> </cas:attributes> <!-- End Ldap Attributes -->
</cas:authenticationSuccess></cas:serviceResponse>,[mode] => 0,[error] => ,[dom] => php4DOMDocument Object ([myDOMNode] => DOMDocument Object
(),[myOwnerDocument] => php4DOMDocument Object ( *RECURSION*),[errorMode] => ))#1 DOMDocument->loadXML(<cas:serviceResponse
xmlns:cas='X'> <cas:authenticationSuccess> <cas:user>user</cas:user> <!-- Begin Ldap Attributes --> <cas:attributes>
<cas:GivenName>Mr</cas:GivenName> <cas:Surname>Mller</cas:Surname> <cas:Mail>mail@example.com</cas:Mail> </cas:attributes> <!-- End Ldap
Attributes --> </cas:authenticationSuccess></cas:serviceResponse>) called at [/path/to/piwik/plugins/CASLogin/CAS/CAS/domxml-php4-to-php5.php:72]#2
domxml_open_mem(<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>user</cas:user> <!-- Begin Ldap Attributes
--> <cas:attributes> <cas:GivenName>Mr</cas:GivenName> <cas:Surname>Mller</cas:Surname> <cas:Mail>mail@example.com</cas:Mail>
</cas:attributes> <!-- End Ldap Attributes --> </cas:authenticationSuccess></cas:serviceResponse>) called at
[/path/to/piwik/plugins/CASLogin/CAS/CAS/client.php:2544]#3
CASClient->validatePT(X/cas/proxyValidate?service=https%3A%2F%2Fexample.piwiktracking.de%2Fpiwik%2Findex.php%3Fmodule%3DCASLogin%26action%3DredirectToCAS&ticket=ST-219-Fbm9AGJWRDE7kgVp3iTQ-cas,
<cas:serviceResponse xmlns:cas='X'> <cas:authenticationSuccess> <cas:user>user</cas:user> <!-- Begin Ldap Attributes -->
<cas:attributes> <cas:GivenName>Mr</cas:GivenName> <cas:Surname>Mller</cas:Surname> <cas:Mail>mail@example.com</cas:Mail>
</cas:attributes> <!-- End Ldap Attributes --> </cas:authenticationSuccess></cas:serviceResponse>, ) called at
[/path/to/piwik/plugins/CASLogin/CAS/CAS/client.php:1006]#4 CASClient->isAuthenticated() called at
[/path/to/piwik/plugins/CASLogin/CAS/CAS/client.php:915]#5 CASClient->checkAuthentication() called at
[/path/to/piwik/plugins/CASLogin/CAS/CAS.php:865]#6 phpCAS->checkAuthentication() called at [/path/to/piwik/plugins/CASLogin/Auth.php:68]#7
Piwik_CASLogin_Auth->authenticate() called at [/path/to/piwik/core/Access.php:131]#8 Piwik_Access->reloadAccess(Piwik_CASLogin_Auth Object ([] => ,[] =>
)) called at [/path/to/piwik/core/FrontController.php:243]#9 Piwik_FrontController->init() called at [/path/to/piwik/index.php:56]


CAS Authentication failed!

You were not authenticated.

Thanks a lot in advance,

yato

@anonymous-matomo-user
Author

To reply to eashman, since I haven't had time to update the plugin:

Yes, archive.sh cannot run. CASLogin needs to be fixed. However, what I have done in my installations as a temporary workaround is: copy the whole directory tree of piwik to another location; change that directory's configuration to not use CASLogin plugin; point cron's archive.sh to that directory. It's beyond ugly but it works.

There are also further bugs and logic errors that need to be fixed. I haven't checked ow's changes yet to confirm that they fix them. I might be able to pick it up again in the near future (2 or 3 months' time).

@anonymous-matomo-user
Author

Hello

CAS Authentication failed!

You were not authenticated.

The bug I had was a configuration of the CAS server. We changed the encoding to utf8 on the server side (was i8... before).
It works now.

yato

@anonymous-matomo-user
Author

Hello,
I just tried to test this plugin but got some errors:
Warning: DOMDocument::loadXML(): Space required after the Public Identifier in Entity, line: 1 in /var/www/piwik2/plugins/CASLogin/CAS/CAS/domxml-php4-to-php5.php on line 72

Backtrace -->
#0 Piwik_ErrorHandler(2, DOMDocument::loadXML(): Space required after the Public Identifier in Entity, line: 1, /var/www/piwik2/plugins/CASLogin/CAS/CAS/domxml-php4-to-php5.php, 72, Array ([=> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://cas3.xxx.fr/cas/?TARGET=http%3A%2F%2Fxxx.fr%2Fpiwik-dev%2Findex.php%3Fmodule%3DCASLogin%26action%3Dlogin">here</a>.</p><hr><address>Apache Server at cas3.xxx.fr Port 443</address></body></html>,mode => 0,[=> ,dom => php4DOMDocument Object ([=> DOMDocument Object (),myOwnerDocument => php4DOMDocument Object ( RECURSION),[=> ))#1 DOMDocument->loadXML(<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://cas3.xxx.fr/cas/?TARGET=http%3A%2F%2Fxxx.fr%2Fpiwik-dev%2Findex.php%3Fmodule%3DCASLogin%26action%3Dlogin">here</a>.</p><hr><address>Apache Server at cas3.xxx.fr Port 443</address></body></html>) called at /var/www/piwik2/plugins/CASLogin/CAS/CAS/domxml-php4-to-php5.php:72#2 domxml_open_mem(<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://cas3.xxx.fr/cas/?TARGET=http%3A%2F%2Fwww-stats.xxx.fr%2Fpiwik-dev%2Findex.php%3Fmodule%3DCASLogin%26action%3Dlogin">here</a>.</p><hr><address>Apache Server at cas3.xxx.fr Port 443</address></body></html>) called at [CASClient->validateSA(, <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://cas3.xxx.fr/cas/?TARGET=http%3A%2F%2Fwww-stats.xxx.fr%2Fpiwik-dev%2Findex.php%3Fmodule%3DCASLogin%26action%3Dlogin">here</a>.</p><hr><address>Apache Server at cas3.xxx.fr Port 443</address></body></html>, ) called at /var/www/piwik2/plugins/CASLogin/CAS/CAS/client.php:1019#4 
CASClient->isAuthenticated() called at [CASClient->checkAuthentication() called at /var/www/piwik2/plugins/CASLogin/CAS/CAS.php:865#6 phpCAS->checkAuthentication() called at [Piwik_CASLogin_Auth->authenticate() called at /var/www/piwik2/core/Access.php:131#8 Piwik_Access->reloadAccess(Piwik_CASLogin_Auth Object ([=> , => )) called at [Piwik_FrontController->init() called at /var/www/piwik2/index.php:57
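
Both error reports above come from a validation response that `DOMDocument::loadXML()` could not parse: ISO-8859-1 bytes sent without an encoding declaration in one case, an HTML "302 Found" page in the other. The following added example (not phpCAS or CASLogin code; the function name and the sample bodies are constructed) shows a validation parser that fails closed on such bodies without emitting PHP warnings.

```php
<?php
declare(strict_types=1);

// Added example, not phpCAS or CASLogin code. parseCasValidation() and the
// sample bodies are constructed. Needs PHP 7.1+ with the dom extension.

const CAS_NS = 'http://www.yale.edu/tp/cas';

/** Return the validated username, or throw: never log in on a doubtful body. */
function parseCasValidation(string $body): string
{
    if ($body === '') {
        throw new RuntimeException('empty validation response');
    }

    // Collect libxml errors ourselves so nothing leaks as a PHP warning
    // (the reports above show the whole response echoed in a backtrace).
    $previous = libxml_use_internal_errors(true);
    libxml_clear_errors();
    $dom = new DOMDocument();
    $loaded = $dom->loadXML($body, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    // Mis-encoded bytes and HTML redirect pages both end up here.
    if (!$loaded || $errors !== []) {
        $why = $errors !== [] ? trim($errors[0]->message) : 'unparseable';
        throw new RuntimeException('not well-formed XML: ' . $why);
    }
    // A CAS response has no use for a DOCTYPE; refuse it outright.
    if ($dom->doctype !== null) {
        throw new RuntimeException('unexpected DOCTYPE');
    }
    $root = $dom->documentElement;
    if ($root->namespaceURI !== CAS_NS || $root->localName !== 'serviceResponse') {
        throw new RuntimeException('not a cas:serviceResponse');
    }

    $xpath = new DOMXPath($dom);
    $xpath->registerNamespace('cas', CAS_NS);
    $users = $xpath->query('/cas:serviceResponse/cas:authenticationSuccess/cas:user');
    if ($users === false || $users->length !== 1) {
        throw new RuntimeException('no authenticationSuccess with exactly one user');
    }
    $user = trim($users->item(0)->textContent);
    if ($user === '') {
        throw new RuntimeException('empty username');
    }
    return $user;
}

// Constructed sample responses.
$open    = "<cas:serviceResponse xmlns:cas='" . CAS_NS . "'>";
$close   = '</cas:serviceResponse>';
$success = '<cas:authenticationSuccess><cas:user>user</cas:user><cas:attributes>'
         . '<cas:Surname>%s</cas:Surname></cas:attributes></cas:authenticationSuccess>';
$samples = [
    'utf-8 surname'   => $open . sprintf($success, "B\u{00F6}ger") . $close,
    'latin-1 surname' => $open . sprintf($success, "B\xF6ger") . $close, // raw byte 0xF6
    'html redirect'   => '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head>'
                       . '<title>302 Found</title></head><body><h1>Found</h1></body></html>',
    'ticket rejected' => $open . "<cas:authenticationFailure code='INVALID_TICKET'>"
                       . 'constructed</cas:authenticationFailure>' . $close,
];
foreach ($samples as $label => $body) {
    try {
        printf("%-16s accepted, user=%s\n", $label, parseCasValidation($body));
    } catch (RuntimeException $e) {
        printf("%-16s rejected: %s\n", $label, $e->getMessage());
    }
}
```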

@tomkuipers

Attachment:
CASLogin-0.6.3.tgz

@tomkuipers

After upgrading to Piwik 1.6 I received a lot of missing variable errors. See this thread http://forum.piwik.org/read.php?2,83925.
I've attached a new version [http://issues.piwik.org/attachments/598/CASLogin-0.6.3.tgz] to resolve these issues.

@mattab
Member

mattab commented Dec 12, 2011

tkuipers, thanks for fixing the bug!

@anonymous-matomo-user
Author

Hi,

I just wanted to know if the 0.6.3 version of this plugin still works with piwik 1.9.x releases? (could try on a test server, but if anyone already knows the answer...)
By the way, I had quite the same problem (and solution) as avel in comment ticket:598#comment:20: the CASLogin plugin interferes with the command line authentication mechanism used by archive.sh or whatever other script is called from the command line (when upgrading piwik for example).
Does someone still maintain this plugin? If yes, could this be looked into? That would be a good enhancement.

Thanks for the good work anyway, it is a really useful plugin in a CAS environment ;-)

@tomkuipers

Hi ycezard,

Replying to ycezard:

> I just wanted to know if the 0.6.3 version of this plugin still works with piwik 1.9.x releases? (could try on a test server, but if anyone already knows the answer...)

I've just upgraded my development Piwik instance to 1.9.1 and the CAS plugin version 0.6.3 appears to be working.

> By the way, I had quite the same problem (and solution) as avel in comment ticket:598#comment:20: the CASLogin plugin interferes with the command line authentication mechanism used by archive.sh or whatever other script is called from the command line (when upgrading piwik for example).
> Does someone still maintain this plugin? If yes, could this be looked into? That would be a good enhancement.
>
> Thanks for the good work anyway, it is a really useful plugin in a CAS environment ;-)

I don't actively maintain this plugin, I'm not the original author, but luckily I was able to get it working with recent versions of Piwik. I'm not a PHP developer and I'm unable to address the issues you have with command line authentication. BTW, using the Piwik API is also problematic when using the CAS plugin.

There was a feature request to make CAS / LDAP Authentication a native feature of Piwik: http://forum.piwik.org/read.php?3,78340

Anyone interested in implementing this?

@anonymous-matomo-user
Author

Thanks for the fast answer, I can confirm that the CASLogin plugin 0.6.3 works fine in piwik 1.9.1.
I am not a PHP developer myself, but if I can take the time to look into it and help fix this little issue, I will!

@anonymous-matomo-user
Author

Replying to rbalfanz:

> Single sign-on authentication would be useful when incorporating Piwik into existing environments already using CAS.

Hello,

I've just installed Piwik 1.10 and CASLogin on a new CentOS server.

I've disabled the Login plugins and configured CASLogin as on my other piwik servers.

But when I go to my piwik page, I get a blank empty page. There is no "connection" link which sends me to the CAS like on my other servers.

I don't understand why... Nothing in the error log of apache.
Is there a way to show debug information?

Another thing: if I manually go to my CAS server login page and log in, then when I return to my piwik page, I'm logged in...

Does anyone have an idea?

I hope you understand my English, because I'm French and I don't speak English very well...

Thanks!

@racooper

Replying to sgrunt:

> Hello,
>
> I've just installed Piwik 1.10 and CASLogin on a new CentOS server.
>
> I've disabled the Login plugins and configured CASLogin as on my other piwik servers.
>
> But when I go to my piwik page, I get a blank empty page. There is no "connection" link which sends me to the CAS like on my other servers.
>
> I don't understand why... Nothing in the error log of apache.
> Is there a way to show debug information?
>
> Another thing: if I manually go to my CAS server login page and log in, then when I return to my piwik page, I'm logged in...

I have the exact same symptoms with Piwik 1.10.1. No errors in logs, just a blank page. Turning on error logging in .htaccess for php provides no additional information. I have had random success with logging into CAS separately then going to piwik, but it's not consistent behavior.

@anonymous-matomo-user
Author

Replying to racooper:

> Replying to sgrunt:
>
> > Hello,
> >
> > I've just installed Piwik 1.10 and CASLogin on a new CentOS server.
> >
> > I've disabled the Login plugins and configured CASLogin as on my other piwik servers.
> >
> > But when I go to my piwik page, I get a blank empty page. There is no "connection" link which sends me to the CAS like on my other servers.
> >
> > I don't understand why... Nothing in the error log of apache.
> > Is there a way to show debug information?
> >
> > Another thing: if I manually go to my CAS server login page and log in, then when I return to my piwik page, I'm logged in...
>
> I have the exact same symptoms with Piwik 1.10.1. No errors in logs, just a blank page. Turning on error logging in .htaccess for php provides no additional information. I have had random success with logging into CAS separately then going to piwik, but it's not consistent behavior.

Hi,

I haven't got any answer to this trouble over the Internet. So I've looked over the plugin's code and made a little change.

In the file Auth.php, line 66, I've commented out "$action = Piwik::getAction();" and put "$action = "redirectToCAS";" in its place.

This is to automatically redirect to the CAS login page.
I know this is crafting (bricolage in French), but it solves my problem in my case.

I hope you'll understand my English :S and that this tip will help someone.

Tell me if you find a better solution.

Best Regards,

Sgrunt

@tomkuipers

Hi,

I also experienced issues logging in after upgrading to 1.10.1. I'm also using the CAS plugin. I managed to log in with CAS to 1.10.1 after disabling the "MobileMessaging" plugin.
There's a separate topic about login errors after upgrading to Piwik 1.10 here: http://forum.piwik.org/read.php?2,99650

What worked for me is described here: http://forum.piwik.org/read.php?2,99650,page=2#msg-100619

This is my list of plugins:

[Plugins]
Plugins[] = "CorePluginsAdmin"
Plugins[] = "CoreAdminHome"
Plugins[] = "CoreHome"
Plugins[] = "Proxy"
Plugins[] = "API"
Plugins[] = "Widgetize"
Plugins[] = "LanguagesManager"
Plugins[] = "Actions"
Plugins[] = "Dashboard"
Plugins[] = "MultiSites"
Plugins[] = "Referers"
Plugins[] = "UserSettings"
Plugins[] = "Goals"
Plugins[] = "SEO"
Plugins[] = "UserCountry"
Plugins[] = "VisitsSummary"
Plugins[] = "VisitFrequency"
Plugins[] = "VisitTime"
Plugins[] = "VisitorInterest"
Plugins[] = "ExampleAPI"
Plugins[] = "ExamplePlugin"
Plugins[] = "ExampleRssWidget"
Plugins[] = "Provider"
Plugins[] = "Feedback"
Plugins[] = "Login"
Plugins[] = "UsersManager"
Plugins[] = "SitesManager"
Plugins[] = "Installation"
Plugins[] = "CoreUpdater"
Plugins[] = "PDFReports"
Plugins[] = "UserCountryMap"
Plugins[] = "Live"
Plugins[] = "CustomVariables"
Plugins[] = "CASLogin"
Plugins[] = "DBStats"
Plugins[] = "PrivacyManager"
Plugins[] = "SecurityInfo"
Plugins[] = "CoreHome"
Plugins[] = "CoreUpdater"
Plugins[] = "CoreAdminHome"
Plugins[] = "CorePluginsAdmin"
Plugins[] = "Installation"
Plugins[] = "SitesManager"
Plugins[] = "UsersManager"
Plugins[] = "API"
Plugins[] = "Proxy"
Plugins[] = "LanguagesManager"
Plugins[] = "MobileAnalytics"
Plugins[] = "Transitions"
Plugins[] = "Annotations"
; Plugins[] = "MobileMessaging"
Plugins[] = "Overlay"

@anonymous-matomo-user
Author

Hello,

At the moment we're using Piwik 1.9.2 with the CASLogin plugin, because we have a Single-Sign-On in our company. After I put the Do-Not-Track iFrame on the webpage, I noticed an issue. The checkbox won't show until I am logged in to the SSO. If I'm not logged in and I copy the iFrame URL into my browser, it redirects me to the Piwik login screen.

If anyone has the same issue or maybe a solution for this issue, I would appreciate it very much. Thanks in advance.

Greetings

@mattab
Member

mattab commented May 5, 2013

Note: a feature request was created in: #3923: Add a feature to auto-archiving that makes it compatible with CAS plugin

@anonymous-matomo-user
Author

With Piwik 1.11.1 it seems to work perfectly.
I had to change the Auth.php, because I need two additional parameters:

Our CAS server has no subdomain of its own; it is reachable at the path www.ourdomain.com/cas/

    phpCAS::client(
        constant( Zend_Registry::get('config')->caslogin->protocol ),
        Zend_Registry::get('config')->caslogin->host,
        (integer) Zend_Registry::get('config')->caslogin->port,
        '/cas',
        false
    );

I've inserted the fourth parameter "/cas".

After the lines above I have inserted


because the validate URL differs (!) from the CAS-Login-URL, because of a reverse proxy environment.

Can someone transfer these two parameters to the config/config.ini.php?

@anonymous-matomo-user
Author

Has anyone gotten CASLogin to work with database sessions (i.e. session_save_handler=dbtable)? In my case, login by CAS works when sessions are stored in files and database sessions work without CASLogin enabled but I'm not seeing sessions get created once CASLogin and database sessions are enabled together.

I also notice the phpCAS version bundled with this plugin is very old and contains multiple security vulnerabilities. The newest phpCAS appears compatible so it might be worthwhile to bundle a newer version for visitors using the CASLogin plugin without updating phpCAS. I haven't tested extensively so I won't presume to attach it myself.

@mattab
Member

mattab commented Feb 6, 2014

Along with the Piwik 2.0 release and new design for Piwik, we have also launched the official Plugins Marketplace to let any developer share their work to the thousands of Piwik users worldwide.

Maybe you'd like to publish your plugin there?

In any case, keep up the good work and we hope you enjoy Piwik 2!

--> See also example of the Ldap plugin #734 published on the Marketplace at: http://plugins.piwik.org/LoginLdap

@anonymous-matomo-user
Author

Attachment: Version compatible with Piwik 2.1
CASLogin-0.7.tgz

@anonymous-matomo-user
Author

Hi, I'm attaching a Piwik 2.1 compatible version.

Changelog

0.7

  • Compatible with Piwik 2.1
  • Removed the "additional root logins" option (Piwik handles multiple superusers natively now)
  • Added custom CAS login image
  • Upgrade to phpCAS-1.3.2

@anonymous-matomo-user
Author

Attachment: Bugfix.
CASLogin-0.7.1.tgz

@anonymous-matomo-user
Author

0.7.1

  • Fixed error in Auth::authenticate causing phpCAS::client to be called twice.

This issue was closed.
5 participants