CAS authentication for Redmine

I’ve been wanting to integrate Redmine with my CAS server at $WORK for a while. Unfortunately, Redmine only supports its integrated login/password, LDAP auth and OpenID. There are existing requests on this topic (#2965 for instance), but the Redmine developers have always refused to implement such specific authentication methods in the core itself. I approve of this choice; I think they should even drop OpenID, and maybe LDAP support (it is hard to maintain so many things, and the core should be leaner).

Existing solutions

I’m only aware of two existing solutions if you want to authenticate your Redmine users against CAS:

To be honest, I also wanted to try the OmniAuth authentication framework and see if it could help integrate Redmine with external authentication sources (not only CAS).

OmniAuth

OmniAuth (blog post) is an awesome authentication framework built as a Rack middleware.

It has a pretty simple workflow for external authentication sources. If we take the example of CAS:

OmniAuth is covered in 3 railscasts, but the one that has been really helpful is #241 Simple OmniAuth.

The “redmine_omniauth_cas” plugin

I spent some hours last weekend building the “redmine_omniauth_cas” plugin. The code is on GitHub. It relies on OmniAuth for (optionally) authenticating your users against a CAS server. The CAS server has to be configured in the plugin configuration section. It’s only compatible with Redmine 1.2.0, since the latest versions of OmniAuth are not compatible with Rack 1.0.1.

There are currently some limitations I plan to address in the next versions:

I also plan to contribute to OmniAuth, and especially to the CAS provider. The current implementation is functional but not so flexible, since it doesn’t support OmniAuth’s mechanisms to set up the CAS options at runtime.

Conclusion

This plugin is a first try at using OmniAuth with Redmine, but I could easily imagine building plugins to authenticate against other sources. I hope it will be useful for some of you. I think it could even be a viable option to throw OpenID support out of the core, and let it live its life in a clean plugin. Stay tuned!