Skip to end of metadata
Go to start of metadata


CAS can handle both single sign-in and single sign-out for KC and Rice applications.  The single sign-in setup for CAS requires three filters (AuthenticationFilter, Cas20ProxyReceivingTicketValidationFilter, and HttpServletRequestWrapperFilter) to sign in.  The single sign-out setup however requires both a filter (SingleSignOutFilter) and a listener (SingleSignOutHttpSessionListener) to cleanly sign out of the application.


  1. A working installation of CAS
  2. KC version 3.1 or greater
  3. Rice version or greater (if working in embedded mode)


The following instructions are for embedded mode.  If you need to setup CAS in bundled mode, ignore the comments about modifying rice-config.xml.

1. Be sure you are using the latest versions of the templates for $HOME/kuali/main/dev/kc-config.xml and $HOME/kuali/main/dev/rice-config.xml, as these do change periodically from time to time.

2. Edit both your kc-config.xml and rice-config.xml and add the following filters and listeners.

4. Edit both your kc-config.xml and rice-config.xml and replace the following entries of rice.portal.logout.redirectUrl with the CAS logout URL.

5. Your config files may have an entry for the DummyLoginFilter.  Be sure to comment this out so KC/Rice points to CAS.


  • In order to authenticate against KIM, you will need to implement org.jasig.cas.client.authentication.AuthenticationFilter and include
    to query the KIM database.  This implementation is done on the CAS server side; no code modification in KC is required.
  • Once a user has successfully authenticated through CAS, by default they are directed to the org.kuali.rice.kew.web.UserLoginFilter which uses the to setup the user session.  Your Rice installation will have to have your users installed before this authentication will succeed.
  • No labels