Hi, I got Single Sign-On working with different python apps in different virtual environments. Its combination of django-mama-cas as a server, and django-cas-ng on the clients. SSO is piece of cake. 9I referred the documentation and this article as well.

But, I have noticed that on Logout from one app, I am still Signed into the other apps. On the terminal (after running manage.py runserver), I see that the SLO (Single log out) messages are not sent to any other app if the LOGOUT_URL is not HTTPS.

But, when I set LOGOUT_URL = 'https://', it tries to send the Logout message. But, since I am running in development environment, so I get the following error:

requests.exceptions.ProxyError: HTTPSConnectionPool(host='127.0.1.1', port=9898): Max retries exceeded with url: /admin/callback (Caused by ProxyError('Cannot connect to proxy.', OSError('Tunnel connection failed: 403 Forbidden',)))

That most likely due to the self-signed SSL certificates.
Can you please tell me if this is the desired behavior to have LOGOUT_URL as HTTPS? And, any specific procedure to look at the logs of django-mama-cas only which will help to troubleshoot this?

Although I set the relevant properties, the expire doesn't seem to work.When over the time, it still can be visit without logining.Thanks！
models.py.txt

I did not understand exactly why a ticket can only be used one time. If I check if it is valid only one time it is no longer valid because it was consumed.

This forces the user to log in all the time on the site!

Can anyone give me a hand in this issue ?

Currently, any username having one or more upper-case characters fails to authenticate.

It's easy to lower() all usernames upon their initial registration, but should that be a requirement for the use of mama-cas?

I suppose it's normal these days for services to consider usernames to be case-insensitive, but I hope there are some exceptions out there.

Yet even if case-insensitivity is the rule, mama-cas still must successfully authenticate usernames with capitals.

Optimally, I'd like a setting such as MAMA_CAS_CASE_SENSITIVE that defaults to False. What do you think, Jason?

With or without that, clean_username needs to be replaced. The correct solution is probably a pre-save signal handler.

Cf: forms.py line 27

Hey there,

Thanks a bunch for your work. Found the following incompatibility towards Django 1.7:

Traceback (most recent call last):
  File "/var/lib/sso/mama_cas/forms.py", line 41, in clean
    self.user = authenticate(username=username, password=password)
  File "/usr/lib/python2.7/dist-packages/django/contrib/auth/__init__.py", line 51, in authenticate
    for backend in get_backends():
  File "/usr/lib/python2.7/dist-packages/django/contrib/auth/__init__.py", line 26, in get_backends
    backends.append(load_backend(backend_path))
  File "/usr/lib/python2.7/dist-packages/django/contrib/auth/__init__.py", line 20, in load_backend
    return import_string(path)()
  File "/usr/lib/python2.7/dist-packages/django/utils/module_loading.py", line 26, in import_string
    module = import_module(module_path)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/lib/python2.7/dist-packages/django_auth_ldap/backend.py", line 59, in <module>
    from django.contrib.auth.models import User, Group, Permission, SiteProfileNotAvailable
ImportError: cannot import name SiteProfileNotAvailable

Is it possible to push a new release to pypi? I really need the changes from #75.

It would be greate if we have a simple example of the server and how the client will connect to it. Which urls to use etc.

Which CAS client do you recommend?

Great project by the way!

Hey,

I am using mama-cas library for one of my course project. I have two services (Django applications) relying on mama-cas as SSO. I have everything setup and these 3 servers (CAS Server, Service 1 and Service 2) are running on separate servers. Lets say they are running at:
CAS Server - cas_server.domain.com
Service 1 - service1.domain.com
Service 2 - serivce2.domain.com

Now Once I'm logged in to CAS Server I should be able to access Service 1 and Service 2 seamlessly without being redirected to CAS Server and being prompted for username/password but it doesn't happen and It prompts me for username/password for each service. Am I missing any configuration here or mama-cas doesn't support this yet?

I have a demo project running [1] to test shared login across multiple clients. Server is jbittel/django-mama-cas and clients are running vanilla mingchen/django-cas-ng.

Both clients can authenticate fine, but logging into one then forces a logout on the other. I want to be able to move between different sites (one for frontend, one for backend) based on a single login. A roundtrip to the CAS server with some sort of authentication token would be fine, so long as the user doesn't have to keep logging in to each one.

Any advice or experience?

[1] https://github.com/philsheard/django-cas-test

must modify
/usr/lib/python3.4/site-packages/mama_cas/forms.py
/usr/lib/python3.4/site-packages/mama_cas/views.py
?
or there is a better way?

I've been hunting for this issue for the better part of a year, but I've finally isolated it.

If gevent is installed, and django-mama-cas is installed and you're using celery, very bizarre things start happening eventually. Most importantly, gevent monkeypatches os.fork. Celery, in the default worker configuration, is dependent on using os.fork, and initially nothing seems out of the ordinary, until, after a few hours, it simply mysteriously freezes and workers stop accepting new jobs. Switching to threaded workers suddenly works.

Initially, I blamed it on myself not understanding celery properly. Finally, I decided to swap it out in favor of django-rq, which I found much less arcane to correctly set up. Django-rq started freezing immediately, because it, likewise, uses os.fork. Switching to SimpleWorker class, which just executes the job immediately, fixes it.

Now, removing gevent, so that django-mama-cas can't load it, immediately gets it all to work again.

I'm not sure what can be done about it, frankly, but I'm suspecting it needs to be used in a more explicit manner than that.

P.S. See spyoungtech/grequests#8 for a related problem caused by using gevent.
P.P.S. No, it is not sufficient to monkey.patch_all(thread=False, select=False, os=False) -- at least, it is not sufficient to get django-rq to work.
P.P.P.S. The problem appears to go away with gevent 1.1rc5, however...

I can't figure out what I'm missing from the (client?) configuration as I get the following error:

NotImplementedError: mama_cas.services.backends.SettingsBackend.service_allowed() not implemented

A working example example would help a lot. Thank you in advance.

Hi,

I've been using django-mama-cas with the django_cas_ng client for some time now. I'm trying to use Single Sign Out, but it does not work because the client expects to receive the sign out request under the logoutRequest parameter, and django-mama-cas is not doing that.

Can you please see the reasoning in the django_cas_ng issue below and tell me if it is ok to modify django-mama-cas in this regard?

django-cas-ng/django-cas-ng#82

Thanks in advance!

Currently, the jenkins CAS plugin doesn't work with mama-cas when in SAML 1.1 mode (CAS 2.0 on the other hand works fine). Jenkins plugin bug ticket: https://issues.jenkins-ci.org/browse/JENKINS-28568

The jenkins plugin appears to be using this TARGET parameter (visible as GET parameter) for the /login endpoint. However, according to https://github.com/Jasig/cas/blob/master/cas-server-documentation/protocol/CAS-Protocol-Specification.md in section 2.1.1, the /login endpoint only knows the "service" parameter, but not explicitly the TARGET parameter.

The SAML 1.1 specification section 4.1.1.3 (https://www.oasis-open.org/committees/download.php/3405/oasis-sstc-saml-bindings-1.1.pdf) specifies such a generic TARGET parameter for any sort of SAML request. The plugin developer also tells us that (unlike mama-cas) the Jasig/Apereo CAS server interprets this parameter the same way as the "service" one.

Either mama-cas or the jenkins plugin seem to be not fully operating to the specs, although I certainly cannot tell with my limited knowledge. Therefore it would be nice if you could figure out which side needs to fix things so this can finally be resolved in whatever way is the best.

I test the django-mama-cas and django-cas-ng with my develop env, I found it all goes well.
But I run it with test env, with mama-cas with url sso.com and cas-ng with url b.com
When I logout , logout 504 Gateway Time-out happens a lot.
ususlly calls the sso server cause the time-out error.
Does it have some design faultiness?

Hi! As you can see in README. Current build status is FAILED.
It will be better to fix it.

Hello,
I do not see anything about ProxyGrantingTicket in https://django-mama-cas.readthedocs.org/en/latest/settings.html. Does that means that any services of MAMA_CAS_VALID_SERVICES that vavidates

        1. The URL scheme must be HTTPS
        2. The SSL certificate must be valid and its name must match that
           of the service
        3. The callback URL must respond with a 200 or 3xx response code

can retrieve a PGT ticket ?

This would mean that letting mama-cas open is a major security leak as anyone would then be able to fetch a PGT to emit ProxyTicket.

If pgturl are not validated agains MAMA_CAS_VALID_SERVICES (I do not see pgturl checked against is_valid_service_url but I can have missed it) that means anyone can always retrieve a PGT.

Hi, out of curiosity, why don't you redirect to LOGIN_REDIRECT_URL here:
https://github.com/jbittel/django-mama-cas/blob/master/mama_cas/views.py#L90

I'm going to wrap LoginView just to do that, so logged in users get to the correct landing page.

I chosed the mama_cas as a cas server, and i want to do some additional actions using oauth when a login request was passed to the cas server, like so:

STEP 1. A login request from cas client to cas server(mama_cas)
STEP 2. An OAuth request from mama_cas to some other site, to get the protected userinfo
STEP 3. mama_cas response the attributes from the User model and the protected userinfo as s whole, response to the cas client.

the question is: Can I did this without changing the source code of mama_cas?

Thx everyone!

I am using django-mama-cas (2.4.0) and django-cas-ng (3.5.10) to manage user authorisation (single sign on, single log off, group membership) across a few django (1.11) projects. I am able to apply user attributes (first_name, last_name, email address) from the cas server to the cas-ng clients using the callback 'mama_cas.callbacks.user_name_attributes' in mama-cas and setting CAS_APPLY_ATTRIBUTES_TO_USER = True on my cas-ng clients.

On my mama-cas server, I also add the user to a number of groups (snippet below) which I want to then apply to the users on the cas-ng clients.

group = Group.objects.get(name=groupname)
user.groups.add(group)

However, when I try using the callback 'mama_cas.callbacks.user_model_attributes' in mama-cas none of the group memberships are applied to my clients (I check this via the admin interface and via the django shell).

Is applying group membership from mama-cas to cas-ng possible or am I doing something wrong? If it's not possible my next best idea was to create some boolean custom user attributes, i.e. user.is_member_groupA etc but would welcome advice.

Thanks in advance!

(This is a cross-post from https://stackoverflow.com/questions/52840298/is-it-possible-to-apply-group-membership-when-authenticating-a-user-with-django - I am not sure what the etiquette is but I can copy answers across etc)

Update 1:
From the callbacks.py I see that only fields within user._meta_fields are added to the dict of attributes returned and that user.groups etc are not included here. From this I presume that group memberships are not intended to be applied from mama-cas to cas-ng as I am trying?

I've been asked to check out mama CAS for a particular use-case.

Could we have two different mama-cas applications running, each talking to their own database, and then have those databases replicating between each other?

Is REST authentication supported or are there any plans to support it?

https://apereo.github.io/cas/5.1.x/installation/Rest-Authentication.html

I wish to know how to call the callbacks.py's funcs.

Now I use django-mama-cas as the CAS server, and django-cas-ng as a clients to login.
I need to add a user access-token to the args to the client.
I can get the token on the server side, how can I get it on the client sites?
Thanks a lot.

I'm using MAMA_CAS and MAMA_CAS_NG, I want to log out from all services when I log out from the primary server.
I have this configuration in a primary server for MAMA_CAS:

MAMA_CAS_SERVICES = [
    {
        'SERVICE': '^https://[^\.]+\.example\.com',
        'LOGOUT_ALLOW': True,
        'LOGOUT_URL': 'https://www.example.com/logout',
    }
]

when I go to /logout in primary server, it automatically sends a post to service URL configured in LOGOUT_URL, but it goes with POST request (in this line: https://github.com/jbittel/django-mama-cas/blob/master/mama_cas/models.py#L255), and MAMA_CAS_NG expects a GET request. Then it throws me Method Not Allowed (POST): /logout/.
The logout from service is working ok, it allows log out from all sites.

The ValidationResponse should handle list attributes.

https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html#257-example-response-with-custom-attributes

{
  "serviceResponse" : {
    "authenticationSuccess" : {
      "user" : "username",
      "proxyGrantingTicket" : "PGTIOU-84678-8a9d...",
      "proxies" : [ "https://proxy1/pgtUrl", "https://proxy2/pgtUrl" ],
      "attributes" : {
        "firstName" : "John",
       "affiliation" : [ "staff", "faculty" ]
        "title" : "Mr.",
        "email" : "[email protected]:[email protected]",
        "lastname" : "Doe"
      }
    }
  }
}

  <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
    <cas:authenticationSuccess>
      <cas:user>username</cas:user>
      <cas:attributes>
        <cas:firstname>John</cas:firstname>
        <cas:lastname>Doe</cas:lastname>
        <cas:title>Mr.</cas:title>
        <cas:email>[email protected]</cas:email>
        <cas:affiliation>staff</cas:affiliation>
        <cas:affiliation>faculty</cas:affiliation>
      </cas:attributes>
      <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
    </cas:authenticationSuccess>
  </cas:serviceResponse>

"affiliation" : [ "staff", "faculty" ]
Should translate to

<cas:affiliation>staff</cas:affiliation>
<cas:affiliation>faculty</cas:affiliation>

Right now, a network failure during remote logout (as part of SLO) will be silently ignored by mama_cas. It seems crucial that a logout failure is raised or at least returned so that the user can take appropriate action, like retry or refuse to logout.

Specifically, ServiceTicket.request_sign_out will blindly session.post without looking at the response.

This should probably raise on at least some very severe network errors, like timeouts or internal server errors.

I'm not sure how this plays with the requests-futures support, but it seems like mama_cas should at least expose a way to do this if you really want to.

Hi, just upgraded to django 1.9 and got this:

$ ./src/manage.py test
Traceback (most recent call last):
  File "./src/manage.py", line 20, in <module>
    execute_from_command_line(sys.argv)
  File "/xxx/venv/lib/python2.7/site-packages/django/core/management/__init__.py", line 350, in execute_from_command_line
    utility.execute()
  File "/xxx/venv/lib/python2.7/site-packages/django/core/management/__init__.py", line 324, in execute
    django.setup()
  File "/xxx/venv/lib/python2.7/site-packages/django/__init__.py", line 18, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/xxx/venv/lib/python2.7/site-packages/django/apps/registry.py", line 108, in populate
    app_config.import_models(all_models)
  File "/xxx/venv/lib/python2.7/site-packages/django/apps/config.py", line 202, in import_models
    self.models_module = import_module(models_module_name)
  File "/usr/local/Cellar/python/2.7.10_2/Frameworks/Python.framework/Versions/2.7/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/xxx/venv/lib/python2.7/site-packages/mama_cas/models.py", line 14, in <module>
    from django.utils.http import same_origin
ImportError: cannot import name same_origin

Right now, single logout will assemble a list of recent ServiceTickets for the current user which it then invalidates one-by-one. It uses the extremely basic check to only look at tickets created for the user since last login:

This logic breaks as soon as the user signs in from two devices or browsers. When signing in to the second device, the user irreversibly overwrites their last login timestamp. Even if the session based on the first ticket signs out it will only invalidate the second ticket, because the first one was issued before the last login.

This seems like really bad behaviour from mama_cas, as it's quite to likely to miss tickets to invalidate, making the logout process unreliable.

In our application we have adjusted the signout logic as follows:

• We use a maximum session lifetime of a few hours for all service sessions created by tickets
• When logging out, we search for all the tickets:
  • that belong to the user signing out
  • that were issued within the (largest) maximum session lifetime

This ensures that all "child" sessions for this user have either been captured because they were from within the last few hours, or we are sure they have expired at the service because their lifetime is limited.

What I miss with the current implementation is that valid services have to be defined in the settings file. Would an option to store services in the database so that they can be reconfigured more easily violate the design of the app? I can do the modifications, but I would like to know in advance if the idea is conceptually acceptable.

We should create a new release and push it to pypi.

#62

mama_cas\response.py line 68
user.text = ticket.user.username

I have custom my User Model in my project. It is just have email and password.
user.text = ticket.user.get_username() can work.

redirect wrongly to http://_/wordpress/wp-login.php?ticket=ST-1456887194-RyQX9S4dbYMErdC8kDlVopjUS6Ox843G&external=cas

Try to start default django2 project with mama-cas and minimal settings.

File ".../python3.6/site-packages/mama_cas/models.py", line 32, in <module>
from mama_cas.utils import add_query_params
File ".../python3.6/site-packages/mama_cas/utils.py", line 5, in <module>
from django.core import urlresolvers
ImportError: cannot import name 'urlresolvers'

Need to change imports

# from django.core import urlresolvers
from django import urls as urlresolvers

When running under Django 1.9 beta:

  File "/path/to/...lib/python3.5/site-packages/mama_cas/models.py", line 14, in <module>
    from django.utils.http import same_origin
ImportError: cannot import name 'same_origin'

Thanks.

I'm looking at ways to restrict access to certain services to certain users. For example User A can be logged into service http://servicea.com but not http://serviceb.com.

I can't see anyone else implementing this in their forks. So want to give it a go myself.

I have some questions around the design of this feature with mama-cas. From where I see it there are three options. All options require the creation of a service model and custom user permissions:

1. Pass authorization information in CAS attributes and then allow the client to control access at their end. Use the current MAMA_CAS_ATTRIBUTE_CALLBACKS to create a callback which provides a list of authorized services within the attributes.
2. Amend LoginView around line 81. (https://github.com/jbittel/django-mama-cas/blob/master/mama_cas/views.py#L81 ) To do a look up against the service model to check if the user has permissions to access that service. If no permission act as invalid service.
3. Amend LoginView to call an optional callback specified by a setting that can check authorization. Something like MAMA_CAS_AUTHORIZATION_CALLBACK. This could then be passed the user and the service and return a boolean.

I'm not sure which one matches the CAS/mama-cas philosophy. Be great to get some input before I went off down one root in my own fork.

Thanks

I'm attempting to cause the logout (mycasserver.com/cas/logout) to force sessions to be cleared using the clear_sessions function so that all domains will be logged out of (I created a gateway to log into the other domains automatically if one is logged into).

The new logout function in views.py is:

ProxyGrantingTicket.objects.filter(session_key=request.session.session_key).delete()
SessionTicket.objects.filter(session_key=request.session.session_key).delete()
next_page = next_page or get_redirect_url(request)
clean_sessions(get_cas_client(request=request), request)

where I added the clean_sessions line below the default (original) lines you see above it.

Hi,
Is it working with Facebook authenfication ? I am using Django-allauth as authentication backend.

Thanx

It seems that the login has to be redirected to the login page? (I use mama-cas-ng), is there a way to login with REST API and use a token from different apps?

Hi folks,

I m trying to implement SSO functionality for my huge application.
i m using django-cas-ng and django-mama-cas on my sso-agent and sso-server respectively.

now, my application does not use the default Auth-User Table for verification.
We have separate app with the separate User Table.

I want to know how to customize in a way that default authentication User table does not get used.
Instead I want to use a different function.
Also, i M not using any AUTHENTICATION BACKEND . (and i m not planning to use one).
By default mama-cas uses its default AUTHENTICATION BACKEND.
Also I went through the Mama-cas code. It uses LoginForm.
So I dont want to use that also.

Kindly help me out.

Custom username (attributes callback) is not working.

code：

 def request_sign_out(self, session=requests):
        """
        Send a POST request to the ``ServiceTicket``s logout URL to
        request sign-out.
        """
        if logout_allowed(self.service):
            request = SingleSignOutRequest(context={'ticket': self})
            url = get_logout_url(self.service) or self.service
            session.post(url, data={'logoutRequest': request.render_content()})
            logger.info("Single sign-out request sent to %s" % `url)```

I configured MAMA_CAS_ENABLE_SINGLE_SIGN_OUT=True in settings.py
and:

MAMA_CAS_SERVICES = [
    {        
        'SERVICE': 'http://127.0.0.1:8000/',
        'CALLBACKS': [
            'mama_cas.callbacks.user_model_attributes',
        ],
        'LOGOUT_ALLOW': True,
        'LOGOUT_URL': 'http://127.0.0.1:30000/logout',
    },
]

Thank you very much for your answer.

When using built-in Django authentication backend ModelBackend, a user with is_active=False, will not be able to authenticate, and the backend will return None. In mama_cas.forms.LoginForm the validation error to report an inactive user is never reached since the user will be None. That is, when a user is inactive, the error on the login page is 'The username or password is not correct'.

Hello, when the session is closed due to the SESSION_COOKIE_AGE expiring, the server which uses django-mama-cas closes correctly but the tickets are not being consumed so the microapps are not being logged out as they normally do when the logout view is called by the user. Is there an estimated time for merging this feature?

Hi @jbittel,

I wonder if you could help me, I'm implementing single sign-on using the CAS protocol, and and am using your package for the server component (great work by the way)..

There doesnt seem to be much out there for the client component, (im working on a django project) after trying the two offerings i found i went with django-cas, and to get it working with my version of django i forked it.. I may put in a Pull request upstream if i get it all working...

https://github.com/farridav/django-cas

Anyway, the issue I'm having is I cant seem to finish auth properly because of a race condition and a mismatched pgt:-

• I go to a page on my application that is restricted
• django-cas redirects me to mama-cas (n.b - I have supplied a pgtUrl for callback)
• I login
• mama-cas asynchronously sends my pgtIou and pgtId back to my callback
  • from -> to
• mama-cas redirects me back with a ticket
• django-cas looks for the pgtIou in the database (made asynchronously earlier)..

  • https://github.com/farridav/django-cas/blob/master/django_cas/backends.py#L76
    ... And it fails because it can't find it... yet if I change

    pgtIou = PgtIOU.objects.get(pgtIou=pgtIouId)

    to

    import time
    time.sleep(5)
    pgtIou = PgtIOU.objects.get(tgt=pgtIouId)
    

    Then django-cas successfully authenticates that ticket against the mama-cas server

Identified problems

• mama-cas is returning a PGT-XXXX... into pgtIouId here as opposed to a PGTIOU-XXXXX ticket, as described in https://github.com/jbittel/django-mama-cas/blob/master/mama_cas/response.py#L40
• the above race condition

It may be that something needs changing/updating on django-cas, or the way I have implemented both components, or maybe I should put in a pull request to make mama-cas wait for the
response to the callback before redirecting back to the login? thoughts..?

This is the asynchronous mama-cas request I'm referring to

If I've misunderstood the protocol, the project, or if anything jumps out at you, please let me know, the whole client-side of CAS, and the protocol as a whole seems to have very little documentation, and that that it does have appears out of date :(.

Thanks in advance

@farridav

Currently the login template is hardcoded into the LoginView class.

Were I to submit a PR for this, would it be reviewed?

I am trying to set up a mock with django-mama-cas + django-cas-ng under Python 3.6 and Django 2.0. Unfortunately, it appears django-mama-cas is not compatible with Django 2.0. Trying to run manage.py migrate yields:

$ ./manage.py migrate
Traceback (most recent call last):
  File "./manage.py", line 15, in <module>
    execute_from_command_line(sys.argv)
  File "/home/godlike/virtualenv/36/lib/python3.6/site-packages/django/core/management/__init__.py", line 371, in execute_from_command_line
    utility.execute()
  File "/home/godlike/virtualenv/36/lib/python3.6/site-packages/django/core/management/__init__.py", line 347, in execute
    django.setup()
  File "/home/godlike/virtualenv/36/lib/python3.6/site-packages/django/__init__.py", line 24, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/home/godlike/virtualenv/36/lib/python3.6/site-packages/django/apps/registry.py", line 112, in populate
    app_config.import_models()
  File "/home/godlike/virtualenv/36/lib/python3.6/site-packages/django/apps/config.py", line 198, in import_models
    self.models_module = import_module(models_module_name)
  File "/home/godlike/virtualenv/36/lib64/python3.6/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 994, in _gcd_import
  File "<frozen importlib._bootstrap>", line 971, in _find_and_load
  File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 678, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/home/godlike/virtualenv/36/lib/python3.6/site-packages/mama_cas/models.py", line 32, in <module>
    from mama_cas.utils import add_query_params
  File "/home/godlike/virtualenv/36/lib/python3.6/site-packages/mama_cas/utils.py", line 5, in <module>
    from django.core import urlresolvers
ImportError: cannot import name 'urlresolvers'

The following section of the documentation contains links to a third-party detailing the protocol:

http://django-mama-cas.readthedocs.io/en/latest/protocol.html

However, none of these appear to work. Additionally, there's no link to the CAS 3.0 protocol, so it would be nice if that could be added.

I encountered this error "child watchers are only available on the default loop" yesterday, after debugging i found it was caused by gevent subprocess patch. After reading django-mama-cas, i found this piece code:

if gevent:
    from gevent.pool import Pool
    from gevent import monkey
    monkey.patch_all(thread=False, select=False)

This piece patches subprocess module by default and i found this

On POSIX platforms, this module is not usable from native threads other than the main thread; attempting to do so will raise a TypeError.

at http://www.gevent.org/gevent.subprocess.html.

I think if django-mama-cas only gevent socket patch, it might be more safe and wise to use the patches as needed.

Unable to get test suite to pass on my local machine (Django 1.4.x). Could someone else confirm that the test suite is broken—to rule out any local environment issues?

If the test suite is truly broken, adding new features, and maintenance may be problematic.

Thanks.

Have any demo project which is based django-mama-cas to show how to integrate django-mama-cas to actual project?Thx!