CAS Page Protection

CAS Page Protection

Some departmental pages can be visible only to people with a valid Mississippi State University identity—not to the general public. On ITS Drupal sites, individual nodes (pages, news items, and similar content) can be protected with CAS (Central Authentication Service) so visitors must log in with a university NetID before the page loads.

This guide explains what CAS-protected pages are, when to request them, and what to expect as an editor. Editors cannot turn CAS protection on or off or change who is allowed to view a protected page. Your site administrator configures CAS settings. Contact them (or the IT Service Desk) when you need a page restricted or when access should change.

What CAS authentication does

CAS is the university’s single sign-on system. When someone opens a CAS-protected page without an active session, Drupal redirects them to the MSU CAS login screen (NetID and NetPassword), then through Duo two-factor authentication when required. After a successful login, they return to the page they requested.

Behind the scenes, Drupal uses a CAS module to communicate with the CAS server and validate login tickets. ITS and your site administrator may further limit who can view a protected node—for example, all authenticated MSU users or a narrower group such as employees only.

CAS protection is not the same as editor login

Editors use CAS when they log in at /user/login to reach the Admin Toolbar and edit content. That workflow is documented in Logging In.

CAS-protected pages apply to visitors reading published content, including students and employees who are not site editors. A colleague can view an internal handbook page after CAS login even if they have never been granted an editor role on your subdomain.

How CAS protection differs from Published and Unpublished

Every node is either Published or Unpublished. See Publishing and Unpublishing.

  • Unpublished: Hidden from everyone on the public site, including authenticated MSU users. Editors with permission can still open the node in the administrative interface.

  • Published, not CAS-protected: Open to the public (subject to normal site permissions).

  • Published with CAS protection: The page is live at its URL, but anonymous visitors are sent to CAS before content is shown. Only visitors who meet the audience your site administrator configured (for example, any authenticated MSU user or employees only) can read the page.

Use Unpublished while you are drafting or waiting for approval. Request CAS protection from your site administrator when the content is ready to share with a campus audience but must not be open to the world.

When to request CAS protection

CAS protection is appropriate for material that is not public-facing but is still suitable for a defined university audience, such as:

  • Internal policies, procedures, or forms meant for staff

  • Departmental resources for current employees

  • Committee or working-group documents for authenticated campus users

Do not treat CAS protection as sufficient for highly sensitive data. If content is restricted by law, contract, or institutional policy, confirm requirements with your unit’s leadership and ITS before publishing—even behind CAS.

Audience levels (configured by your site administrator)

When your site administrator enables CAS on a node, they set who may view the page after login. Common options include:

  • All authenticated MSU users: Anyone who successfully logs in with a valid university NetID (and Duo, when prompted).

  • Employees only (or similar restricted groups): Only visitors whose university identity matches the allowed subgroup—for example, current employees. Others may complete CAS login but still be denied access to that page.

Tell your site administrator which audience fits your content when you submit a request. They apply the correct setting; it is not available on the standard editor form.

How to request CAS protection

Because editors cannot modify CAS settings, use this workflow:

  1. Finish the page content and save the node. Use Unpublished until the page is ready if it should not be public yet.

  2. Contact your site administrator (or submit an IT Service Desk ticket if that is how your unit operates).

  3. Include the page title, URL (or Node ID), content type, and the audience you need (for example, all MSU authenticated users or employees only).

  4. State whether the page should remain Published once CAS is enabled (CAS protection is normally used on published pages intended for a campus audience).

After configuration, test in a private browser window (or while logged out as an editor) to confirm anonymous visitors are prompted for CAS and that colleagues in the intended audience can read the page.

To remove CAS protection or change the audience, contact your site administrator again. Do not rely on unpublishing alone if the goal is to change who can view a live page—ask for the CAS settings to be updated or removed.

What visitors experience

  1. A visitor opens the page URL (from a menu, email, or bookmark).

  2. Drupal detects that the node requires CAS and redirects to the MSU CAS login screen.

  3. The visitor enters NetID and NetPassword and completes Duo if prompted.

  4. If the visitor’s identity matches the configured audience, Drupal displays the page. If not, they may see an access denied message even though CAS login succeeded.

Visitors do not need the Admin Toolbar or editor permissions—only a valid university login that matches the access level your administrator configured.

Menus, links, and automated lists

Navigation and internal links

CAS-protected pages can appear in menus and be linked from other content. Visitors who are not logged in will be prompted for CAS when they follow the link. Use clear link text (for example, “Staff handbook (MSU login required)”). See Linking.

Views and directories

Automated lists (Views) usually show only published content. A CAS-protected item may still appear in a list depending on site configuration; clicking through typically triggers CAS. If protected content should not appear in public listings, say so when you request CAS protection. See Views.

Search engines

CAS-protected pages are intended for authenticated audiences, not anonymous indexing. They are less likely to appear in public search results than fully open pages, but do not rely on CAS alone for confidentiality. For urgent removal of sensitive material from search results, see Deleting.

Best practices for editors

  • Request the narrowest audience that fits: Ask for employees only (or a similarly restricted option) when content is not meant for all students and affiliates.

  • Keep public and internal content separate: Prefer a dedicated internal page with CAS protection rather than mixing campus-only material into an otherwise public page.

  • Review access when projects end: Ask your administrator to remove CAS protection, or unpublish the page, when internal content is no longer needed.

  • Do not expect CAS fields on the edit form: Configuration is administrative. If a page behaves unexpectedly, report it to your site administrator rather than changing unrelated publish settings.

Getting help

Contact your site administrator or the IT Service Desk to:

  • Enable or remove CAS protection on a specific node

  • Change the allowed audience (for example, from all MSU users to employees only)

  • Troubleshoot CAS redirect loops or “access denied” after a successful login

Include the page URL, content type, and the audience you need.

Related guides: Logging In, Publishing and Unpublishing, and Nodes.