Admin Panel Guide

Complete walkthrough of the CAS admin dashboard — manage everything from one place.

1. Accessing the Admin Panel

Login with an admin account at:

https://your-cas-server.com/auth/login

After login, admin users are automatically redirected to /admin/dashboard; regular users go to the user portal instead.

Only users with the admin role can access the admin panel. The role-based redirect is performed by the AuthController, but it is the role check rather than the redirect that keeps non-admin users out: a regular user who requests an /admin URL directly is refused, not merely sent elsewhere.

2. Dashboard Overview

The admin dashboard shows key metrics at a glance:

  • Total Users: active accounts
  • Client Systems: registered apps
  • Active Tokens: current sessions
  • Audit Events: login activity

Use the sidebar navigation to access different admin modules. Each section provides full CRUD operations.

3. Managing Client Systems

Client systems represent the applications that use CAS for authentication. Navigate to Admin → Client Systems.

Adding a New Client

  1. Click "Add New Client System"
  2. Fill in the application name and base URL
  3. Set the callback URL for SSO redirects
  4. Save — credentials are auto-generated

Credential         Purpose                  Visibility
client_id          Unique app identifier    Always visible
client_secret      HMAC signing key         Shown once only
client_username    API authentication       Always visible
client_password    API authentication       Shown once only

Regenerating Credentials

If credentials are compromised, use the Regenerate Credentials action. This invalidates all existing tokens for that client and generates new credentials. The action is recorded in the audit trail as a credentials_regenerated event, with the admin user, client system and timestamp.

Warning: Regenerating credentials will break all active sessions for that client application. Update the client's .env immediately.
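The guide states that client_secret is an HMAC signing key and that regenerating it invalidates every token issued for that client. The following is an added illustration of why that is so; it is not code from the CAS project, and the token layout (a base64url JSON body, a dot, and a base64url HMAC-SHA256 tag), the field names, and the function names are assumptions made for this example only.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Added illustration, not the CAS project's code.  Token layout and field
# names are assumed for this example.


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_client_secret() -> str:
    # 32 bytes from the OS CSPRNG.  The admin panel shows the secret once,
    # so the client must record it at generation time (e.g. in its .env).
    return secrets.token_hex(32)


def issue_token(client_id: str, user_email: str, client_secret: str,
                ttl: int = 300, now: Optional[int] = None) -> str:
    """Sign a short-lived SSO token for user_email, bound to client_id."""
    now = int(time.time()) if now is None else now
    payload = {"client_id": client_id, "sub": user_email,
               "iat": now, "exp": now + ttl}
    body = b64url(json.dumps(payload, separators=(",", ":"),
                             sort_keys=True).encode())
    tag = hmac.new(client_secret.encode(), body.encode(),
                   hashlib.sha256).digest()
    return f"{body}.{b64url(tag)}"


def verify_token(token: str, client_id: str, client_secret: str,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if tag, client binding and expiry check out,
    otherwise None.  A token signed under a secret that has since been
    regenerated fails the tag check, which is why regeneration breaks
    every active session for that client."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(client_secret.encode(), body.encode(),
                            hashlib.sha256).digest()
        # Constant-time comparison: never compare MACs with ==.
        if not hmac.compare_digest(expected, b64url_decode(tag)):
            return None
        payload = json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    if payload.get("client_id") != client_id or payload.get("exp", 0) <= now:
        return None
    return payload


def rotation_demo() -> Tuple[bool, bool]:
    """Issue a token, regenerate the secret, and check the old token.
    Returns (valid_before_rotation, valid_after_rotation)."""
    old_secret = generate_client_secret()
    token = issue_token("hr-portal", "alice@example.com", old_secret)
    before = verify_token(token, "hr-portal", old_secret) is not None
    new_secret = generate_client_secret()   # the "Regenerate Credentials" action
    after = verify_token(token, "hr-portal", new_secret) is not None
    return before, after


if __name__ == "__main__":
    print(rotation_demo())
```

Two details are worth carrying into any real integration: the tag is compared with hmac.compare_digest rather than ==, so a forged token cannot be refined byte by byte through timing differences, and the client_id is inside the signed body, so a token minted for one client cannot be replayed against another even if both secrets were somehow the same.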

4. User Management

Navigate to Admin → Users to manage all accounts.

Create Users

Add users directly from the admin panel. Set name, email, password, and role assignment.

Edit Profiles

Update user information, reset passwords, enable/disable 2FA, and change role assignments.

Lock / Unlock

Manually lock suspicious accounts or unlock accounts that were auto-locked after 5 failed login attempts.

Client Links

View which client applications each user has authenticated with. Manage user-client associations.

5. Audit Logs

Navigate to Admin → Audit Logs. Every authentication event is recorded:

Event                    Details captured
login                    User email, IP, user agent, client system, timestamp
logout                   Session duration, client system
failed_login             Attempted email, IP, failure reason
account_locked           User ID, lock duration, failed attempt count
credentials_regenerated  Admin user, client system, timestamp

Use the filter and search tools to narrow results by date range, event type, user, or IP address. Logs can be exported for compliance reporting.

6. IP Whitelist

Navigate to Admin → IP Whitelist. Only whitelisted IPs can make API requests to the CAS server.

  1. Click "Add IP Address"
  2. Enter the IP address of your client server
  3. Assign it to a specific client system
  4. Add a description for reference

Tip: For development, whitelist 127.0.0.1 and ::1 (IPv6 localhost). For production, use your server's public IP. If the CAS server sits behind a reverse proxy or load balancer, the address it sees is the proxy's unless the proxy is trusted and forwards the real client address, so confirm which address appears in the audit log for a test request before relying on the whitelist entry.

7. Initial Setup Checklist

After deploying CAS for the first time, complete these one-time setup tasks:

1. Change Default Admin Password

The initial admin password should be changed immediately after first login. Go to Profile → Security → Change Password.

2. Enable 2FA for Admin Accounts

Enable Two-Factor Authentication on all admin accounts. Go to Profile → Security → Enable 2FA and scan the QR code with a TOTP app such as Google Authenticator or Authy.

3. Register Client Systems

Add all applications that will use CAS for authentication. Go to Admin → Client Systems → Add New. Copy the generated credentials and configure each client application.

4. Whitelist Production IPs

Add the IP addresses of all production client servers to the IP whitelist. Go to Admin → IP Whitelist → Add IP Address.

5. Create User Accounts

Add user accounts for everyone who needs access. Go to Admin → Users → Add User. Assign appropriate roles (admin or user).

6. Verify SSO Flow

Test the full login flow: log into CAS, click "Launch Application" for each client system, and verify the SSO redirect works correctly.

8. Routine Monitoring

To ensure the CAS system is healthy and secure, perform these checks regularly:

Daily Checks

  • Review Audit Logs for any failed login spikes
  • Check Dashboard for unusual active token counts
  • Verify all Client Systems show as connected
  • Check for any locked accounts that may need unlocking

Weekly Checks

  • Review Audit Log trends — compare volume with previous weeks
  • Check for unknown IPs in login attempts
  • Verify server disk space and database size
  • Review user accounts for any that should be deactivated

Monthly Maintenance

  • Rotate client secrets for high-security applications (regeneration invalidates that client's active tokens, so schedule it in a maintenance window and have the client's .env updated at the same time)
  • Update CAS server — pull latest code, run migrations, clear caches
  • Review IP whitelist — remove any IPs that are no longer needed
  • Test backup restore — verify database backups can be restored
  • Check SSL certificates — ensure renewal is working

9. Warning Signs & Incident Response

What to look for and how to respond to potential security issues.

Red Flags to Watch For

Spike in Failed Login Attempts

Multiple failed logins from the same or different IPs may indicate a brute-force attack or credential stuffing.

Login from Unusual IPs / Locations

If audit logs show logins from IPs not associated with your organization, the account may be compromised.

Abnormal Token Generation Volume

A sudden increase in SSO tokens may indicate automated abuse or compromised client credentials.

Unauthorized Admin Actions

User creation, role changes, or credential regeneration by unknown admin accounts needs immediate investigation.
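The daily and weekly checks in section 8 and the red flags above are all questions that can be asked of an export of the audit log (section 5). The script below is an added example, not part of CAS: it runs those checks over a handful of constructed event rows that mirror the fields the guide lists for login and failed_login events. The 5-failure lockout threshold comes from the guide; KNOWN_RANGES is an assumed list of the organisation's own address ranges, and the function names are mine. The same address normalisation applies when comparing a request's source address against the IP whitelist in section 6: a dual-stack host can present an IPv4 address wrapped as ::ffff:a.b.c.d, which will not match a plain IPv4 entry unless it is unwrapped first.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Added example, not CAS code.  SAMPLE_EVENTS is constructed for this
# example and KNOWN_RANGES is an assumed list of the organisation's ranges.
SAMPLE_EVENTS = [
    # six failures against one account from one address inside two minutes
    {"event": "failed_login", "email": "alice@example.com", "ip": "203.0.113.9", "client": "hr-portal", "ts": "2024-05-01T09:00:01"},
    {"event": "failed_login", "email": "alice@example.com", "ip": "203.0.113.9", "client": "hr-portal", "ts": "2024-05-01T09:00:20"},
    {"event": "failed_login", "email": "alice@example.com", "ip": "203.0.113.9", "client": "hr-portal", "ts": "2024-05-01T09:00:45"},
    {"event": "failed_login", "email": "alice@example.com", "ip": "203.0.113.9", "client": "hr-portal", "ts": "2024-05-01T09:01:10"},
    {"event": "failed_login", "email": "alice@example.com", "ip": "203.0.113.9", "client": "hr-portal", "ts": "2024-05-01T09:01:30"},
    {"event": "failed_login", "email": "alice@example.com", "ip": "203.0.113.9", "client": "hr-portal", "ts": "2024-05-01T09:02:00"},
    {"event": "account_locked", "email": "alice@example.com", "ip": "203.0.113.9", "client": "hr-portal", "ts": "2024-05-01T09:02:00"},
    # one failure each against several accounts from one address (stuffing)
    {"event": "failed_login", "email": "bob@example.com", "ip": "203.0.113.77", "client": "crm", "ts": "2024-05-01T10:15:00"},
    {"event": "failed_login", "email": "carol@example.com", "ip": "203.0.113.77", "client": "crm", "ts": "2024-05-01T10:15:05"},
    {"event": "failed_login", "email": "dave@example.com", "ip": "203.0.113.77", "client": "crm", "ts": "2024-05-01T10:15:09"},
    # ordinary activity: one typo from inside, successful logins
    {"event": "failed_login", "email": "erin@example.com", "ip": "198.51.100.4", "client": "crm", "ts": "2024-05-01T09:30:00"},
    {"event": "login", "email": "alice@example.com", "ip": "198.51.100.4", "client": "hr-portal", "ts": "2024-05-01T11:00:00"},
    {"event": "login", "email": "carol@example.com", "ip": "::ffff:198.51.100.5", "client": "crm", "ts": "2024-05-01T11:05:00"},
    {"event": "login", "email": "bob@example.com", "ip": "192.0.2.50", "client": "crm", "ts": "2024-05-01T23:40:00"},
]
KNOWN_RANGES = ["127.0.0.1", "::1", "198.51.100.0/24"]   # assumed org ranges
LOCKOUT_THRESHOLD = 5                                      # from the guide


def normalize_ip(ip: str):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so a
    dual-stack client still matches an IPv4 whitelist entry."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_known(ip: str, ranges: List[str]) -> bool:
    addr = normalize_ip(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def failed_login_spikes(events, threshold: int = LOCKOUT_THRESHOLD,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Addresses with >= threshold failed logins inside any sliding window.
    Returns {ip: peak count in a window}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "failed_login":
            by_ip[e["ip"]].append(datetime.fromisoformat(e["ts"]))
    spikes = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            spikes[ip] = best
    return spikes


def spray_sources(events, min_accounts: int = 3) -> Dict[str, List[str]]:
    """Addresses that failed against several distinct accounts: the
    credential-stuffing pattern, which stays under the per-account lockout."""
    targets = defaultdict(set)
    for e in events:
        if e["event"] == "failed_login":
            targets[e["ip"]].add(e["email"])
    return {ip: sorted(emails) for ip, emails in targets.items()
            if len(emails) >= min_accounts}


def accounts_at_lockout(events, threshold: int = LOCKOUT_THRESHOLD) -> Dict[str, int]:
    """Accounts whose failed-login count reached the auto-lock threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "failed_login":
            counts[e["email"]] += 1
    return {email: n for email, n in counts.items() if n >= threshold}


def logins_from_unknown_ips(events, ranges: List[str]) -> List[Tuple[str, str]]:
    """Successful logins from addresses outside the known ranges."""
    return [(e["email"], e["ip"]) for e in events
            if e["event"] == "login" and not is_known(e["ip"], ranges)]


if __name__ == "__main__":
    print("failed-login spikes:", failed_login_spikes(SAMPLE_EVENTS))
    print("spray sources:", spray_sources(SAMPLE_EVENTS))
    print("accounts at lockout:", accounts_at_lockout(SAMPLE_EVENTS))
    print("logins from unknown IPs:", logins_from_unknown_ips(SAMPLE_EVENTS, KNOWN_RANGES))
```

Note what each check catches that the others miss: the brute-force burst from 203.0.113.9 trips both the spike and the lockout checks, but the stuffing attempt from 203.0.113.77 never reaches five failures against any one account and so never appears in the locked-accounts list; only the per-address view of distinct targets exposes it. The successful login from 192.0.2.50 is the "unusual IP" red flag, and it is a successful login, so it generates no failure at all.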

Incident Response Steps

If you suspect a security breach, follow these steps immediately:

1. Lock Compromised Accounts

Go to Admin → Users and lock any accounts that may be compromised.

2. Regenerate Compromised Credentials

Go to Admin → Client Systems and regenerate credentials for any affected client systems. This invalidates every token issued to that client, so update the client application's .env file immediately.

3. Review Audit Logs

In Admin → Audit Logs, filter by the affected time period and user. Export the filtered logs first so that you keep a copy of the evidence; the lock, regenerate and reset actions you take next will add further events. Then identify the scope of unauthorized access: which accounts, which client systems, and from which IPs.

4. Review IP Access

Go to Admin → IP Whitelist and remove any entry you did not add yourself: an unauthorized entry lets an attacker's server make API requests to CAS. The whitelist is an allow-list, so an IP is blocked by not being on it; there is nothing to add for a suspicious address. Confirm that only your own client servers remain.

5. Force Password Resets

Reset passwords for all affected users. If the breach is severe, consider resetting all user passwords.

6. Contact the Development Team
Report the incident to the CAS development team at innovativesolution.com.np for further investigation and assistance.