diff --git a/roles/itop/defaults/main.yml b/roles/itop/defaults/main.yml
index 750897b..144fd47 100644
--- a/roles/itop/defaults/main.yml
+++ b/roles/itop/defaults/main.yml
@@ -7,6 +7,10 @@ itop_build: 6483
 itop_archive_url: https://sourceforge.net/projects/itop/files/itop/{{ itop_version }}/iTop-{{ itop_version }}-{{ itop_build }}.zip
 itop_archive_sha1: 8efede1ba82ce49e35e7eee8b652a75533bfef81
 
+itop_php_cas_version: 1.3.8
+itop_php_cas_archive_url: https://github.com/apereo/phpCAS/releases/download/{{ itop_php_cas_version }}/CAS-{{ itop_php_cas_version }}.tgz
+itop_php_cas_archive_sha1: 7e367ae9b20acb2bca01448425450d22e498d142
+
 itop_root_dir: /opt/itop_{{ itop_id }}
 itop_php_user: php-itop_{{ itop_id }}
 itop_php_version: 74
diff --git a/roles/itop/tasks/install.yml b/roles/itop/tasks/install.yml
index 34fb792..bea964e 100644
--- a/roles/itop/tasks/install.yml
+++ b/roles/itop/tasks/install.yml
@@ -56,12 +56,27 @@
         recursive: True
       delegate_to: "{{ inventory_hostname }}"
 
-    - name: Install extensions
+    - name: Download php CAS lib
       get_url:
-        url: "{{ itop_extensions[item].url }}"
-        checksum: sha1:{{ itop_extensions[item].sha1 }}
+        url: "{{ itop_php_cas_archive_url }}"
+        checksum: sha1:{{ itop_php_cas_archive_sha1 }}
         dest: "{{ itop_root_dir }}/tmp"
-      loop: "{{ itop_extensions.keys() | list }}"
+
+    - name: Extract php CAS lib
+      unarchive:
+        src: "{{ itop_root_dir }}/tmp/CAS-{{ itop_php_cas_version }}.tgz"
+        dest: "{{ itop_root_dir }}/tmp"
+        remote_src: True
+
+    - name: Install php CAS lib
+      synchronize:
+        src: "{{ itop_root_dir }}/tmp/CAS-{{ itop_php_cas_version }}/{{ item }}"
+        dest: "{{ itop_root_dir }}/web/lib/"
+        recursive: True
+      delegate_to: "{{ inventory_hostname }}"
+      loop:
+        - CAS.php
+        - CAS
 
   tags: itop
 
diff --git a/roles/itop/templates/perms.sh.j2 b/roles/itop/templates/perms.sh.j2
index 9573733..cfc1f02 100644
--- a/roles/itop/templates/perms.sh.j2
+++ b/roles/itop/templates/perms.sh.j2
@@ -14,5 +14,7 @@ find {{ itop_root_dir }}/web/{{ dir }} -type f -exec chown root:{{ itop_php_user
 {% else %}
 find {{ itop_root_dir }}/web/{{ dir }} -type d -exec chmod 750 "{}" \;
 find {{ itop_root_dir }}/web/{{ dir }} -type f -exec chmod 640 "{}" \;
+setfacl -R -m u:{{ httpd_user | default('apache') }}:rX,d:u:{{ httpd_user | default('apache') }}:rX {{ itop_root_dir }}/web/{{ dir }}
 {% endif %}
 {% endfor %}
+find {{ itop_root_dir }}/web/ -type f -name .htaccess -exec chown root:root "{}" \; -exec chmod 644 "{}" \;