diff --git a/cmdb-api/api/flask_cas/cas_urls.py b/cmdb-api/api/flask_cas/cas_urls.py
index 34e15d3..4cbba47 100644
--- a/cmdb-api/api/flask_cas/cas_urls.py
+++ b/cmdb-api/api/flask_cas/cas_urls.py
@@ -119,4 +119,4 @@ def create_cas_validate_url(cas_url, cas_route, service, ticket,
 ('service', service),
 ('ticket', ticket),
 ('renew', renew),
- )
\ No newline at end of file
+ )
diff --git a/cmdb-api/api/flask_cas/routing.py b/cmdb-api/api/flask_cas/routing.py
index affa648..8dcba3c 100644
--- a/cmdb-api/api/flask_cas/routing.py
+++ b/cmdb-api/api/flask_cas/routing.py
@@ -1,4 +1,5 @@
 # -*- coding:utf-8 -*-
+import uuid
 import bs4
 from flask import Blueprint
@@ -126,6 +127,19 @@ def validate(ticket):
 current_app.logger.debug("{}: {}".format(cas_username_session_key, username))
 session[cas_username_session_key] = username
 user = UserCache.get(username)
+ if user is None:
+ current_app.logger.info("create user: {}".format(username))
+ from api.lib.perm.acl.user import UserCRUD
+ soup = bs4.BeautifulSoup(response)
+ cas_user_map = current_app.config.get('CAS_USER_MAP')
+
+ user_dict = dict()
+ for k in cas_user_map:
+ v = soup.find(cas_user_map[k]['tag'], cas_user_map[k].get('attrs', {}))
+ user_dict[k] = v and v.text or None
+ user_dict['password'] = uuid.uuid4().hex
+
+ UserCRUD.add(**user_dict)
 from api.lib.perm.acl.acl import ACLManager
 user_info = ACLManager.get_user_info(username)
diff --git a/cmdb-api/settings.example.py b/cmdb-api/settings.example.py
index 373e6b7..9e4a1e1 100644
--- a/cmdb-api/settings.example.py
+++ b/cmdb-api/settings.example.py
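Review bot: The new `if user is None:` branch in `validate()` iterates `current_app.config.get('CAS_USER_MAP')` without checking it, so a deployment whose settings predate this commit raises `TypeError` on the first login of an unknown CAS user, after the session username has already been set. Reading the map before the branch and guarding with `if user is None and cas_user_map:` keeps the old behaviour when no mapping is configured and makes auto-provisioning opt-in, which matters because otherwise every identity the CAS server validates gets a local account. The account name is also re-derived from the response through the map, so a wrong `tag` hands `username=None` to `UserCRUD.add`; `user_dict['username'] = username` would reuse the value `validate()` already stored in the session. `bs4.BeautifulSoup(response)` names no parser, so how the `cas:`-prefixed tags are matched presumably depends on which parser is installed. The body of `validate()` starts and ends outside the hunk.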
@@ -70,11 +70,17 @@ ONCE = {
 # # SSO
 CAS_SERVER = "http://sso.xxx.com"
 CAS_VALIDATE_SERVER = "http://sso.xxx.com"
-CAS_LOGIN_ROUTE = "/cas/login"
-CAS_LOGOUT_ROUTE = "/cas/logout"
-CAS_VALIDATE_ROUTE = "/cas/serviceValidate"
+CAS_LOGIN_ROUTE = "/cas/built-in/cas/login"
+CAS_LOGOUT_ROUTE = "/cas/built-in/cas/logout"
+CAS_VALIDATE_ROUTE = "/cas/built-in/cas/serviceValidate"
 CAS_AFTER_LOGIN = "/"
-DEFAULT_SERVICE = "http://127.0.0.1:8000"
+CAS_USER_MAP = {
+ "username": {"tag": "cas:user"},
+ "nickname": {"tag": "cas:attribute", "attrs": {"name": "displayName"}},
+ "email": {"tag": "cas:attribute", "attrs": {"name": "email"}},
+ "mobile": {"tag": "cas:attribute", "attrs": {"name": "phone"}},
+ "avatar": {"tag": "cas:attribute", "attrs": {"name": "avatar"}},
+}
 # # ldap
 AUTH_WITH_LDAP = False
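Review bot: `CAS_USER_MAP` is added without a comment saying what its keys and values mean, and the example still points `CAS_VALIDATE_SERVER` at `http://`, which matters more now that the validation response supplies the fields of newly created accounts. I would add `# local user field -> element (tag/attrs) looked up in the CAS serviceValidate response` above the map and switch the example URLs to `https://`. The hunk also drops `DEFAULT_SERVICE`; whether anything still reads it is not visible here.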