Central Authentication Service

from Wikipedia, the free encyclopedia

Central Authentication Service (CAS) is a federated identity management system originally developed by Yale University. CAS is now a project of the JA-SIG / Apereo consortium, which aims to network universities and other higher education institutes in order to guarantee a free exchange of knowledge and technologies. The functionality of CAS is broadly comparable to that of Shibboleth; the two differ only in certain implementation details.

Technology

An identity management solution based on CAS requires a Central Authentication Server. This server is in principle a web application that takes over the login and authentication procedure. Three URLs are required, via which the login and authentication procedure is handled over an encrypted HTTP connection (HTTPS) to the Central Authentication Server.

Process of a user login

Login URL
When logging in to the desired web service, the user's browser is automatically redirected to the login URL of the Central Authentication Server, together with a service URL that uniquely identifies the CAS client web service. This is where the actual authentication takes place: the username and password are requested and checked. If authentication is successful, the CAS server redirects to the specified service URL and appends a ticket parameter. The ticket value is a unique login token for the logged-in user.
Validation URL
The CAS client web service validates the received ticket and the service URL via the CAS server's validation URL. The Central Authentication Server checks whether the received ticket is present in its database. For validation to succeed, the server must confirm to the web service that the ticket is present; access to the web service is then granted. As its HTTP response, the CAS server sends a response document (CAS XML or SAML XML) back to the CAS client application. On successful validation, the response document contains at least the username of the logged-in user.
Logout URL
When the CAS server's logout URL is accessed, the CAS server uses the transmitted CAS TGT cookie to check whether the user is logged in, then invalidates the CAS TGT ticket and the cookie. If the CAS server and the connected CAS client applications (web services) support the optional single sign-out protocol, the user is automatically logged out of all CAS client web services visited during this session.
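The login and validation steps above, seen from the CAS client side, as an added example in Python (not code from the Apereo CAS project or from this article): it builds the login redirect and validation URLs and parses the CAS XML response document; the base URL, service URL, ticket value and sample responses are constructed placeholders.

```python
# Added example (not Apereo CAS project code); base URL, service URL and
# ticket values are constructed placeholders.
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS XML responses

def login_redirect_url(cas_base, service):
    """Login URL the browser is redirected to; `service` identifies the client."""
    return cas_base.rstrip("/") + "/login?" + urlencode({"service": service})

def service_validate_url(cas_base, service, ticket):
    """Validation URL the client calls over HTTPS with the ticket it received.
    The same service URL must be sent, otherwise the server rejects the ticket."""
    query = urlencode({"service": service, "ticket": ticket})
    return cas_base.rstrip("/") + "/serviceValidate?" + query

def parse_validation_response(xml_text):
    """Parse the CAS XML response document into a plain dict:
    {"ok": True, "user": ..., "attributes": {name: [values]}} on success,
    {"ok": False, "code": ..., "message": ...} otherwise."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        attrs = {}
        attr_el = success.find("cas:attributes", CAS_NS)
        for child in ([] if attr_el is None else attr_el):
            name = child.tag.split("}")[-1]  # strip the namespace URI
            attrs.setdefault(name, []).append((child.text or "").strip())
        return {"ok": True, "attributes": attrs,
                "user": success.findtext("cas:user", namespaces=CAS_NS)}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code"),
                "message": (failure.text or "").strip()}
    # Neither element present: treat as failed validation, never as success.
    return {"ok": False, "code": "MALFORMED", "message": "unexpected response"}

# Constructed sample responses in the shape a CAS server returns.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>alice</cas:user>
    <cas:attributes><cas:mail>alice@example.org</cas:mail></cas:attributes>
  </cas:authenticationSuccess></cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-1-EXAMPLE' not recognized
  </cas:authenticationFailure></cas:serviceResponse>"""
```

A client should only grant access when the parsed result has `ok` set to True; any other outcome, including a malformed document, is treated as a failed validation.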

CAS server implementations

The CAS protocol is an open protocol for which the following CAS server implementations are known:

  • JASIG CAS Server reference implementation
  • RubyCAS
  • CASino
