Tuesday, January 24, 2012

Single Sign On with CAS

There are a lot of different solutions on the market to solve this problem, among them Kerberos, OpenID, OAuth and of course JA-SIG CAS (Central Authentication Service).

The latter is used mainly in university environments; however, it can be used in many other environments as integrations exist for Java, PHP, ...

The following picture, in my opinion, shows best how the transitions between the three actors are defined.

It all starts with a request from a user who wants to access a page on an application server (black arrow). As the user is not yet known to the application, the browser gets redirected to the CAS server, with the application server adding its service id (usually the URL of the web application) to the redirect (red arrows).

This results in a URL like https://www.cas-server.xyz/cas/login?service=http://www.application-server.xyz/webapp

On this site the login screen of the CAS server is shown and the user has to enter their credentials. The CAS server generates the Ticket-Granting Ticket (TGT) and a cookie. The TGT is then sent back to the application (blue arrows).

Using this TGT the application can contact the CAS server to obtain a Service Ticket (ST), which contains the attributes and ids needed to authorise the user within the application (green arrows).

Usually the ST is valid only for a single request, but using the TGT the application server can obtain multiple STs as long as the TGT is valid.

Once the user is authenticated at the CAS server, the step of entering the credentials is omitted (otherwise it wouldn't be SSO).
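To make the ticket flow above concrete, here is an added example (my own toy model, not JA-SIG CAS code) of a CAS-style ticket registry: the login redirect with the service parameter, a TGT issued after the credential check, single-use service tickets bound to one service id, and the SSO case where a valid TGT yields further STs without a new login. The user store, lifetimes and ticket formats are constructed for the example.

```python
import secrets
import time
from urllib.parse import urlencode

CAS_LOGIN = "https://www.cas-server.xyz/cas/login"  # login endpoint from the post
ST_LIFETIME = 10          # seconds a service ticket stays valid (constructed value)
TGT_LIFETIME = 8 * 3600   # seconds a ticket-granting ticket stays valid (constructed value)


def login_url(service):
    """Redirect target the application sends the browser to (red arrows)."""
    return CAS_LOGIN + "?" + urlencode({"service": service})


class CasServer:
    """Minimal model of the CAS ticket registry; `users` is a constructed credential store."""

    def __init__(self, users):
        self.users = users   # username -> password (plain text only for this toy example)
        self.tgts = {}       # TGT id -> (username, expiry)
        self.sts = {}        # ST id  -> (username, service, expiry)

    def login(self, username, password):
        """Credential check at the CAS login screen; returns a TGT id or None (blue arrows)."""
        if self.users.get(username) != password:
            return None
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt] = (username, time.time() + TGT_LIFETIME)
        return tgt

    def grant_service_ticket(self, tgt, service):
        """SSO step: a valid TGT yields a new ST without re-entering credentials (green arrows)."""
        entry = self.tgts.get(tgt)
        if entry is None or entry[1] < time.time():
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (entry[0], service, time.time() + ST_LIFETIME)
        return st

    def validate(self, st, service):
        """Validate an ST: single use, bound to the requesting service, short lived."""
        entry = self.sts.pop(st, None)   # pop: the ticket is consumed even if validation fails
        if entry is None:
            return None
        username, bound_service, expiry = entry
        if bound_service != service or expiry < time.time():
            return None
        return username
```

Replaying a consumed ticket or presenting it to a different service id both fail validation, which is the property that makes the short-lived ST safe to pass through the browser.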
