The CAS Protocol for Application Owners

Overview

The CAS protocol is the procedure which allows an external application to determine that an individual is who they claim to be (authentication). It involves the user, the CAS Server and one or more CAS clients. Clients are embedded in a CASified application, and facilitate proper interaction with the user and the CAS Server.

Key Concepts

CAS Server

The CAS Server is responsible for authenticating the user (asking for their username and password) and granting access to CASified applications.

CAS Clients

CAS clients protect applications, forcing authentication and retrieve the identity of the granted users from the CAS Server.

TGT (Ticket Granting Ticket)

The TGT represents the SSO (Single Sign On) session for a user, and allow authentication without having a user enter their username and password multiple times. The TGT is stored in the CASTGC cookie within the users browser.

ST (Service Ticket)

The Service Ticket is a ticket which only applies to a single CASified application. It is transmitted as a GET parameter in the URLs. It stands for the access granted by the CAS Server to a specific CASified application for a specific user.

Explanation of CAS Authentication

Players

User: Barbara Jenson

Application: example.app.uconn.edu (example.app)

CAS Server: login.uconn.edu

Initial Request

  • Barbara navigates with their browser to example.app.uconn.edu.

  • example.app‘s CAS client does not have a previous session for Barbara, and redirects them to the CAS Server to authenticate with the service name (example.app.uconn.edu) appended as a GET variable in the URL.

Primary Authentication

  • Since Barbara has not logged into any other CASified application yet today, she does not have a TGT and is presented with the CAS login screen.

  • Barbara logs into login.uconn.edu with her NetID and NetID password.

  • Barbara is granted a TGT in the form of a cookie named CASTGC. And redirected back to example.app with a service ticket as a GET variable in the URL.

Service Ticket Validation

  • Barbara’s request reaches example.app. Example.app‘s CAS client validates the Barbara’s ST with the CAS Server.

  • The CAS Server returns an XML document that indicates the validity of the ST, an requested attributes, and Barbara‘s NetID.

  • example.app’s CAS client strips the ST off of the URL and creates a corresponding cookie stored in Barbara‘s browser.

  • Barbara can now use example.app.

CAS Protocol Diagram