-
8/3/2019 Central Authentication Service (CAS)
1/18
Central Authentication
Service (CAS)
-
8/3/2019 Central Authentication Service (CAS)
2/18
What is CAS?
JA-SIG Central Authentication Service is anenterprise level,
open-source, single sign on
solution with a Java server component andvarious client
libraries written in a multitude oflanguages including PHP, PL/SQL,
Java, andmore.
CAS is a http based protocol that requires eachof its components
to be accessed throughdifferent URIs.
-
8/3/2019 Central Authentication Service (CAS)
3/18
-
8/3/2019 Central Authentication Service (CAS)
4/18
List of URIs to access CAS. /login
Parameters: service, renew, gateway, warn
/logout Parameters: url
/validate Parameters: service, ticket, renew
/serviceValidate Parameters: service, ticket, pgtUrl, renew
/proxy Parameters: pgt, targetService
/proxyValidate Parameters: service, ticket, pgtUrl, renew
-
8/3/2019 Central Authentication Service (CAS)
5/18
Tickets generated by CAS Ticket-granting Ticket
Service Ticket
Proxy Ticket
Proxy-granting Ticket
Proxy-granting Ticket IOU Login Ticket
-
8/3/2019 Central Authentication Service (CAS)
6/18
Ticket-granting Ticket Ticket granting ticket will be generated
when the /login
url is passed to CAS server and the credentials providedare
successfully authenticated.
A TGT is the main access into the CAS service layer.
TGT is an opaque string that contains secure randomdata and must
begin with TGT-.
TGT will be added to an HTTP cookie upon the
establishment of single sign-on and will be checkedfurther when
different applications are accessed
-
8/3/2019 Central Authentication Service (CAS)
7/18
Service Ticket The service ticket (ST) will be generated
when the CAS url contains service
parameter and the credentials passed aresuccessfully
authenticated.
Service ticket is an opaque string that isused by client as a
credential to obtainaccess to a service.
Service ticket must begin with ST-
-
8/3/2019 Central Authentication Service (CAS)
8/18
Proxy Ticket In CAS, proxy is a service that wants to access
other
services on behalf of a particular user.
Proxy tickets (PT) are generated from CAS upon aservices
presentation of a valid Proxy granting Ticket(PGT), and a service
identifier for the back-end serviceto which it is connecting.
PT are only valid for the service identifier specified to
/proxy url when they were generated. Proxy tickets should begin
with the characters, PT-.
-
8/3/2019 Central Authentication Service (CAS)
9/18
Proxy-granting Ticket Proxy-granting tickets are obtained from
CAS upon
validation of a service ticket or a proxy ticket. If a
servicewishes to proxy a client's authentication to a back-end
service, it must acquire a proxy-granting ticket. Acquisition of
this ticket is handled through a proxy
callback URL. This URL will uniquely and securelyidentify the
back-end service that is proxying the client'sauthentication.
The back-end service can then decide whether or not toaccept the
credentials based on the back-end service'sidentifying callback
URL.
-
8/3/2019 Central Authentication Service (CAS)
10/18
Proxy-granting Ticket IOUA proxy-granting ticket IOU is an
opaque
string that is placed in the response
provided by /serviceValidate or/proxyValidate used to correlate
a serviceticket or proxy ticket validation with aparticular
proxy-granting ticket.
Proxy-granting ticket IOUs SHOULD beginwith the characters,
"PGTIOU-".
-
8/3/2019 Central Authentication Service (CAS)
11/18
Login TicketA login ticket is a string that is generated
by /login as a credential requestor and
passed to /login as a credential acceptorfor username/password
authentication.
Its purpose is to prevent the replaying ofcredentials due to
bugs in web browsers.
Login tickets SHOULD begin with thecharacters, "LT-".
-
8/3/2019 Central Authentication Service (CAS)
12/18
CAS Architecture
-
8/3/2019 Central Authentication Service (CAS)
13/18
URIs to access admin features /services/manage.html
/services/add.html
/services/edit.html
/services/logout.html
/services/deleteRegisteredService.html
-
8/3/2019 Central Authentication Service (CAS)
14/18
Conventions used in next slides.
TGT Ticket Granting Ticket
ST Service ticket
PGT Proxy granting ticket
PGTIOU Proxy granting ticket IOU (I Owe U) Action boxes colored
in red The action mentioned in these boxes will
happen at CAS client and has to be coded by developer in
thefilter/servlet/jsp.
Action box colored in sea blue this action is explained in
detail in anotherslide.
Rectangular box with URI mentioned before InitialState The URI
that needto be called for the actions in the activity diagram to
happen
-
8/3/2019 Central Authentication Service (CAS)
15/18
-
8/3/2019 Central Authentication Service (CAS)
16/18
-
8/3/2019 Central Authentication Service (CAS)
17/18
-
8/3/2019 Central Authentication Service (CAS)
18/18
![[PPT]PowerPoint Presentation - CAS – Central Authentication …my.fit.edu/~dkirk/4261/Lectures/Axial Compressors.ppt · Web viewPW2000 Fan Compressor * 2 SPOOL DEVICE: PW2000 High](https://img.pdfslide.us/doc/110x75/5aafc5167f8b9a5d0a8de2c9/pptpowerpoint-presentation-cas-central-authentication-myfitedudkirk4261lecturesaxial.jpg)
![[PPT]General Application - CAS – Central Authentication Servicemy.fit.edu/~kostanic/Wirelesss Data Communication... · Web viewFrequency hopping Frequency plan is critical for GSM](https://img.pdfslide.us/doc/110x75/5ac18b157f8b9a357e8ccc78/pptgeneral-application-cas-central-authentication-kostanicwirelesss-data.jpg)
![[PPT]Solar Basics - CAS – Central Authentication Servicemy.fit.edu/.../ClassPPT/SolarElectricSystemDesign.ppt · Web viewSolar Estimate from FSEC in Cocoa FL The “Sunshine State”](https://img.pdfslide.us/doc/110x75/5ad36fab7f8b9a72118e5bda/pptsolar-basics-cas-central-authentication-viewsolar-estimate-from-fsec.jpg)
