Oregon State University

ONID - OSU Network ID

CAS (Central Authentication Service) Information

What is CAS?

CAS (Central Authentication Service) is a secure enterprise authentication system and single sign-on (SSO) service. It was originally written by Yale University and later became a Jasig project. CAS is a well-supported industry standard for authentication, and CAS client libraries are available for Java, .NET, PHP, Perl, Apache, uPortal, and others.


Why use CAS?

  • To facilitate single sign-on across multiple web applications and core services that aren't necessarily web-based but have a web front end.
  • To allow untrusted services offered by organizations other than OSU IS (as well as, of course, trusted services) to authenticate users without having access to their passwords.
  • To localize actual ("primary") authentication to a single web application, which makes it easier for users to safeguard their passwords and which lets OSU change authentication logic if necessary without having to change numerous applications.

How does CAS work?

Basic steps:

  1. A user comes to your web site.
  2. Your web application redirects the client web browser to the CAS login web page.
  3. The user enters their username and password to log in.
  4. If they are successfully authenticated, CAS redirects the browser back to your web application and includes a Service ticket.
  5. Your web application validates the Service ticket against the CAS server.
  6. Your web application creates a local session for the user and logs the user in.

Detailed steps:

  1. A user comes to your web site.
  2. Your web application redirects the client web browser to the CAS login web page and includes your URL as a parameter.
    https://login.oregonstate.edu/cas/login?service=http://example.oregonstate.edu/
  3. The user enters their username and password to log in.
  4. If they are successfully authenticated, CAS sets a Ticket-granting cookie named CASTGC. The Ticket-granting cookie is only valid for the CAS server (login.oregonstate.edu).
  5. CAS redirects the client web browser back to your application with a Service ticket included.
    http://example.oregonstate.edu/?ticket=ST-1-klasfKF398FLKaa
  6. Your web application gets the Service ticket from the URL and validates it against the CAS server with an HTTP GET request.
    https://login.oregonstate.edu/cas/serviceValidate?ticket=ST-1-klasfKF398FLKaa&service=http://example.oregonstate.edu
  7. If the ticket is invalid, CAS responds:
    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationFailure code="...">
       Optional authentication failure message
      </cas:authenticationFailure>
    </cas:serviceResponse>
  8. If the ticket is valid, CAS responds:
    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
       <cas:user>NetID</cas:user>
      </cas:authenticationSuccess>
    </cas:serviceResponse>
    and immediately removes the ticket so it cannot be used again.
  9. Having successfully authenticated the user, your web application creates its own local session for the user and logs the user in.
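Steps 2 through 9 carried through in code, as an added example that is not part of this page or of any CAS client library: a minimal service side in Python that builds the login redirect, pulls the ticket off the callback URL, reconstructs the service value (CAS only honours a ticket for the service it was issued to, so the value sent to serviceValidate must equal the one sent to login, minus the ticket parameter), calls /cas/serviceValidate and fails closed on anything other than a clean cas:authenticationSuccess. The HTTPS GET is performed by an injected `fetch` callable (a hypothetical parameter) so the flow can be exercised offline against constructed responses modelled on the two samples above; a small fake server stands in for login.oregonstate.edu and shows the single-use behaviour of step 8.

```python
"""Service-side CAS flow (steps 2 to 9); added example, not code from the page."""
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse
import xml.etree.ElementTree as ET

CAS_BASE = "https://login.oregonstate.edu/cas"      # server named on the page
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}      # namespace from the sample responses


def login_redirect_url(service_url: str) -> str:
    """Step 2: where the browser is sent; the service value is URL-encoded."""
    return f"{CAS_BASE}/login?{urlencode({'service': service_url})}"


def extract_ticket(callback_url: str) -> Optional[str]:
    """Step 6: read ?ticket=... from the callback URL.
    Exactly one ticket, carrying the ST- prefix of a service ticket, or None."""
    tickets = parse_qs(urlparse(callback_url).query).get("ticket", [])
    if len(tickets) != 1 or not tickets[0].startswith("ST-"):
        return None
    return tickets[0]


def service_without_ticket(callback_url: str) -> str:
    """The value sent to serviceValidate must be the callback URL minus the ticket,
    so that it matches the service the ticket was issued for."""
    parts = urlparse(callback_url)
    kept = [(k, v) for k, vs in parse_qs(parts.query).items() if k != "ticket" for v in vs]
    return urlunparse(parts._replace(query=urlencode(kept)))


def validate_url(ticket: str, service_url: str) -> str:
    """Step 6: the HTTPS GET that asks the server whether the ticket is genuine."""
    return f"{CAS_BASE}/serviceValidate?{urlencode({'ticket': ticket, 'service': service_url})}"


def parse_validation_response(xml_text: str) -> Tuple[bool, str]:
    """Steps 7 and 8: (True, netid) on success, (False, reason) on anything else.
    Malformed or unexpected documents are treated as failures (fail closed)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "MALFORMED_RESPONSE"
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = (success.findtext("cas:user", default="", namespaces=CAS_NS) or "").strip()
        return (True, user) if user else (False, "MISSING_USER")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return False, failure.get("code", "UNKNOWN")
    return False, "UNEXPECTED_RESPONSE"


def handle_callback(callback_url: str, fetch: Callable[[str], str]) -> Tuple[bool, str]:
    """Steps 6 to 9 together. `fetch(url)` performs the GET and returns the body;
    it is a hypothetical parameter so the flow can run offline. The caller
    creates the local session (step 9) only when the first element is True."""
    ticket = extract_ticket(callback_url)
    if ticket is None:
        return False, "NO_TICKET"
    body = fetch(validate_url(ticket, service_without_ticket(callback_url)))
    return parse_validation_response(body)


# Constructed responses modelled on the page's two samples; not real server output.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>NetID</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def fake_cas_server() -> Callable[[str], str]:
    """Stand-in for login.oregonstate.edu: a ticket validates once, a replay fails."""
    seen = set()

    def fetch(url: str) -> str:
        ticket = parse_qs(urlparse(url).query)["ticket"][0]
        if ticket in seen:
            return FAILURE_XML
        seen.add(ticket)
        return SUCCESS_XML

    return fetch


if __name__ == "__main__":
    fetch = fake_cas_server()
    cb = "http://example.oregonstate.edu/?ticket=ST-1-klasfKF398FLKaa"
    print(login_redirect_url("http://example.oregonstate.edu/"))
    print(handle_callback(cb, fetch))   # (True, 'NetID')
    print(handle_callback(cb, fetch))   # (False, 'INVALID_TICKET'): ticket already consumed
```

In a real deployment `fetch` is an HTTPS client that verifies the server certificate of login.oregonstate.edu; the ticket is worthless to the application until that round trip has confirmed it, which is why the local session is created only after `handle_callback` returns a success.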

Is information about the authenticated user available via CAS?

Yes. Additional attributes can be retrieved by using the SAML 1.1 protocol to validate the Service ticket (/cas/samlValidate). Currently, the following attributes are available:

  • uid - username
  • UDC_IDENTIFIER - Unified Digital Campus ID, a Banner unique ID
  • lastname - last name
  • firstname - first name
  • fullname - full name
  • email - preferred email address
  • osuuid - LDAP attribute 'osuuid', used as a unique key in LDAP
  • osupidm - OSU Banner PIDM
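The attribute path described above, as an added example that is not part of this page or of any CAS client: the application POSTs a SAML 1.1 request carrying the service ticket to /cas/samlValidate and reads the released attributes out of the assertion in the SOAP response. The page does not show the wire format, so the request and the sample response below are constructed from the standard SOAP 1.1 and SAML 1.1 namespaces and the CAS protocol's use of a TARGET query parameter for samlValidate (both assumptions, not quoted from the page). The parser only returns attributes when the status is Success and the assertion's Conditions window covers the current time; any other document yields None.

```python
"""Attribute release through /cas/samlValidate (SAML 1.1); added example."""
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import urlencode
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

CAS_BASE = "https://login.oregonstate.edu/cas"
NS = {  # standard SOAP 1.1 / SAML 1.x namespace URIs (assumed, not quoted from the page)
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}


def saml_validate_url(service_url: str) -> str:
    """samlValidate carries the service identifier as TARGET (CAS protocol), not service."""
    return f"{CAS_BASE}/samlValidate?{urlencode({'TARGET': service_url})}"


def saml_validate_body(ticket: str, request_id: str, issued: datetime) -> str:
    """SOAP body the application POSTs; the service ticket travels as an AssertionArtifact."""
    instant = issued.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{NS["soap"]}"><SOAP-ENV:Header/><SOAP-ENV:Body>'
        f'<samlp:Request xmlns:samlp="{NS["samlp"]}" MajorVersion="1" MinorVersion="1" '
        f'RequestID="{escape(request_id)}" IssueInstant="{instant}">'
        f"<samlp:AssertionArtifact>{escape(ticket)}</samlp:AssertionArtifact>"
        "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


def _utc(ts: str) -> datetime:
    """Parse SAML timestamps such as 2024-01-01T12:00:00.000Z (fraction optional)."""
    return datetime.strptime(ts.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_saml_attributes(xml_text: str, now: datetime) -> Optional[Dict[str, List[str]]]:
    """Attributes keyed by AttributeName, or None when the status is not Success,
    the assertion's Conditions window does not cover `now`, or the XML is unexpected."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    code = root.find(".//samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        return None
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return None
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _utc(nb)) or (na and now >= _utc(na)):
            return None   # stale or not-yet-valid assertion: do not trust its attributes
    attrs: Dict[str, List[str]] = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("AttributeName")
        if name:
            attrs[name] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


# Constructed sample response (not real server output); releases two of the listed attributes.
SAMPLE_RESPONSE = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{NS['soap']}"><SOAP-ENV:Body>
<samlp:Response xmlns:samlp="{NS['samlp']}">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="{NS['saml']}">
    <saml:Conditions NotBefore="2024-01-01T12:00:00.000Z" NotOnOrAfter="2024-01-01T12:01:00.000Z"/>
    <saml:AttributeStatement>
      <saml:Subject><saml:NameIdentifier>NetID</saml:NameIdentifier></saml:Subject>
      <saml:Attribute AttributeName="uid"><saml:AttributeValue>NetID</saml:AttributeValue></saml:Attribute>
      <saml:Attribute AttributeName="email"><saml:AttributeValue>netid@oregonstate.edu</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
SAMPLE_FAILURE = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{NS['soap']}"><SOAP-ENV:Body>
<samlp:Response xmlns:samlp="{NS['samlp']}">
  <samlp:Status><samlp:StatusCode Value="samlp:Responder"/></samlp:Status>
</samlp:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

IN_WINDOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)   # inside the Conditions window
TOO_LATE = datetime(2024, 1, 1, 12, 5, 0, tzinfo=timezone.utc)     # after NotOnOrAfter

if __name__ == "__main__":
    print(saml_validate_url("http://example.oregonstate.edu/myapp/"))
    print(saml_validate_body("ST-1-klasfKF398FLKaa", "req-1", IN_WINDOW))
    print(parse_saml_attributes(SAMPLE_RESPONSE, IN_WINDOW))   # {'uid': ['NetID'], 'email': [...]}
    print(parse_saml_attributes(SAMPLE_RESPONSE, TOO_LATE))    # None
```

The `now` parameter is explicit so the window check is testable; in production pass the current UTC time, and keep the application's clock synchronised, since CAS assertions are short-lived.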

Can I use CAS for my web application?

Some applications support CAS out of the box. Others will need to include CAS client software; clients for many common platforms and languages are already available.


What information is needed to set up CAS?

In order to configure a CAS service for your web application, we will need:

  • Service Name - a short, descriptive name
  • Service URL - for example, http://example.oregonstate.edu/myapp/
  • Description
  • Attributes - a list of attributes to release to your service, if any

Send this request to support@onid.orst.edu.

Please join the OSU CAS Users mailing list. This list will be used for announcements of changes to the CAS service and discussions of CAS issues.


Notes

  • If your application needs more information about the user, you may be able to look up the additional information in the ONID LDAP server.


Enterprise Computing Services, Oregon State University, Corvallis, OR 97331.
Contact us with your comments and questions (1 541 737 3474).
Copyright Oregon State University | Disclaimer.