CAS (Central Authentication Service) Information

What is CAS?

CAS (Central Authentication Service) is an enterprise single sign-on (SSO) protocol. It was originally written by Yale University and later became a Jasig project. OSU supports the CAS protocol as part of our Shibboleth IdP deployment. CAS client libraries are available for Java, .NET, PHP, Perl, Apache, uPortal, and others.


Why use CAS?

  • To facilitate single sign-on across multiple web applications.
  • To allow untrusted services offered by organizations other than OSU IS (as well as, of course, trusted services) to authenticate users without having access to their passwords.
  • To localize actual ("primary") authentication to a single web application, which makes it easier for users to safeguard their passwords and which lets OSU change authentication logic if necessary without having to change numerous applications.

How does CAS work?

Basic steps:

  1. A user comes to your web site.
  2. Your web application redirects the client web browser to the OSU Login web page.
  3. The user enters their username and password to log in.
  4. If they are successfully authenticated, OSU Login redirects the browser back to your web application and includes a Service ticket.
  5. Your web application validates the Service ticket against the CAS endpoint.
  6. Your web application creates a local session for the user and logs the user in.

Detailed steps:

  1. A user comes to your web site.
  2. Your web application redirects the client web browser to the OSU Login web page and includes your URL as a parameter.
    https://login.oregonstate.edu/idp/profile/cas/login?service=http://example.oregonstate.edu/
  3. The user enters their username and password to log in.
  4. If they are successfully authenticated, OSU Login creates an SSO session.
  5. OSU Login redirects the client web browser back to your application with a Service ticket included.
    http://example.oregonstate.edu/?ticket=ST-1-klasfKF398FLKaa
  6. Your web application gets the Service ticket from the URL and validates it against the CAS serviceValidate endpoint with an HTTP GET request.
    https://login.oregonstate.edu/idp/profile/cas/serviceValidate?ticket=ST-1-klasfKF398FLKaa&service=http://example.oregonstate.edu
  7. If the ticket is invalid, CAS serviceValidate responds:
    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationFailure code="...">
       Optional authentication failure message
      </cas:authenticationFailure>
    </cas:serviceResponse>
  8. If the ticket is valid, CAS serviceValidate responds:
    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
       <cas:user>NetID</cas:user>
      </cas:authenticationSuccess>
    </cas:serviceResponse>
    and immediately removes the ticket so it cannot be used again.
  9. Having successfully authenticated the user, your web application creates its own local session for the user and logs the user in.
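The detailed steps above, written out as the client side of the exchange. This is an added example, not OSU's or the CAS project's code: it builds the login redirect (step 2), extracts the ticket (step 6), builds the serviceValidate request with the identical service URL (step 6), and parses the success or failure reply (steps 7 and 8). The <cas:attributes> element used for the released attributes listed in the next section follows the CAS 3.0 layout, which this page does not show, and both sample XML replies are constructed.

```python
# Added example (not OSU's or the CAS project's code): the client side of the steps above.
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

CAS_BASE = "https://login.oregonstate.edu/idp/profile/cas"  # endpoints from the page
NS = {"cas": "http://www.yale.edu/tp/cas"}                   # namespace from the page

def login_url(service):
    """Step 2: the redirect target; 'service' is your application's URL."""
    return f"{CAS_BASE}/login?" + urlencode({"service": service})

def ticket_from_return_url(url):
    """Step 6: pull the ST-... ticket that CAS appended to your service URL."""
    return parse_qs(urlparse(url).query).get("ticket", [None])[0]

def validate_url(service, ticket):
    """Step 6: GET this URL; 'service' must match the login value exactly or CAS rejects the ticket."""
    return f"{CAS_BASE}/serviceValidate?" + urlencode({"service": service, "ticket": ticket})

def parse_service_response(xml_text):
    """Steps 7/8: (user, attributes) on success, ValueError on failure. <cas:attributes> is the
    CAS 3.0 layout (assumed; the page does not show it)."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise ValueError(f"CAS {failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise ValueError("malformed CAS response: neither success nor failure element")
    user = success.findtext("cas:user", namespaces=NS)
    attrs = {}
    for el in success.findall("cas:attributes/*", NS):
        name = el.tag.split("}", 1)[1]                                # drop the namespace URI
        attrs.setdefault(name, []).append((el.text or "").strip())   # attributes may repeat
    return user, attrs

# Constructed sample replies in the page's format (attribute values are made up).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>NetID</cas:user>
    <cas:attributes>
      <cas:eduPersonPrincipalName>NetID@oregonstate.edu</cas:eduPersonPrincipalName>
      <cas:eduPersonAffiliation>member</cas:eduPersonAffiliation>
      <cas:eduPersonAffiliation>employee</cas:eduPersonAffiliation>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

Because the ticket is removed by CAS after one validation (step 8), the application should validate it exactly once and then create its own session rather than keeping the ticket in the URL.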

Is information about the authenticated user available via CAS?

Yes. Additional attributes can be retrieved by using the serviceValidate or samlValidate endpoints to validate the Service ticket. Currently, the following attributes are available:

  • uid - username
  • UDC_IDENTIFIER - Unified Digital Campus ID, a Banner unique ID
  • lastname - last name
  • firstname - first name
  • fullname - full name
  • email - primary email address
  • osuuid - LDAP attribute 'osuuid', used as a unique key in LDAP
  • osupidm - OSU Banner PIDM
  • eduPersonPrincipalName - a scoped user identifier value "username@oregonstate.edu"
  • eduPersonPrincipalNamePrior - prior values of eduPersonPrincipalName, if it has changed
  • eduPersonPrimaryAffiliation - the user's primary affiliation with OSU
  • eduPersonAffiliation - all of the user's affiliations with OSU
  • osuprimarymail - primary email address
  • commonName - full name
  • surname - last name
  • givenName - first name

Can I use CAS for my web application?

Some applications support CAS out of the box. Others need CAS client software to be added; clients are already available for many common platforms and languages.


What information is needed to set up CAS?

In order to configure a CAS service for your web application, we will need:

  • Service Name - a short, descriptive name
  • Service URL - for example, http://example.oregonstate.edu/myapp/
  • Description
  • Attributes - a list of attributes to release to your service, if any

Send this request to iamteam@oregonstate.edu.

Please join the OSU CAS Users mailing list. This list will be used for announcements of changes to the CAS service and discussions of CAS issues.


Notes

  • If your application needs more information about the user, you may be able to look up the additional information in the ONID LDAP server.


Enterprise Computing Services, Oregon State University, Corvallis, OR 97331.