Build and Implement A Single Sign-On Solution
By Chris Dunne, 2004-01-28
A brief overview of CAS

Note that in the CAS protocol, your application never sees the user's password. The CAS server performs the authentication and only it sees the user's password. This increases overall security since the username and password are not passed across the network to other applications. The following figure demonstrates the authentication flow path of a system that has a CAS server integrated.

Figure 1. How the CAS protocol performs authentication
The following are the main steps in the authentication protocol.

1. The user attempts to access an application using its URL. The user is redirected to the CAS login URL over an HTTPS connection, passing the name of the requested service as a parameter. The user is presented with a username/password dialog box.

2. The user enters ID and password details and CAS attempts to authenticate the user. If authentication fails, the target application never hears about it -- the user remains at the CAS server.

3. If authentication succeeds, then CAS redirects the user back to the target application, appending a parameter called a ticket to the URL. CAS then attempts to create an in-memory cookie called a ticket-granting cookie. This is done to allow for automatic re-authentication later -- if the cookie is present, it indicates that the user has already successfully logged in, and the user avoids having to re-enter his username and password.

4. The application then validates that this is a correct ticket and represents a valid user by calling the CAS serviceValidate URL: it opens an HTTPS connection and passes the ticket and service name as parameters. CAS checks that the supplied ticket is valid and is associated with the requested service. If validation is successful, CAS returns the username to the application.

If you are programming to the Servlet 2.3 specification, you don't even have to do any of these steps. A servlet filter handles the entire protocol. All you have to do is configure the filter parameters in the web.xml file. That's the approach I will take -- it means fewer changes to the application code in the portal.

An in-depth discussion of CAS is not within the scope of this article, so I encourage you to look in Resources for the articles from Yale University to determine if this is an authentication scheme that might suit your own purposes.
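To make the four steps concrete, here is an added Python simulation of the exchange. It is not code from this article, from Yale's CAS, or from the servlet filter the article mentions: a stand-in CAS server exposes a login and a serviceValidate method, and a stand-in application plays the filter's role of redirecting to CAS and validating the returned ticket. Everything in it is constructed for illustration: the user store, the example hostnames, the ticket time-to-live, and the ticket-granting cookie, which is modelled as a value handed back to the caller rather than a browser cookie set on the CAS domain.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed credential store for the simulated CAS server (not real CAS data).
USERS = {"alice": "correct horse battery staple"}

CAS_LOGIN_URL = "https://cas.example.com/cas/login"  # assumed CAS login endpoint
SERVICE_TICKET_TTL = 300                              # assumed ticket lifetime, in seconds


class CasServer:
    """Simulates the two CAS endpoints the article describes: login and serviceValidate."""

    def __init__(self):
        self.service_tickets = {}   # ticket -> (username, service, issued_at)
        self.tgcs = {}              # ticket-granting cookie value -> username

    def login(self, service, username=None, password=None, tgc=None):
        """Steps 2 and 3: authenticate (or re-authenticate via the TGC) and return
        (redirect_url_carrying_ticket, tgc), or (None, None) when authentication fails."""
        if tgc is not None and tgc in self.tgcs:
            user = self.tgcs[tgc]                       # TGC present: no password prompt
        elif username in USERS and secrets.compare_digest(
            USERS[username].encode(), (password or "").encode()
        ):
            user = username
            tgc = "TGC-" + secrets.token_urlsafe(32)    # new ticket-granting cookie
            self.tgcs[tgc] = user
        else:
            return None, None                           # user stays at the CAS server
        ticket = "ST-" + secrets.token_urlsafe(32)
        self.service_tickets[ticket] = (user, service, time.time())
        sep = "&" if "?" in service else "?"
        return service + sep + urlencode({"ticket": ticket}), tgc

    def service_validate(self, service, ticket):
        """Step 4: return the username if the ticket is valid and bound to `service`,
        otherwise None. Tickets are single-use and expire, as CAS service tickets do."""
        entry = self.service_tickets.pop(ticket, None)  # pop: a replayed ticket is rejected
        if entry is None:
            return None
        user, bound_service, issued_at = entry
        if bound_service != service:
            return None                                 # issued for a different service
        if time.time() - issued_at > SERVICE_TICKET_TTL:
            return None
        return user


class Application:
    """Stands in for the servlet filter: redirects unauthenticated requests to CAS
    and validates the ticket on the way back."""

    def __init__(self, cas, service_url):
        self.cas = cas
        self.service_url = service_url

    def handle_request(self, url):
        """Returns ('redirect', cas_login_url), ('ok', username) or ('deny', None)."""
        query = parse_qs(urlparse(url).query)
        ticket = query.get("ticket", [None])[0]
        if ticket is None:
            # Step 1: send the user to CAS, naming this service as a parameter
            return "redirect", CAS_LOGIN_URL + "?" + urlencode({"service": self.service_url})
        # Step 4: validate against our own configured service name, not a user-supplied one
        user = self.cas.service_validate(self.service_url, ticket)
        if user is None:
            return "deny", None
        return "ok", user


def run_flow(username, password):
    """Drives one login through the simulated protocol and returns
    (first_outcome, login_outcome, replay_outcome) for inspection."""
    cas = CasServer()
    app = Application(cas, "https://portal.example.com/app")
    first, _login_url = app.handle_request("https://portal.example.com/app")
    redirect, _tgc = cas.login("https://portal.example.com/app", username, password)
    if redirect is None:
        return first, ("denied-at-cas", None), None
    login = app.handle_request(redirect)
    replay = app.handle_request(redirect)   # the same ticket presented a second time
    return first, login, replay


if __name__ == "__main__":
    print(run_flow("alice", "correct horse battery staple"))
    print(run_flow("alice", "wrong"))
```

Two details of the simulation are worth noting. The application only ever learns a username from serviceValidate, never a password, which is the property the article highlights. And the application validates the ticket against the service name it was configured with, so a ticket issued for another service, or one presented a second time, is refused by the server rather than trusted by the application.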
First published by IBM developerWorks.