This guide gives a brief overview of CAS (Central Authentication Service) and explains the steps to add a CAS Server (versions 1.0-3.0) as an Identity Source in miniOrange. By doing this, you can achieve SSO between SP applications, which need not support CAS themselves, and a CAS Server acting as the IdP.
CAS is a ticket-based single sign-on protocol that gives users access to web applications after they authenticate against a central CAS Server.
Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user’s security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.
It was developed by a team at Yale University, later became a project maintained by JASIG, and was subsequently merged into the Apereo Foundation, which now owns and maintains CAS. The Apereo Foundation provides a multitude of software focused on educational institutions, and CAS is one of the solutions it offers.
The Apereo CAS server is the most popular one. It is built on the Java Spring framework and has cross-platform client support (Java, .NET, PHP, Perl, Apache, etc.). The Apereo CAS server has 3 versions up to now: CAS 1.0, 2.0 and 3.0. They differ mainly in the attributes supported in the CAS response, multi-factor authentication and cross-platform support. For more details on CAS, please click here.
Steps to configure CAS as an Identity Source
Here are the steps on how to configure CAS as an Identity source:
1. Click Here to go to your miniOrange dashboard.
2. Log in using your miniOrange credentials.
3. Go to Identity Providers from the left-hand side menu and click on the Add Identity Provider button.
4. Navigate to the CAS tab.
5. Enter your CAS Version, Server URL, Service Validate URL and Logout URL.
   - The CAS Server URL has to be of the following format: https://www.testcasserver.org/cas
   - The CAS Service Validate URL has to be of the following format:
     - For CAS version 1, it is https://www.testcasserver.org/cas/validate
     - For CAS versions 2 & 3, it is https://www.testcasserver.org/cas/serviceValidate
     If your CAS provider has given you a custom Service Validate URL, enter that instead.
   - The CAS Server Logout URL has to be of the following format: https://www.testcasserver.org/cas/logout?service=<redirect_url>, where <redirect_url> is the URL to which users will be redirected after they are logged out from the CAS server.
8. You have now added a CAS Server as an Identity Source with miniOrange. Your users can now authenticate themselves using their CAS credentials to SSO into other applications.
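The two Service Validate URL formats in step 5 go with two different response formats in the CAS protocol: plain text for version 1, XML (optionally carrying attributes) for versions 2 and 3. The Python below is an added example, not miniOrange or Apereo code; it builds the validation URL per version and parses the response. The service URL, ticket, user name and attribute values are constructed for illustration.

```python
# Added example: not miniOrange or Apereo code. All sample values are constructed.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2/3 XML responses

def validate_url(server_url, version, service, ticket):
    """Build the Service Validate URL in the per-version format from step 5."""
    path = "/validate" if version == 1 else "/serviceValidate"
    return f"{server_url.rstrip('/')}{path}?" + urlencode({"service": service, "ticket": ticket})

def parse_validation(version, body):
    """Return (user, attributes) on success; raise ValueError on any failure."""
    if version == 1:
        # CAS 1.0 answers in plain text: "yes", then the username on the next line.
        lines = body.splitlines()
        if len(lines) >= 2 and lines[0] == "yes" and lines[1].strip():
            return lines[1].strip(), {}
        raise ValueError("CAS 1.0 validation failed")
    root = ET.fromstring(body)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"CAS validation failed: {failure.get('code')}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    user = success.findtext("cas:user", default="", namespaces=CAS_NS) if success is not None else ""
    if not user.strip():
        raise ValueError("response has no authenticationSuccess/user element")
    attrs = {}
    block = success.find("cas:attributes", CAS_NS)
    for el in (block if block is not None else []):
        # Strip the "{namespace}" prefix; an attribute may repeat (multi-valued).
        attrs.setdefault(el.tag.split("}", 1)[-1], []).append((el.text or "").strip())
    return user.strip(), attrs

# Constructed sample responses (not captured from a real server).
CAS1_OK = "yes\njdoe\n"
CAS1_FAIL = "no\n\n"
CAS3_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.org</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>vpn-users</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
CAS2_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

A caller should treat any `ValueError` as a failed login and fetch the response only over HTTPS from the configured Service Validate URL.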
B] CAS SERVER:
1. Configure the source URL of authentication requests in the CAS Server.
2. To redirect users back to your site after logout:
   - Configure the “followServiceRedirects” setting in the cas.properties file. The setting should be set to “true”.
   - Add the following Logout URL to the CAS Service Registry: https://www.testcasserver.org/cas/logout?service=<redirect_url>, e.g. https://www.testcasserver.org/cas/logout?service=https://google.com.