Article Discussion Edit this page History

Central Authentication Service

Case has deployed rubycas, an implementation of JA-SIG's Central Authentication Service, or CAS, to allow services to easily authenticate users. The service entered production use on September 6, 2005.

1 Using CAS
2 Frequently Asked Questions
3 Web Sites and Applications Using CAS
4 How CAS Works
5 CAS Implementation Best Practices
- 5.1 Use Caching
- 5.2 Don't Log the User out of CAS
6 Configuring Applications to Use CAS

[edit] Using CAS

Users can log into CAS at https://login.case.edu/cas/. Users can log out of CAS at https://login.case.edu/cas/logout. If a user logs into CAS, he or she can be logged in to any application that participates in the service without again specifying his or her password for a period of up to 8 hours.

[edit] Frequently Asked Questions

[edit] Why do I need to change my password before I can log in?

CAS integrates with the university's password policy requirements. If your password is expired and you attempt to log in, CAS will inform you of such. You will be given a link to change your password.

[edit] Why should I close my browser when I am done?

When you log in to CAS, a cookie is stored in your browser that allows you to be automatically logged in to other sites. This cookie is set to expire at the end of your browser's session. So, when you close your browser, this cookie no longer exists and you can no longer be automatically be logged in to any more sites without specifying your password again.

It is possible to log out of CAS by visiting https://login.case.edu/cas/logout, however, this is not a secure form of logging out! Some sites may still have you recorded as logged in through the use of cookies on those specific sites. Closing your browser is the easiest way to guarantee that the next user of a computer will not be surfing the web under your identity.

[edit] Authentication versus authorization

When you access content, there are two phases you must go through to be allowed to access it: authentication and authorization. Authentication is proving that you are who you say you are. Authorization is determining whether a proven person is authorized to access something. CAS handles authentication. By logging in to CAS, CAS can authenticate your identity to participating services because you have authenticated yourself to CAS and CAS is trusted by the services that use it. CAS does not handle authorization to individual services. It is up to the individual services to determine if a user is allowed to access them.

[edit] How do I obtain the user's name, status, etc

CAS merely authenticates a user. All the services know is that a username, abc123 is accessing their site. CAS does not provide information about users to accessed services. However, all is not lost. This information is contained within the university's LDAP server. It is possible for end-services to query the LDAP server for information about these users to control and customize service behavior. Some examples are displaying the user's name, filtering content based upon user's role within the university (student, staff, faculty, etc), grade level of student (freshmen, sophomore, junior, senior, etc). To find information on how to do this, consult the LDAP article.

[edit] Why should I change my existing service to use CAS

The simple answer: supplying your password to log in all the time is annoying. Wouldn't it be convenient to just type your password once every eight hours and be done with it? Besides, the fewer times users need the password, the more incentive there is for them to chose a better, more difficult to break, takes longer to type password.

[edit] I have more questions, who do I contact

If you have a question about CAS that isn't answered here, you have two options:

Post a comment on Talk:Central Authentication Service.
Send an e-mail to sso-admin@case.edu

1) is preferred, as dialogue on this wiki can be referenced by others in your same shoes.

[edit] Web Sites and Applications Using CAS

If you maintain a website that uses CAS, please add your site to the list below. The sites are listed in chronological order (at least for now).

[edit] Deployed

Case Wiki (since September 6, 2005)
Blogs@Case (since September 6, 2005)
ITS Services (since September 6, 2005)
Shibboleth (since September 6, 2005)
USG Funding System (since September 8, 2005)
Bookswap Account Status (since September 9, 2005)
Software Center (Since September 29, 2005)
Lists@Case (since October of 2005)
Case Screensaver Web Interface (since October of 2005)
Schedule.case.edu (since November 18, 2005)
CaseLife (since January 26, 2006)
Student Affairs and all related sites (since February 16, 2006)
Blackboard (since February 16, 2006)
Online Phonebook (since February 22, 2006)
Case Forum
My Case Portal (since August, 2007)

[edit] In the Future

Campus WWW Server (in testing)
Peoplesoft (directions at https://clearinghouse.ja-sig.org/wiki/display/CAS/CASifying+PeopleSoft)

[edit] Statistics

CAS has some benchmarks on the ITS Dashboard

Logins

Application Tickets (services accessed)

[edit] How CAS Works

[edit] Basic overview

When a user accesses a site that uses CAS, that site redirects the user to CAS (login.case.edu). Once CAS has verified a user's identity, it forwards them back to the original site. CAS attaches a unique ticket number to the URL of the protected service. The protected service sees this ticket. It sends this ticket to CAS. CAS tells the protected service whether the ticket is good and if so, the Case ID that was used to obtain the ticket. The protected service reacts accordingly, allowing access if the ticket is good.

[edit] Detailed overview

When you log into CAS at https://login.case.edu/cas/, a cookie is saved in your browser. This cookie contains a unique ticket number that identifies you to the CAS server. Every time you access https://login.case.edu after you are logged in, your browser automatically transmits this cookie to the web server. CAS reads the cookie, looks up the ticket in its database, and identifies you.

CAS clients behave a little differently. Say you access http://blog.case.edu/mt/mt-cas.cgi. When you load up that page, the page requires that you be logged into CAS to access it. How does this work? The page redirects you to

https://login.case.edu/cas/login?service=http://blog.case.edu/mt/mt-cas.cgi

via an HTTP Location header. Once CAS has verified you are logged in, it sends you back to the URL specified in the service parameter, in this case http://blog.case.edu/mt/mt-cas.cgi. There is, however, one small change. CAS appends a service ticket to the URL, like

http://blog.case.edu/mt/mt-cas.cgi?ticket=ST-3555-McPZ4NKfx6S0EhnCEkHc

The CAS client sees that the ticket parameter is defined and knows the user has just come from https://login.case.edu. The CAS client then queries

https://login.case.edu/cas/serviceValidate?ticket=ST-3555-McPZ4NKfx6S0EhnCEkHc&service=http://blog.case.edu/mt/mt-cas.cgi

The CAS server replies with an XML document that describes the service ticket. Some of the values returned include whether the ticket is good and the username associated with the ticket. Alternatively, the CAS client can query

https://login.case.edu/cas/validate?ticket=ST-3555-McPZ4NKfx6S0EhnCEkHc&service=http://blog.case.edu/mt/mt-cas.cgi

This will return a two line document. The first line will say yes or no. The next line (only present if the first line is yes) will be the username associated with the ticket.

In short, when a user requests access to an application that is CASified, that user gets whisked away to the CAS server. Once they are logged in, the client is returned to the application with a unique service ticket. This is a personalized ticket, good for only one use, and a short period of time that will gain you access into the application. The CAS client verifies this ticket by talking to the CAS server and if everything checks out, it lets you in.

[edit] Proxy authentication

CAS also supports proxy authentication. Proxy authentication is useful for middle-tier applications that need to connect to another application on behalf of the user. For example, you visit a portal that requires you to be logged in to CAS. This portal shows information from Blackboard, which uses CAS. Proxy authentication can be used so the portal can obtain information from Blackboard without the user explicity logging in to Blackboard.

Proxy authentication can be very confusing and can also lead to security concerns if not implemented properly. A good source on proxy authentication is the official documentation on proxy authentication, the CAS 2 Architecture, and the CAS protocol. Before using proxy authentication, please e-mail sso-admin@case.edu and let them know what you are doing. This is for your own benefit and the data security of your customers.

[edit] CAS Implementation Best Practices

[edit] Use Caching

Many of the clients listed below use some form of caching. Without caching, the CAS client will redirect the user to the CAS server for every request to obtain a new service ticket. This places more load on not only the CAS server, but your web server as well. Also, it takes a little longer for every page access to load because the user has to process 3 HTTP requests and your web server has to verify the ticket with the CAS server. Assuming a negligible page load time under normal conditions, it takes about 5x longer to view a page.

To eliminate this bottleneck, you should store a cookie on the client's browser that tells your server that they are logged in. This cookie should contain a ticket that you can map to a user. Most CAS clients do this transparently. Some clients, such as the PHP client, store this information in the user's $_SESSION.

[edit] Don't Log the User out of CAS

Some CAS clients have a logoff function that will actually log the user out of CAS. This should be avoided! Don't confuse local application logoff and CAS logoff. If the user logs out of the local application, they are simply transitioning from registered user mode to anonymous user mode. If a user logs out of CAS, they will be forced to supply their username and password again. A simple way to check for logging out of CAS is to look for a request to https://login.case.edu/cas/logout. If this URL is accessed by a client, they will be logged out of CAS.

[edit] Configuring Applications to Use CAS

CAS is being used because it supports many clients for authentication. A fairly complete list of clients is available. To use CAS for authentication, you need to know the following parameters:

Host: https://login.case.edu
Context: /cas/
Login URL: https://login.case.edu/cas/login
Logout URL: https://login.case.edu/cas/logout
Validate URL: https://login.case.edu/cas/validate (CAS protocol version 1)
Service Validate URL: https://login.case.edu/cas/serviceValidate (CAS protocol version 2)
Running Version: 2.0
CAS Protocol Versions Supported: 1 and 2

If one the following clients does not work or does not apply to you, you may wish to create your own CAS client. This is relatively simple because CAS operates over HTTP and the protocol is relatively simple. Consulting the CAS protocol is a necessary step to properly design a client.

Some clients, such as the Apache modules, require that the certificate used by the login server to be verified. For these, you need to obtain the public certificate for the Certificate Authority for https://login.case.edu. The certificate authority is Entrust Server CA and its public certificate can be found below under the Apache 2 instructions.

[edit] Using Apache

A module, mod_cas, is available for Apache 1 and 2 to do CAS authentication. A Perl auth module is also available as an alternative.

[edit] Apache 1

Why are you still using Apache 1? Upgrade to Apache 2 already.

[edit] Apache 2

Although the version of mod_cas distributed as part of the CAS client package is usable, we recommend the use of our custom mod_cas module. The advantages of our module are that configuration options for the module are not compiled into the module. Also, we have modified the module to work with our modified mod_auth_ldap, which can return dynamic groups from LDAP.

The source code for our module can be found at https://its-services.case.edu/middleware/src/mod_cas_Apache2.tar.gz. The development for this module occurs at http://opensource.case.edu/projects/CAS/.

Extract the contents of this archive anywhere in your filesystem. cd to the apache2 directory. Edit the following values in Makefile:

top_srcdir
top_builddir
srcdir
builddir
VPATH

The values for top_srcdir and top_builddir are the path to Apache 2's source tree will most likely be identical. An example value would be /usr/local/src/httpd-2.0.54

The values for srcdir, builddir, and VPATH will most likely all be ./

The module is compiled and installed by running

 
make mod_cas.la
make install-modules

Alternatively, you can compile the module using apxs. Run the following to compile and copy the module to your Apache module directory:

 
/path/to/apxs -i -c mod_cas.c ssl_client.c

Once the module is installed, you need to edit your Apache config file (usually httpd.conf) and add the following:

 
LoadModule cas_module usr/lib/apache2/mod_cas.so
CASLoginURL https://login.case.edu/cas/login
CASHost login.case.edu
CASValidate /cas/validate
CASTrustedCerts /path/to/entrust.crt
#CASDebug On
 
CASLocalCacheFile /path/to/cas/cache
CASLocalCacheSize 1000
CASLocalCacheTimeout 7200
CASLocalCacheInsecure Off

The CasTrustedCerts directive should point to a file containing the public certificate(s) of the Certificate Authority for the CAS server. It is recommended to create a file with the following contents:

and set this directive to point to that file.

You can use the CASDebug directive to allow extra debugging to the Apache log for testing purposes. For CASLocalCacheFile, create a blank file and set its permissions so the Apache user can write to this file.

To protect a specific directory to require CAS authentication, just use AuthType CAS. For example:

 
<Location "/cas-protected/">
    AuthType CAS
    AuthName "CAS"
    require valid-user
</Location>

By default, the CAS module will handle authentication and authorization. If you have another module that you would like to process authorization, such as mod_auth_ldap, you need to tell mod_cas to defer to that module. This is done by adding the directive CASAuthenticateOnly On to either the global httpd.conf file or in any <virtualhost>, <directory>, <location>, or .htaccess location. You can set CASDebug On and view the Apache error log to verify everything is working as it should.

[edit] Apache 2.2

The Apache 2.0 module is not compatible with Apache 2.2 due to Apache API changes.

It might be possible to use AuthCAS with Apache 2.2. If you have success with this, please report it to sso-admin@case.edu or update this page.

The AuthCAS module is no longer supported due to SQL injection issues, however mod_auth_cas was written to specifically target Apache 2.2 and is being actively maintained. The source can be downloaded here.

Apache 2.2 must be compiled with APache eXtenSion tool (APXS) to compile and install the mod_auth_cas object as a dynamically shared object (DSO). The instructions for setting the module up can be found here. It is still recommended to create a file containing the public certificate of the Certificate Authority for the CAS server (located under the Apache 2.0 section).

The configuration options for mod_auth_cas are different than that of the custom mod_cas module, the following configuration settings were added to the httpd.conf file to implement the Case Single-Sign On service on the BME server:

 
LoadModule auth_cas_module /usr/lib/apache2/modules/mod_auth_cas.so
CASLoginURL https://login.case.edu/cas/login
CASValidateURL https://login.case.edu/cas/serviceValidate
CASCertificatePath /path/to/entrust.crt
#CASDebug On
CASCookiePath /path/to/cas/cookie/
<Directory "/cas-protected/">
        AuthType CAS
        AuthName "CAS"
        require valid-user
</Directory>

[edit] AuthCAS mod_perl Module

[edit] IIS

CAS ISAPI filter for ISS
CCCI CAS alternative plugin for ISS/Apache (see documentation)

These filters are not well supported, and may not even work at all. If you are successful in implementing any ISAPI filters, please add instructions for doing so here.

These filters are also known to have a memory leak. It is highly advised to use a client written in an interpretted language, such as ASP or PHP.

[edit] ASP.NET

You can use CASP, a small C# class written by a programmer at Case for authenticating with CAS through ASP.NET.

[edit] PHP

There are two PHP libraries that can be used with CAS at Case. The Case CAS Module is very simple. It requires PHP 5 to run. phpCAS supports all the bells and whistles of CAS, but requires a little more setup.

[edit] Case CAS Module

Information about this module is available at http://opensource.case.edu/projects/CaseClasses/. The source code is available at http://opensource.case.edu/svn/CaseClasses/php/trunk/Case/Authn/CAS.php. (mirrored here until the server comes back online: http://filer.case.edu/aah16/public/CAS.php.txt)

Sample usage:

 
require_once('Case/Authn/CAS.php');
$cas = new Case_Authn_CAS();
$cas->forceAuthentication();
$CaseID = $cas->getCaseID();

 
require_once('Case/Authn/CAS.php');
$cas = new Case_Authn_CAS();
$cas->checkAuthentication();
 
if ($cas->isLoggedIn()) {
  //the user is known to be logged in
  //do whatever you want with them
}

Please note that the Case CAS Module requires the following PEAR packages: Net_URL, Net_Socket, HTTP_Request

[edit] phpCAS

You can use phpCAS, a CAS PHP library to perform CAS authentication within your PHP applications.

To install phpCAS, download phpCAS, extract the contents of the archive, and copy source/CAS to somewhere in PHP's include_path. In your PHP application, use the following to set up your CAS client:

 
require_once('CAS/CAS.php');
 
phpCAS::client(CAS_VERSION_2_0,'login.case.edu',443,'/cas');

The creation of the phpCAS client automatically calls session_start unless the 5th parameter of the function is false. If your session is already started, this will issue a PHP warning.

To force the user to be logged in, execute the following statement:

 
phpCAS::forceAuthentication();

If you need to obtain the person's network ID, use:

 
$NetID = phpCAS::getUser();

More documentation is availabe at the library's web site.

Do not use phpCAS::logout() in your script, as it will log the user out of CAS. Instead, you can perform a local logout by manipulating $_SESSION variables or cookies.

[edit] Example PHP Script

 
<?php
 
//initialize the CAS library
require_once('CAS/CAS.php');
phpCAS::client(CAS_VERSION_2_0, 'login.case.edu', 443, '/cas');
 
//if the user is requesting to be logged in
if (isset($_REQUEST['login'])) {
   phpCAS::forceAuthentication();
   //the user is known to be logged in to CAS at this point
   $_SESSION['loggedInLocally'] = true;  //set a local variable telling the program we are logged in
   $_SESSION['username'] = phpCAS::getUser();  //this stores their network user id
}
 
//if we want to log out of the program
if (isset($_REQUEST['logout'])) {
   $_SESSION['loggedInLocally'] = false;
   unset($_SESSION['username']);
}
 
if (isset($_SESSION['loggedinLocally']) && $_SESSION['loggedInLocally']===true) {
   echo "You are logged in to the application";
} else {
   echo "You are not logged in to the application.  Log in by specifying the 'login' log parameter to this script.";
}
 
?>

There is a Case-specific CAS module for Drupal that is part of the CaseDrupal project. The soure code is available at http://opensource.case.edu/svn/casedrupal/modules/caseauth/caseauth.module

[edit] ColdFusion

See http://www.ja-sig.org/wiki/display/CAS/ColdFusion+client+script

[edit] Zope

See http://www.zope.org/Members/mrlex/ACUF

[edit] VBScript

Undergraduate Admission's own Jonathan Wehner has created a skeleton framework for using CAS in VBScript. See http://opensource.case.edu/projects/CAS/wiki/VBScript.

Retrieved from "http://wiki.case.edu/Central_Authentication_Service"

Category: ITS Services

Case Referrers

Blog Entries

Gregory Szorc's blog - Blackboard Now Using CAS (150 referral)
Jeremy Smith's blog: CAS Sucks! (71 referral)
Jeremy Smith's blog: Zero Sign On (18 referral)
Status of Network and Services (1 referral)
Status of Network and Services (1 referral)
Simple CAS 1.0 Authentication for Django - brian's blog (589 referral)
Jeremy Smith's blog: OpenID Server Integrated with CAS (63 referral)
Gregory Szorc's blog - Case Single Sign-On Service Upgraded (111 referral)

Other Sites

http://start.case.edu/ (13 referral)
http://intranet.weatherhead.case.edu/ (1 referral)

This page has been accessed 102,686 times.
This page was last modified 11:52, January 28, 2010 by Samuel Harmon.
About | Disclaimers

Case Wiki

Navigation

Search

Toolbox