This guide gives a brief overview of Central Authentication Service(CAS) and also explains the steps to add a CAS Server(version 1.0-3.0 ) as an Identity source in miniOrange. This is a step by step guide for adding CAS server as CAS identity source. By doing this, you can achieve Single Sign-on (SSO) between SP applications that need not support CAS necessarily, and the IdP is a CAS Server. Within this document, you'll also find how to use "CAS as IDP" and how to "log in with a CAS".
What is Central Authentication Service (CAS)
It is a ticket-based single sign-on (SSO) protocol that provides users access to web applications after authentication against a central CAS Server.
Its purpose is to permit a user to access multiple applications while providing their credentials (such as user id and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.
It was developed by a team at Yale University, which was later a project maintained by JASIG, and after that was merged into Apereo Foundation which now owns and maintains CAS. Apereo Foundations provide a multitude of software that is focused on educational institutions, and CAS is one among the solutions they offer.
The Apereo CAS server is the most popular one, built on Java Spring framework, and it also has Cross-platform client support (Java, .Net, PHP, Perl, Apache, etc). The Apereo CAS server has 3 versions up to now - CAS 1.0, 2.0 and 3.0, with differentiation, majorly being Attributes supported in the CAS response, multi-factor authentication and cross-platform support. For more details on CAS, please click here
Steps to configure CAS as an Identity Source
Here are the steps on how to configure Central Authentication Service(CAS) as an Identity source:
Go to Identity Providers from the left hand side menu and click on the Add Identity Provider button.
Navigate to the CAS tab.
Enter your CAS Version, Server URL, Service Validate URL and Logout URL.
The CAS Server URL has to be of the following format: https://www.testcasserver.org/cas
The CAS Service Validate URL has to be of the following format:
For CAS version 1 - it is https://www.testcasserver.org/cas/validate
For CAS versions 2 & 3 - it is https://www.testcasserver.org/cas/p3/serviceValidate
If you have a custom Service Validate URL as mentioned by your CAS provider, please enter the same.
The CAS Server Logout URL has to be of the following format: https://www.testcasserver.org/cas/logout?service=<redirect_url> - where the <redirect_url> is the URL to which users will be redirected to, after getting logged out from the CAS server.
You have now added a CAS Server as an Identity Source with miniOrange. Your users can now authenticate themselves using their CAS credentials to SSO into other applications.
2. CAS Server
Configure the source URL of authentication requests in the CAS Server.
For redirecting back to your site after logout,
Configure the “followServiceRedirects” setting in the cas.properties file. The setting should be set to “true”.
Add the following Logout URL to the CAS Service Registry: https://www.testcasserver.org/cas/logout?service=<redirect_url> , for eg. https://www.testcasserver.org/cas/logout?service=https://google.com.
3. Test your CAS IDP Configuration
Login to our miniOrange moas service.Login using your miniOrange credentials.
Go to Identity Providers tab from the left-hand side menu.
Navigate to the CAS entry in View Identity Providers table.
Click on Test Configuration Link.
Enter your CAS credentials on the CAS login page (Requires once per active session).
On successful credential verification a table with values returned by CAS response will be shown.
Note: If a session is already active at the CAS endpoint, then there is no need to enter the credentials again in the same session.