CAS workflow in case of Single Sign On (SSO) for Spring

1
votes

I am wondering how CAS works (workflow needed). Imagine:

  1. User authenticate with CAS on App1 (example.com/app1, for example).
  2. User goes to another application (example.com/app2).

Every application must show user's name on top of the page. How they know it? In case of just ONE application, the workflow is pretty clear:

  1. App1: While user browse pages without authentication, just show "Login" link as user name.
  2. App1: At one moment user presses Login.
  3. App1: Redirects user to CAS
  4. CAS: Requests user's login/pass
  5. CAS: User enters login/pass
  6. CAS: Redirects user back to App1
  7. App1: gets token and user name (or ID) from CAS, and gives some rights to this user. Done.

But now: how the App2 (App3 and so on) knows that user is already authenticated? Do they all have to redirect user from EVERY page to CAS just only to know, if the user already authenticated and request his name?

In case of Spring it will be a huge redirections, while I have some independent applications like:

example.com/App1
example.com/App2
...
example.com/AppN
3
authenticationspring-mvcsingle-sign-oncas
I've learned that CAS has callback functionality for single logout. That's cool, and the same I need to login - maybe I just can't find it?L'sync

3 Answers

3
votes

I don't have have 10 reputation yet, so you will need to check the workflow image at

http://idms.rutgers.edu/cas/how_does_it_work.shtml

When a new user initially logs into an application they won't have established a session with the application. Instead of displaying a login form asking for the username and password, the application (via the CAS Client) will redirect the browser to the CAS login page.

CAS then authenticates the user. If the authentication fails, the CAS login page is displayed again with an error message. So until authentication succeeds, the user will not be returned to the application. If the user is not sure how to proceed at that point, there are help desk links on the CAS login page. Once the user authenticates successfully, CAS will redirect the browser back to your application. CAS knows where to redirect to via a {service} parameter that you append to the CAS login url.

When CAS redirects the authenticated user back to your application, it will append a {ticket} parameter to your url.

The ticket returned to your application is opaque, meaning that it includes no useful information to anyone other than the CAS Server. The only thing that your application can do is send this ticket back to CAS for validation.

CAS will then either respond that this ticket does not represent a valid user for this service, or will acknowledge that this ticket proves authentication. In the later case, CAS will also supply the username so that you know the identity of the user.

The application must provide its own session management. Once the user is authenticated, your application should keep track of this fact within a session so that you don't have to reauthenticate them with the CAS Server. Typically this would be the same as if you authenticated the user directly from your application.

Each application should provide their own logout facility which will invalidate the session and require the user to re-authenticate into the application. Note that if they are using SSO through the myRutgers portal, they will not have to re-enter their username and password.

1
votes

Using CAS means, that the CAS-Server keeps track of which user is authenticated globally (using a cookie which stores a Ticket Granting Ticket Id - TGT). Each application must maintain its own mechanism to key track of a principal session and the corresponding information.

So if a user wants to access a secured application APP1 (and is not authenticated), he will be redirected to the CAS-Server. Without sending a valid TGT the login-form is presented, otherwise (or after successfully authenticating to the CAS-Server) a Service Ticket (ST) is generated, which must be presented to APP1. Here this Service Ticket is validated against the CAS-Server (using server-to-server communication) - if valid, the userId (and perhaps additional information) is returned. Now it's up to the application APP1 to create a principal based on the userId and to provide authorization information (e.g. the CAS-Server authenticates against an LDAP, whereas APP1 stores the user data in a database). All subsequent requests to APP1 should not involve the CAS-Server anymore.

If the user makes a request to APP2, the mentioned process restarts again.

0
votes

L'sync,

Have you tried posting your question to the cas-users [[email protected]] mailing list?

I have been working with CAS for the last 6 months and from what I understand, App2 (App3 and so on), without redirection to CAS do not have a way of knowing the user-attributes.

You can avoid putting all pages of App2 behind the CAS filter by either storing the user-attributes along with your web-session and/or by embedding an iframe-header in your pages which displays the login-name.

Marvin who is a CAS contributor maintains an excellent CAS client test webapp on GitHub where you can see how he reads the user-attributes. https://github.com/serac/java-cas-client-test