Versions Compared

Old Version 5

changes.mady.by.user Andrew Petro

Saved on

compared with

New Version Current

changes.mady.by.user Andrew Petro

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

...

This precise methodology is straightforward. A web application, having received an opaque ticket from the incoming HTTP request (via its ticket parameter), marshals a SAML request to be sent using SOAP, over HTTPS, to the CAS server. The application contacts CAS over a well-known URL and authenticates CAS using CAS's SSL certificate (applying rules at least as restrictive as a common browser's, to prevent spoofing of CAS). Thus, no XML Signatures are necessary; the underlying channel is trusted. Over this secure channel, the application sends a SAML request of the following form:

Code Block
xml
xml
titleListing 1xml
  <Request
    RequestID="..."
    MajorVersion="1"
    MinorVersion="0"
    IssueInstant="...
  >
    <AssertionArtifact>opaque ticket string</AssertionArtifact>

  </Request>

When CAS recognizes the opaque ticket string sent within this request, it produces a response containing an appropriate assertion, along with supplemental information that the application will need to ensure that the ticket was intended for it and not for another application:

Code Block
xml
xml
titleListing 2xml
Listing 2

  <Response>
    <Status>
      <StatusCode Value="Success"/>;
    </Status>
    <Assertion
      MajorVersion="1"
      MinorVersion="0"
      AssertionID="..."
      Issuer="URI for CAS login page"
      IssueInstant="date of response, not of TGC"
    >
      <Conditions>
        <AudienceRestrictionCondition>
          <Audience>service URI associated with ticket</Audience>

        </AudienceRestrictionCondition>
      </Conditions>
      <AuthenticationStatement>
        <Subject>
          <NameIdentifier>subject name</NameIdentifier>

        </Subject>
      </AuthenticationStatement>
    </Assertion>
  </Response>

...

This approach is straightforward. To authenticate itself to CAS when sending the request from listing 1, the application supplies an XML Signature using the <Assertion> element's <Signature<; subelement. If it is satisfied with the application's authenticity, CAS includes an <AttributeStatement> in the assertion contained in its response. This statement has the following format:

Code Block
xml
xml
titleListing 3xml
  <AttributeStatement>
    <Subject>
      <NameIdentifier>subject name</NameIdentifier>

    </Subject>
    <Attribute AttributeNamespace="http://www.yale.edu/cas"
                  AttributeName="pgt">
      <AttributeValue>PGT value</AttributeValue>
    </Attribute>
  </AttributeStatement>

Once a proxy has used the PGT acquired in this statement to generate a PT (again, using an out-of-band mechanism that does not necessarily use SAML), it supplies a SAML document to its target back-end service. (It could also simply provide the ticket as a query parameter, just as in the current model; however, using SAML arguably makes it easier for a back-end service to use multiple authentication schemes.) This SAML document contains the following assertion:

Code Block
xml
xml
titleListing 4xml
  <Assertion
    MajorVersion="1"
    MinorVersion="0"
    AssertionID="..."
    Issuer="URI for application service"
    IssueInstant="date of assertion, not of PGT"
  >
    <AuthenticationStatement>
      <Subject>
        <NameIdentifier>subject name</NameIdentifier>

      </Subject>
      <SubjectConfirmation>
        <ConfirmationMethod>http://www.yale.edu/cas/proxy</ConfirmationMethod>

        <SubjectConfirmationData>proxy ticket</SubjectConfirmationData>

      </SubjectConfirmation>
    </AuthenticationStatement>
  </Assertion>

...