CAS Domain Model

CAS 1.0 - Authenticity Without Papers and Single Sign On

CAS is a trusted 3rd party that can provide Assertions to a Service concerning the authenticity of a Principal. The Service makes a local decision about the authenticity of a Principal based on these Assertions and without direct access to primary Credentials.

CAS will create a TicketGrantingTicket for a Principal if the Principal's Credentials can be authenticated. A Principal can ask CAS, via the TicketGrantingTicket, to grant a ServiceTicket for a target Service. The ServiceTicket can be used by the target Service to request proof of prior authentication. Proof, in the form of an Assertion, is transferred to the Service when it asks CAS to validate the ServiceTicket provided by a Principal.

A TicketGrantingTicket can grant a ServiceTicket for any Service. Thus a Principal achieves single sign on as long as it possesses a valid TicketGrantingTicket (e.g. web single sign on is typically achieved via a browser session cookie that maintains the TicketGrantingTicket Id).

A single sign on session ends when either the TicketGrantingTicket expires or a Principal explicitly asks CAS to destroy the TicketGrantingTicket.

CAS 2.0 - Delegated Authority

A Power of Attorney is a legal instrument that is used to delegate legal authority to another. The person who signs (executes) a Power of Attorney is called the Principal. The Power of Attorney gives legal authority to another person (called an Agent or Attorney-in-Fact) to make property, financial and other legal decisions for the Principal. A "Nondurable" Power of Attorney takes effect immediately. It remains in effect until it is revoked by the Principal, or until the Principal becomes mentally incompetent or dies. – http://www.oag.state.ny.us/seniors/pwrat.html

A Service at times may require access to another Service in order to fulfill a request made by a Principal (e.g. access to email stored in an IMAP server from a Portal on behalf of a user). In these cases we can say that the Service has the authority to act on behalf of a Principal. In other words, the Service can access another Service as if it were the Principal.

Authority is transferred when a Service requests and is granted a TicketGrantingTicket derived from a delegating Principal. The request for CAS to proxy or delegate a TicketGrantingTicket must include a Principal, by way of a ServiceTicket, for whom the authority is being delegated, and Credentials that can prove the authenticity of the Service.

A Service with delegated authority, in the form of a TicketGrantingTicket, can ask CAS to grant a ServiceTicket for a target Service. The target Service can use the ServiceTicket to request proof that the prior Service has been given the authority to act on behalf of a Principal. Proof, in the form of an Assertion, is transferred when the target Service asks CAS to validate the ServiceTicket. The Assertion will provide a chain of Principals as proof of delegated authority. The Service will make a local decision based on the Assertion as to the authenticity of the delegated authority and of each Principal in the chain without having direct access to any Credentials.

The authority to act on behalf of a Principal remains in effect until either the proxied TicketGrantingTicket expires or the authority is revoked by the Principal by asking CAS to destroy the granting TicketGrantingTicket.
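The following is an added worked example of both models described above (the CAS 1.0 single sign on cycle of TicketGrantingTicket, ServiceTicket and Assertion, and the CAS 2.0 delegation of a TicketGrantingTicket to a Service with a chain of Principals). It is illustrative code written for this page, not the CAS project's own code or protocol: the class and method names, the ticket id formats, the credential stores and the user and service names are constructed assumptions, and it couples proxy-granting to ServiceTicket validation as a simplification. It shows the security properties the text relies on: Services never see primary Credentials, a ServiceTicket is bound to one target Service and is single use, a delegated TicketGrantingTicket carries the full Principal chain, and destroying the granting TicketGrantingTicket revokes every TicketGrantingTicket proxied from it.

```python
"""Toy model of the CAS domain on this page: Principals, TicketGrantingTickets,
ServiceTickets, Assertions and delegated authority.  Added illustration with
hypothetical names, not the CAS project's own code."""
from __future__ import annotations
import secrets
import time
from dataclasses import dataclass

@dataclass
class TicketGrantingTicket:
    id: str
    chain: list                          # ["alice"], or ["alice", "portal"] once delegated
    expires_at: float
    parent: "TicketGrantingTicket | None" = None   # TGT this one was proxied from
    valid: bool = True

@dataclass
class ServiceTicket:
    id: str
    service: str
    granting: TicketGrantingTicket

@dataclass
class Assertion:
    """What a Service receives instead of Credentials: the chain of Principals."""
    service: str
    principals: list                     # index 0 is the user, then each delegating Service
    proxy_tgt: "TicketGrantingTicket | None" = None

class CAS:
    def __init__(self, users, services, tgt_ttl=3600):
        self.users = users        # constructed store: principal -> password
        self.services = services  # constructed store: service -> shared secret
        self.tgt_ttl = tgt_ttl
        self.tgts, self.sts = {}, {}

    def authenticate(self, principal, password):
        """CAS 1.0: primary Credentials are checked here and nowhere else."""
        if not secrets.compare_digest(self.users.get(principal, ""), password):
            raise PermissionError("bad credentials")
        return self._new_tgt([principal])

    def grant_service_ticket(self, tgt_id, service):
        """A live TGT may grant a ServiceTicket for any Service (single sign on)."""
        st = ServiceTicket("ST-" + secrets.token_urlsafe(16), service, self._live_tgt(tgt_id))
        self.sts[st.id] = st
        return st

    def validate(self, st_id, service, service_secret=None):
        """Called by the Service; returns an Assertion, never Credentials.  With the
        Service's own Credentials it also delegates (proxies) a TGT to that Service."""
        st = self.sts.pop(st_id, None)                 # a ServiceTicket is single use
        if st is None or st.service != service:
            raise PermissionError("invalid or replayed ServiceTicket")
        granting = self._live_tgt(st.granting.id)      # session must still be live
        assertion = Assertion(service, list(granting.chain))
        if service_secret is not None:
            if not secrets.compare_digest(self.services.get(service, ""), service_secret):
                raise PermissionError("bad service credentials")
            assertion.proxy_tgt = self._new_tgt(granting.chain + [service], parent=granting)
        return assertion

    def destroy(self, tgt_id):
        """Logout or revocation; TGTs proxied from this one die with it (see _live_tgt)."""
        if tgt_id in self.tgts:
            self.tgts[tgt_id].valid = False

    def _new_tgt(self, chain, parent=None):
        tgt = TicketGrantingTicket("TGT-" + secrets.token_urlsafe(16), chain, time.time() + self.tgt_ttl, parent)
        self.tgts[tgt.id] = tgt
        return tgt

    def _live_tgt(self, tgt_id):
        t = tgt = self.tgts.get(tgt_id)
        if tgt is None:
            raise PermissionError("unknown TicketGrantingTicket")
        while t is not None:   # every ancestor in the delegation chain must be valid
            if not t.valid or t.expires_at <= time.time():
                raise PermissionError("session expired or revoked")
            t = t.parent
        return tgt

def denied(fn, *args):
    """True if CAS refuses the operation."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True

def demo():
    """Both scenarios on the page, with constructed sample data."""
    cas = CAS(users={"alice": "correct horse"}, services={"portal": "portal-secret"})
    tgt = cas.authenticate("alice", "correct horse")         # CAS 1.0 login
    st = cas.grant_service_ticket(tgt.id, "portal")
    a1 = cas.validate(st.id, "portal", "portal-secret")      # portal obtains delegated TGT
    st2 = cas.grant_service_ticket(a1.proxy_tgt.id, "imap")  # portal acts for alice
    a2 = cas.validate(st2.id, "imap")                        # imap sees the whole chain
    replay = denied(cas.validate, st2.id, "imap")
    cas.destroy(tgt.id)                                      # alice ends her session
    revoked = denied(cas.grant_service_ticket, a1.proxy_tgt.id, "imap")
    return {"chain": a2.principals, "replay_refused": replay, "revoked": revoked}
```

Running demo() returns the chain ['alice', 'portal'] that the IMAP Service receives, confirms that a second validation of the same ServiceTicket is refused, and shows that once alice destroys her TicketGrantingTicket the Portal's proxied TicketGrantingTicket can no longer grant anything, which is the "remains in effect until revoked" rule stated above. The walk up the parent links in _live_tgt is what makes revocation of the granting TicketGrantingTicket propagate to every delegated one.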

CAS 3.0 - Universal Language of Proof