Chapter 1: Introduction

CAS is a multiprotocol Web single sign-on (SSO) product composed of a single logical server component that services authentication requests from multiple clients that communicate via one or more supported protocols. The CAS server delegates authentication decisions to any number of supported authentication mechanisms including LDAP/Active Directory, Kerberos, and RDBMS. The hallmark of CAS is ease of integration and extension in support of a wide variety of environments. In addition to supporting a large number of technologies out of the box, the well-documented API extension points have enabled deployers to develop custom components to support novel use cases not supported by default.

Features

CAS has a number of features that distinguish it from other SSO products:

  • SSO implementation that avoids shared cookies in favor of one-time-use credentials
  • Broad integration support
  • Broad support for a variety of authentication methods
  • Decentralized authorization model

SSO Implementation

Unlike many SSO products, CAS does not rely on a cookie shared across the services within the SSO domain. Instead the browser holds a single secure SSO session identifier (the ticket-granting ticket, or TGT, in CAS protocol parlance) that is presented only to the CAS server. From that session CAS mints one-time-use, short-lived credentials (service tickets) bound to a particular service; the service receives its ticket on the redirect back from CAS and validates it with the CAS server over a back channel. Because the "master key" session identifier passes only between the user's browser and the CAS server, a compromised or malicious service never sees it, and a service ticket captured in transit is good for one validation at one service. This narrows the exposure of the session identifier to interception considerably compared with shared-cookie strategies. The TGT cookie itself still has to be protected in transit and in the browser (served over TLS with the Secure and HttpOnly flags), since whoever holds it can obtain service tickets for any service.
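To make the ticket properties concrete, here is an added Python model of the flow described above. It is illustrative code written for this page, not code from the CAS project or the CAS protocol specification; the user store, the ticket lifetimes, the service URLs and the `CasServer` class are all assumptions for the demo. The model treats a service ticket as consumed on its first validation attempt whether or not that attempt succeeds, so that a ticket stolen from one service cannot be redeemed at another.

```python
# Added example: a miniature model of the CAS ticket flow (not CAS project code).
# The TGT is shared only between browser and CAS server; services only ever see
# a service ticket (ST) that is one-time-use, short-lived and bound to one URL.
# Names, lifetimes and the user database below are assumptions for the demo.
import secrets
import time
from dataclasses import dataclass

TGT_LIFETIME_SECONDS = 8 * 60 * 60   # assumed SSO session length
ST_LIFETIME_SECONDS = 10             # assumed: an ST must be validated promptly


@dataclass
class ServiceTicket:
    tgt_id: str        # the SSO session this ticket was minted from
    service: str       # the service URL the ticket is bound to
    issued_at: float


class CasServer:
    """Ticket registry. In a real deployment the TGT id is set as a cookie scoped
    to the CAS server (Secure, HttpOnly) and is never sent to any other host;
    only the ST travels, and only once, to a single service."""

    def __init__(self, users, clock=time.time):
        self._users = users     # constructed user store: username -> password
        self._clock = clock     # injectable so expiry can be demonstrated
        self._tgts = {}         # TGT id -> (principal, issued_at)
        self._sts = {}          # ST id -> ServiceTicket

    def login(self, username, password):
        """Primary authentication; returns a new TGT id, or None on failure."""
        expected = self._users.get(username, "").encode()
        if not secrets.compare_digest(expected, password.encode()):
            return None
        tgt_id = "TGT-" + secrets.token_urlsafe(32)
        self._tgts[tgt_id] = (username, self._clock())
        return tgt_id

    def _tgt_principal(self, tgt_id):
        """Principal behind a live TGT, or None if unknown or expired."""
        entry = self._tgts.get(tgt_id)
        if entry is None:
            return None
        principal, issued_at = entry
        if self._clock() - issued_at > TGT_LIFETIME_SECONDS:
            del self._tgts[tgt_id]
            return None
        return principal

    def issue_service_ticket(self, tgt_id, service):
        """Browser visits /login?service=... carrying the TGT cookie; CAS redirects
        back to the service with ?ticket=ST-... appended."""
        if self._tgt_principal(tgt_id) is None:
            return None
        st_id = "ST-" + secrets.token_urlsafe(32)
        self._sts[st_id] = ServiceTicket(tgt_id, service, self._clock())
        return st_id

    def validate(self, st_id, service):
        """Back-channel /serviceValidate: the service presents the ticket it got
        together with its own URL. The ticket is consumed on the first attempt,
        successful or not, so a captured ST cannot be replayed and a ticket
        stolen from one service is useless to another."""
        st = self._sts.pop(st_id, None)
        if st is None:
            return None                        # unknown or already used
        if st.service != service:
            return None                        # bound to a different service
        if self._clock() - st.issued_at > ST_LIFETIME_SECONDS:
            return None                        # validated too late
        return self._tgt_principal(st.tgt_id)  # None once the SSO session ended

    def logout(self, tgt_id):
        """Destroying the TGT invalidates every ST minted from it."""
        self._tgts.pop(tgt_id, None)


if __name__ == "__main__":
    srv = CasServer({"alice": "correct horse battery staple"})
    tgt = srv.login("alice", "correct horse battery staple")
    app = "https://app.example.edu/"
    st = srv.issue_service_ticket(tgt, app)
    print("first validation:", srv.validate(st, app))    # alice
    print("replay:", srv.validate(st, app))              # None
```

The two points to take from the model are that `validate` is the only place a service name is checked against a ticket, and that nothing a service receives lets it mint further tickets; only the TGT does, and it never leaves the browser-to-CAS leg.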

Integration

CAS client integration components are available for all popular Web development frameworks and many popular Web applications. Some of the most popular:

  • Java
  • .NET
  • PHP
  • Outlook Web Access
  • Drupal
  • Confluence

The combination of open protocols and open source facilitates the development of integration components for almost any product, as has been demonstrated over many years by the development of components for frameworks as varied as PL/SQL and ColdFusion.

Authentication Providers

The CAS server authenticates users by means of the AuthenticationHandler component for which a number of implementations are provided out of the box to support the following authentication providers:

  • LDAP/Active Directory
  • RDBMS
  • Kerberos
  • SPNEGO
  • X.509/Client SSL
  • JAAS
  • RADIUS
  • Flat file

CAS has a proven track record of supporting custom authentication providers such as proprietary Web services. Adopters leverage the open and well-documented source to develop custom AuthenticationHandler components and wire them into the application using Spring XML configuration. The result is straightforward extension for virtually any authentication need.

Authorization

CAS approaches authorization from the perspective that authorization is the responsibility of the individual services that authenticate to CAS. This design reflects the history of CAS, which was developed in the Higher Education setting: a setting that is typically highly decentralized and ill suited to agreement on, and enforcement of, a centralized authorization policy. CAS supports decentralized authorization via an attribute release mechanism: any number of stores may be configured to load attributes about a principal upon authentication to CAS, and those attributes are released to a service when it validates the user's ticket with CAS. Each service interprets the attributes as it sees fit, commonly for authorization and personalization.
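The following added Python example shows that division of labour: the CAS side filters a principal's attributes down to what each registered service is entitled to, transports them in the validation response, and the service side parses them and applies its own authorization rule. This is illustrative code written for this page, not CAS project code; the attribute store, the service registry, the URLs, the group DN and the function names are constructed for the demo, and the response layout assumes the `<cas:attributes>` form standardized in CAS protocol 3.0.

```python
# Added example (not CAS project code): per-service attribute release on the
# CAS side, and an authorization decision made by the service from what it
# received. Store contents, registry, URLs and group names are constructed.
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
ET.register_namespace("cas", CAS_NS)

# Constructed attribute store, as an attribute repository would load it from
# LDAP or an RDBMS at authentication time.
ATTRIBUTE_STORE = {
    "alice": {"mail": "alice@example.edu",
              "eduPersonAffiliation": ["staff", "member"],
              "memberOf": ["cn=payroll-admins,ou=groups,dc=example,dc=edu"]},
    "bob":   {"mail": "bob@example.edu",
              "eduPersonAffiliation": ["student", "member"],
              "memberOf": []},
}

# Constructed service registry: each service is released only what it needs.
SERVICE_REGISTRY = {
    "https://payroll.example.edu/": {"mail", "memberOf"},
    "https://wiki.example.edu/":    {"mail", "eduPersonAffiliation"},
}

PAYROLL_ADMINS = "cn=payroll-admins,ou=groups,dc=example,dc=edu"


def release_attributes(principal, service):
    """CAS side: return only the attributes the matching registered service is
    allowed to see; None if the service is not registered at all."""
    allowed = None
    for prefix, names in SERVICE_REGISTRY.items():
        if service.startswith(prefix):
            allowed = names
            break
    if allowed is None:
        return None
    stored = ATTRIBUTE_STORE.get(principal, {})
    return {name: stored[name] for name in allowed if name in stored}


def build_validate_response(principal, attributes):
    """CAS side: a /serviceValidate success body carrying the released attributes.
    Multi-valued attributes are emitted as repeated elements."""
    root = ET.Element(f"{{{CAS_NS}}}serviceResponse")
    success = ET.SubElement(root, f"{{{CAS_NS}}}authenticationSuccess")
    ET.SubElement(success, f"{{{CAS_NS}}}user").text = principal
    attrs_el = ET.SubElement(success, f"{{{CAS_NS}}}attributes")
    for name, value in attributes.items():
        for v in (value if isinstance(value, list) else [value]):
            ET.SubElement(attrs_el, f"{{{CAS_NS}}}{name}").text = v
    return ET.tostring(root, encoding="unicode")


def parse_validate_response(xml_text):
    """Service side: extract (principal, attributes); every attribute value is a
    list so single- and multi-valued attributes are handled the same way."""
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        return None, {}
    user = success.findtext(f"{{{CAS_NS}}}user")
    attrs = {}
    attrs_el = success.find(f"{{{CAS_NS}}}attributes")
    if attrs_el is not None:
        for child in attrs_el:
            name = child.tag.split("}", 1)[1]     # strip the namespace
            attrs.setdefault(name, []).append(child.text or "")
    return user, attrs


def payroll_authorizes(attrs):
    """Service side: the payroll application's own rule. CAS has no part in it."""
    return PAYROLL_ADMINS in attrs.get("memberOf", [])


def access_decision(principal, service):
    """End to end for the demo: release, serialize, parse, authorize.
    Returns (user, attributes, allowed), or None for an unregistered service."""
    released = release_attributes(principal, service)
    if released is None:
        return None
    user, attrs = parse_validate_response(build_validate_response(principal, released))
    return user, attrs, payroll_authorizes(attrs)


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, access_decision(who, "https://payroll.example.edu/"))
```

Note that `release_attributes` never hands the wiki the `memberOf` groups even though the store has them, and that `payroll_authorizes` lives entirely on the service side: changing who may use payroll is a change to the service, not to CAS, which is exactly the decentralization the section describes.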

Product Comparison

                           CAS      Shibboleth   OpenID   SiteMinder   OpenSSO
  Forced reauthentication  Yes      No           ?        ?            ?
  Delegated authentication Yes      Yes (1)      ?        ?            ?
  Attribute release        Yes      Yes          ?        ?            ?
  Authorization services   No (2)   No (2)       ?        ?            ?
  Single sign-out          Yes      No           ?        ?            ?
  Federation support       No       Yes          No       No           No

Yes = supported; No = not supported; ? = unknown.

Notes:
1. Delegated authentication is supported in Shibboleth out of the box in v2.2 and later, and in v2.1.3 and later with the delegation plugin.
2. As discussed in the Authorization section, CAS supports authorization by services via the attribute release feature. Shibboleth uses the same decentralized approach to authorization.

Support

CAS is supported by a community of developers and users via a variety of means:

  • Formal product documentation
  • Real-time user support via the cas-user@lists.jasig.org mailing list
  • Jasig conferences

It is important to note that mailing list inquiries typically receive a response within minutes and are often resolved the same day, frequently in the first reply. The CAS community spans multiple industries and the globe; with that breadth it is very likely that an active community member has an answer or insight for the problem at hand.

In addition to community support, a number of Jasig partners offer paid support for CAS:
