
4/7/2011 Purdue University Identity and Access Management 1

A detailed walk through a CAS authentication
(and how to get your mitts on the authenticated user)

Welcome!

First of all, what is CAS?

- Web single sign on
- Uses "federated" authentication, where all authentication is done by the CAS server, instead of individual application servers
- The implementation is an open source protocol, open source Java server, and several open source clients
- Purdue runs a CAS server, configured to authenticate with Purdue Career Account (https://www.purdue.edu/apps/account/cas)
- As of 4/5/2011, 349 application servers are authorized to check CAS tickets

More can be found at:
http://www.jasig.org/cas
https://www.purdue.edu/apps/account/docs/CAS/CAS_information.jsp

There are three machines in this game

a) Browser

b) Application server
  - Configured with a CAS client to require authentication for certain urls

c) CAS server (http://www.jasig.org/cas)
  - Serves CAS login web page and authenticates users
  - Issues TGT cookie (ticket granting ticket) so user does not have to login every redirect to CAS server
  - Redirects back to application server with ticket=ST-xxx service ticket in url for CAS client to check
  - Validates CAS service tickets for application servers


Sequence diagram between Browser, CAS server and sampleapp:

1) initial request
2) redirect to CAS login page with service=url_back_to_sampleapp_page
3) request CAS login page
4) html for CAS login page
5) POST login and password
6) set CASTGC cookie and redirect to sampleapp with ticket=ST-xxx
7) back to initial request, with ticket=ST-xxx (the service ticket)
8) validate ST-xxx service ticket
9) ticket validation response
10) sampleapp responds with application page

Step 1 - initial request

- "sampleapp" application server is configured with a CAS client to require authentication for certain urls (in this example /test)
- User with browser accesses /test on sampleapp
- If browser does not already have session on sampleapp, sampleapp transfers control to the CAS client
- If the CAS client does not see a ticket parameter in the request, user is redirected back to the CAS login page with service=url_to_return_to, in this example http://localhost:8080/sampleapp/test

Step 2 - redirect to CAS login page

- User is redirected back to CAS server for authentication
- Application server (sampleapp) logs:


2011-03-29 09:16:46,843 DEBUG
[org.jasig.cas.client.authentication.AuthenticationFilter] - <no ticket and no
assertion found>
2011-03-29 09:16:46,843 DEBUG
[org.jasig.cas.client.authentication.AuthenticationFilter] - <Constructed service
url: http://localhost:8080/sampleapp/test/>
2011-03-29 09:16:46,844 DEBUG
[org.jasig.cas.client.authentication.AuthenticationFilter] - <redirecting to
"https://www.purdue.edu/apps/account/cas-server-uber-webapp-3.4.6/login?service=
2F%2Flocalhost%3A8080%2Fsampleapp%2Ftest%2F">
application server access log:
0:0:0:0:0:0:0:1 - - [29/Mar/2011:09:16:46 -0400] "GET /sampleapp/test/ HTTP/1.1"
302 -

Step 3 - browser requests CAS login page

- CAS server checks for its CASTGC cookie (ticket granting ticket); if it's there, user is already authenticated via CAS, skip to step 6 and redirect back to sampleapp with a service ticket
- If no CASTGC is present, serve browser the CAS login page

CAS server access log:


0:0:0:0:0:0:0:1 - - [29/Mar/2011:09:16:47 -0400] "GET /cas-server-uber-webapp-
3.4.6/login?service=http%3A%2F%2Flocalhost%3A8080%2Fsampleapp%2Ftest%2F HTTP/1.1"
200 6935

Step 4 - CAS server sends login page to browser

This is nice because application servers do not need to
- maintain their own login page
- maintain login/password credentials to do the actual authentication
- even see the password, it's between the browser and CAS server

Step 5 - browser POSTs login/password to CAS server

- CAS server checks login and password; if authentication fails, serve another login page to browser
- Too many unsuccessful authentication attempts in a short period of time will result in a "lockout", where authentication will always fail for a 15 minute lockout period

CAS server access log:


0:0:0:0:0:0:0:1 - - [29/Mar/2011:09:16:52 -0400] "POST /cas-server-uber-webapp-
3.4.6/login?service=http%3A%2F%2Flocalhost%3A8080%2Fsampleapp%2Ftest%2F HTTP/1.1"
302 -

Step 6 - CAS server redirects back to application server

- A ticket granting ticket TGT-xxx is stored on the CAS server, and set as a CASTGC cookie
- A service ticket is issued for the application (http://localhost:8080/sampleapp/test/) and sent as a parameter back to the application server
2011-03-29 09:16:52,208 DEBUG
[org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie with
name [CASTGC] and value [TGT-1-wKQjkOhweJE6MMTNCqTwv6WojMDBL61GISejnyCfigrMFCumYu-
cas]>
2011-03-29 09:16:52,214 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry]
- <Added ticket [ST-1-bdgbwHIReBonmaudvxJl-cas] to registry.>
2011-03-29 09:16:52,214 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] -
<Granted service ticket [ST-1-bdgbwHIReBonmaudvxJl-cas] for service
[http://localhost:8080/sampleapp/test/] for user [jott]>

Step 7 - browser re-requests url from application server, with a CAS service ticket

- Application server still has not yet established a session, so CAS client takes control
- CAS client sees a ticket parameter in the url, that can be checked with the CAS server
- CAS service ticket is only valid one time, and the CAS client needs to use it within 90 seconds or it will expire

Step 8 - application server checks CAS service ticket sent by browser in url

CAS client preparing to check service ticket:


2011-03-29 09:16:52,231 DEBUG
[org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] -
<Attempting to validate ticket: ST-1-bdgbwHIReBonmaudvxJl-cas>
2011-03-29 09:16:52,232 DEBUG
[org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Constructing
validation url: https://www.purdue.edu/apps/account/cas-server-uber-webapp-
3.4.6/serviceValidate?ticket=ST-1-bdgbwHIReBonmaudvxJl-cas&service=http%3A%2F
%2Flocalhost%3A8080%2Fsampleapp%2Ftest%2F>

CAS server access log:


127.0.0.1 - - [29/Mar/2011:09:16:52 -0400] "GET /cas-server-uber-webapp-
3.4.6/serviceValidate?ticket=ST-1-bdgbwHIReBonmaudvxJl-cas&service=http%3A%2F
%2Flocalhost%3A8080%2Fsampleapp%2Ftest%2F HTTP/1.1" 200 281

Step 9 - CAS server responds to ticket check

CAS server response (notice the NEW attributes!):


2011-03-29 09:16:52,327 DEBUG
[org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Server response:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>jott</cas:user>
<cas:attributes>
<cas:email>jott@purdue.edu</cas:email>
<cas:i2a2characteristics>0,3592,2000</cas:i2a2characteristics>
<cas:lastname>Ott</cas:lastname>
<cas:firstname>Jeffrey A</cas:firstname>
<cas:fullname>Jeffrey A Ott</cas:fullname>
<cas:puid>0012345678</cas:puid>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
>

You can test this now yourself against the new CAS server version 3.4.6 (which will become production in May 2011):
https://www.purdue.edu/apps/account/cas-server-uber-webapp-3.4.6/login
https://www.purdue.edu/apps/account/cas-server-uber-webapp-3.4.6/serviceValidate
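As an added example (not code from these slides or from the Jasig client), this is what the CAS client side of steps 8 and 9 amounts to in Python: build the serviceValidate URL with the ticket and the exact service URL, then parse the XML response so that a cas:authenticationFailure is an error rather than a silently empty user. The CAS server prefix and both sample responses are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Namespace used by the CAS 2.0 serviceValidate response shown in step 9.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def validation_url(cas_server_prefix, ticket, service):
    """Build the /serviceValidate URL the CAS client fetches in step 8.
    `service` must be the exact URL the ticket was issued for, or the
    CAS server will refuse the ticket."""
    query = urlencode({"ticket": ticket, "service": service})
    return f"{cas_server_prefix}/serviceValidate?{query}"


def parse_validation_response(xml_text):
    """Return (user, attributes) from cas:authenticationSuccess; raise
    ValueError on cas:authenticationFailure or a malformed body, so a
    rejected ticket can never be mistaken for a logged-in user."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        raise ValueError(f"CAS rejected ticket: {code} {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    user = success.findtext("cas:user", namespaces=CAS_NS) if success is not None else None
    if not user:
        raise ValueError("malformed CAS response: no authenticated user")
    attributes = {}
    for child in success.iterfind("cas:attributes/*", CAS_NS):
        # Tags arrive as "{http://www.yale.edu/tp/cas}email"; keep the local name.
        attributes[child.tag.split("}", 1)[-1]] = (child.text or "").strip()
    return user, attributes


# Constructed sample responses in the step 9 format (not real user data).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>sampleuser</cas:user>
<cas:attributes>
<cas:email>sampleuser@example.edu</cas:email>
<cas:lastname>Sample</cas:lastname>
<cas:firstname>Ann</cas:firstname>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_TICKET'>Ticket 'ST-1-used' not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

The service value is URL-encoded exactly as in the step 8 log line, and a second use of the same one-time ticket comes back as an authenticationFailure like SAMPLE_FAILURE.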

Step 10 - application server sends requested page

- Some CAS clients (including the Java CAS client) can be configured to redirect the browser to the same url, but without the ticket parameter

Application server access log:


0:0:0:0:0:0:0:1 - - [29/Mar/2011:09:16:52 -0400] "GET /sampleapp/test/?ticket=ST-1-
bdgbwHIReBonmaudvxJl-cas HTTP/1.1" 302 -
0:0:0:0:0:0:0:1 - - [29/Mar/2011:09:16:52 -0400] "GET /sampleapp/test/ HTTP/1.1"
200 202

Java CAS client

https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1

- Previous example used version 3.1.10
- Looking at one CAS client will help understand how any of them will need to be configured
- Next two slides show the web.xml to configure the Java CAS client for the previous example:
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://www.purdue.edu/apps/account/cas-server-uber-webapp-3.4.6/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://www.purdue.edu/apps/account/cas-server-uber-webapp-3.4.6</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>exceptionOnValidationFailure</param-name>
<param-value>false</param-value>
</init-param>
</filter>

Continued web.xml for Java CAS client configuration:
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/test/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/test/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/test/*</url-pattern>
</filter-mapping>

CAS is not just for web applications

- Browsers hold CAS state with a cookie (called CASTGC, that holds a CAS ticket granting ticket - TGT), but any client, such as a mobile app, can obtain and store a TGT
- See https://wiki.jasig.org/display/CASUM/RESTful+API

Example:
POST a username and password to https://CAS_SERVER_URL/v1/tickets
(with Accept: text/plain as a header)
And if the login/password check out, the server sends back
201 Created
Location: https://CAS_SERVER_URL/v1/tickets/{TGT id}
If authentication fails, the server returns back a 400 code

Initiatives for later this year:

- Ability to use BoilerKey for CAS authentication:
  - If BoilerKey is used, CAS server will expose an extra attribute returned by the ticket check that indicates that the authentication was a BoilerKey authentication
- Separate mobile app CAS login page
- Application server administrators will be able to manage CAS ticket check server lists via web page

Check for more at:
https://www.purdue.edu/apps/account/docs/CAS/CAS_information.jsp
https://www.purdue.edu/apps/account/IAMO/Purdue_CareerAccount_BoilerKey.jsp

Thanks for your attention!

Questions?

Purdue Identity and Access Management can be reached at accounts@purdue.edu

Please fill out an evaluation at
http://www.itap.purdue.edu/boilerweb/survey
