Central Authentication Service

This article is about Central Authentication Service. For Community Authorization Service, see Globus Toolkit.

The Central Authentication Service (CAS) is a single sign-on protocol for the web.^[1] Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.

Description

The CAS protocol involves at least three parties: a client web browser, the web application requesting authentication, and the CAS server. It may also involve a back-end service, such as a database server, that does not have its own HTTP interface but communicates with a web application.

When the client visits an application desiring to authenticate to it, the application redirects it to CAS. CAS validates the client's authenticity, usually by checking a username and password against a database (such as Kerberos, LDAP or Active Directory).

If the authentication succeeds, CAS returns the client to the application, passing along a service ticket. The application then validates the ticket by contacting CAS over a secure connection and providing its own service identifier and the ticket. CAS then gives the application trusted information about whether a particular user has successfully authenticated.

CAS allows multi-tier authentication via proxy address. A cooperating back-end service, like a database or mail server, can participate in CAS, validating the authenticity of users via information it receives from web applications. Thus, a webmail client and a webmail server can all implement CAS.

History

CAS was conceived and developed by Shawn Bayern of Yale University Technology and Planning. It was later maintained by Drew Mazurek at Yale. CAS 1.0 implemented single-sign-on. CAS 2.0 introduced multi-tier proxy authentication. Several other CAS distributions have been developed with new features.

In December 2004, CAS became a project of the Java in Administration Special Interest Group (JASIG), which is as of 2008 responsible for its maintenance and development. Formerly called "Yale CAS", CAS is now also known as "Jasig CAS". In 2010, Jasig entered into talks with the Sakai Foundation to merge the two organizations. The two organizations were consolidated as Apereo Foundation in December 2012.

In December 2006, the Andrew W. Mellon Foundation awarded Yale its First Annual Mellon Award for Technology Collaboration, in the amount of $50,000, for Yale's development of CAS.^[2] At the time of that award CAS was in use at "hundreds of university campuses (among other beneficiaries)".

In May 2014, CAS Protocol specification 3.0 was released.^[3]

CAS Server features

CAS v1, v2 and v3 Protocol
SAML v1 and v2 Protocol
OAuth Protocol
OpenID & OpenID Connect Protocol
Authentication via JAAS, LDAP, RDBMS, X.509, Radius, SPNEGO, JWT, Stormpath, Remote, Trusted, BASIC, Apache Shiro, MongoDb, Pac4J and more.
Delegated authentication to WS-FED, Facebook, Twitter, SAML IdP, OpenID, OpenID Connect, CAS and more.
Authorization via ABAC, Time/Date, Internet2's Grouper and more.
HA clustered deployments via Hazelcast, Ehcache, JPA, Memcached, Apache Ignite, Couchbase and more.
Application registration backed by JSON, LDAP, JPA, Couchbase, MongoDb and more.
Multifactor authentication via Duo Security, YubiKey, RSA, Google Authenticator and more.
Administrative UIs to manage logging, monitoring, statistics, configuration, client registration and more.
Global and per-application user interface theme and branding.

The foundations of CAS are built upon: Spring Framework, Spring Boot, Spring Cloud, Spring Session and Thymeleaf.

References

↑ "JASIG CAS Protocol Page". Apereo/JASIG. Retrieved 24 June 2016.
↑ Mellon Award for Technology Collaboration press release (PDF).
↑ "CAS Protocol Specification 3.0". Retrieved 3 January 2015.

External links

Authentication

Authentication APIs	BSD Authentication (BSD Auth) eAuthentication Generic Security Services API (GSSAPI) Java Authentication and Authorization Service (JAAS) OAuth OpenID OpenID Connect (OIDC) Pluggable Authentication Modules (PAM) Simple Authentication and Security Layer (SASL) Security Support Provider Interface (SSPI) XCert Universal Database API (XUDA)

Authentication protocol	ACF2 AKA CAVE-based authentication Challenge-Handshake Authentication Protocol (CHAP) MS-CHAP Central Authentication Service (CAS) CRAM-MD5 Diameter Extensible Authentication Protocol (EAP) Host Identity Protocol (HIP) Kerberos LAN Manager NT LAN Manager (NTLM) Password-authenticated key agreement protocols Password Authentication Protocol (PAP) Protected Extensible Authentication Protocol (PEAP) Remote Access Dial In User Service (RADIUS) Resource Access Control Facility (RACF) Secure Remote Password protocol (SRP) TACACS Woo–Lam

This article is issued from Wikipedia - version of the 6/24/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.