SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
Central Authentication Service (CAS)
8/3/2019 Central Authentication Service (CAS)
1/18
Central Authentication Service (CAS)
What is CAS?
JA-SIG Central Authentication Service is an enterprise-level, open-source, single sign-on solution with a Java server component and various client libraries written in a multitude of languages, including PHP, PL/SQL, Java and more.
CAS is an HTTP-based protocol that requires each of its components to be accessed through different URIs. Applications never see the user's password: the browser authenticates to the CAS server, the application receives an opaque ticket, and the application validates that ticket against the CAS server.
List of URIs to access CAS:
/login            Parameters: service, renew, gateway, warn
/logout           Parameters: url
/validate         Parameters: service, ticket, renew
/serviceValidate  Parameters: service, ticket, pgtUrl, renew
/proxy            Parameters: pgt, targetService
/proxyValidate    Parameters: service, ticket, pgtUrl, renew
/validate is the CAS 1.0 plain-text validator (yes/no); /serviceValidate and /proxyValidate return CAS 2.0 XML, and only /proxyValidate accepts proxy tickets in addition to service tickets.
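How a CAS client drives these URIs, as an added Python example that is not part of the original slides: it builds the /login redirect, reconstructs the exact service URL to send to /serviceValidate (the ticket CAS appended must be stripped, and the value must match the one used at /login), and parses the CAS 2.0 XML response. The CAS host, the application URL and the XML bodies are constructed for illustration; the namespace URI and element names are those of the CAS 2.0 protocol.

```python
# Added example (not from the original slides): a minimal CAS 2.0 client in
# Python. It builds the /login redirect, reconstructs the exact service URL for
# /serviceValidate, and parses the XML the server returns. The host names and
# the XML bodies below are constructed for illustration; the CAS namespace URI
# and element names are those of the CAS 2.0 protocol.
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl
import xml.etree.ElementTree as ET

CAS_SERVER = "https://cas.example.org/cas"              # assumed CAS base URL
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}          # CAS 2.0 XML namespace


def login_url(service, renew=False, gateway=False):
    """Where to send an unauthenticated browser.

    renew=True forces re-authentication even if a TGT cookie exists (use for
    sensitive operations); gateway=True asks CAS to redirect straight back
    without a ticket when no SSO session exists. The protocol forbids combining
    them, so refuse up front instead of letting the server pick one."""
    if renew and gateway:
        raise ValueError("renew and gateway are mutually exclusive")
    params = {"service": service}
    if renew:
        params["renew"] = "true"
    if gateway:
        params["gateway"] = "true"
    return f"{CAS_SERVER}/login?{urlencode(params)}"


def service_without_ticket(request_url):
    """The service sent to /serviceValidate must be exactly the URL CAS
    redirected to, minus the ticket parameter CAS appended. Rebuild it from the
    incoming request rather than trusting a value the client supplied."""
    parts = urlsplit(request_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "ticket"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), ""))


def service_validate_url(service, ticket, pgt_url=None, renew=False):
    """/serviceValidate accepts service tickets only; a PT belongs to
    /proxyValidate, so reject the wrong prefix before making a round trip."""
    if not ticket.startswith("ST-"):
        raise ValueError("only ST- tickets may be sent to /serviceValidate")
    params = {"service": service, "ticket": ticket}
    if pgt_url:
        params["pgtUrl"] = pgt_url          # must be HTTPS; CAS checks its cert
    if renew:
        params["renew"] = "true"            # only accept tickets from a fresh login
    return f"{CAS_SERVER}/serviceValidate?{urlencode(params)}"


def parse_service_response(xml_text):
    """Return (user, pgt_iou) on success; raise on every other outcome."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise PermissionError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed CAS response: neither success nor failure")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    pgt_iou = success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)
    return user, pgt_iou


def handle_callback(request_url, fetch):
    """CAS has redirected the browser back to request_url with ?ticket=ST-...;
    validate it server to server. `fetch(url)` is injected (in production an
    HTTPS GET) so the flow can be exercised offline."""
    query = dict(parse_qsl(urlsplit(request_url).query))
    ticket = query.get("ticket")
    if not ticket:
        raise PermissionError("callback without ticket")
    service = service_without_ticket(request_url)
    return parse_service_response(fetch(service_validate_url(service, ticket)))


# Constructed sample responses in the CAS 2.0 format.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d2sfa23casd</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_url("https://app.example.org/cb", gateway=True))
    print(handle_callback("https://app.example.org/cb?ticket=ST-1-abc",
                          lambda url: SUCCESS_XML))
```

The validation call must go from the application server to the CAS server over HTTPS, never through the browser; a ticket that is only checked client-side is worthless, and a service URL that differs by so much as a trailing slash from the one sent to /login will be rejected by CAS as INVALID_SERVICE.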
Tickets generated by CAS
Ticket-granting Ticket (TGT)
Service Ticket (ST)
Proxy Ticket (PT)
Proxy-granting Ticket (PGT)
Proxy-granting Ticket IOU (PGTIOU)
Login Ticket (LT)
Ticket-granting Ticket
A ticket-granting ticket (TGT) is generated when the /login URL is requested on the CAS server and the credentials provided are successfully authenticated.
The TGT is the main access into the CAS service layer.
A TGT is an opaque string that contains secure random data and must begin with TGT-.
The TGT is stored in an HTTP cookie on the CAS server's domain (CASTGC in the Jasig server) upon establishment of single sign-on and is checked again when other applications send the browser to /login. Whoever holds that cookie holds the user's SSO session, so it must be marked Secure and HttpOnly and only ever travel over HTTPS.
Service Ticket
A service ticket (ST) is generated when the CAS /login URL carries a service parameter and the credentials passed are successfully authenticated; CAS appends it as the ticket parameter when redirecting the browser back to the service.
A service ticket is an opaque string that is used by the client as a credential to obtain access to a service. The service presents it back to CAS (/validate or /serviceValidate) together with the same service URL. A service ticket is only valid for the service it was issued to, expires after a short window and may be validated exactly once.
A service ticket must begin with ST-.
Proxy Ticket
In CAS, a proxy is a service that wants to access other services on behalf of a particular user.
Proxy tickets (PT) are generated by CAS upon a service's presentation of a valid proxy-granting ticket (PGT) and a service identifier for the back-end service to which it is connecting.
PTs are only valid for the service identifier specified to the /proxy URL when they were generated. Proxy tickets should begin with the characters PT-.
Proxy-granting Ticket
Proxy-granting tickets (PGT) are obtained from CAS upon validation of a service ticket or a proxy ticket. If a service wishes to proxy a client's authentication to a back-end service, it must acquire a proxy-granting ticket. Acquisition of this ticket is handled through a proxy callback URL, the pgtUrl parameter of /serviceValidate or /proxyValidate. The callback URL must be HTTPS and the CAS server verifies its certificate before delivering the PGT to it; this is what uniquely and securely identifies the service that is proxying the client's authentication.
The back-end service can then decide whether or not to accept the credentials based on the proxying service's identifying callback URL.
Proxy-granting Ticket IOU
A proxy-granting ticket IOU is an opaque string that is placed in the response provided by /serviceValidate or /proxyValidate and is used to correlate a service ticket or proxy ticket validation with a particular proxy-granting ticket. The PGT itself never appears in that response; it is delivered only to the callback URL, paired with the same IOU.
Proxy-granting ticket IOUs SHOULD begin with the characters "PGTIOU-".
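The proxy flow from the three slides above (PT, PGT and PGTIOU), as an added Python example that is not part of the original slides: the callback handler behind pgtUrl stores the pgtIou/pgtId pair CAS delivers, the validation handler claims the PGT by the IOU it found in its own /serviceValidate response, the /proxy round trip turns that PGT into a PT for one back-end, and the back-end checks the proxy chain reported by /proxyValidate against the callback URLs it trusts. Host names, the trusted-proxy list and the XML bodies are constructed for illustration; element names follow the CAS 2.0 protocol.

```python
# Added example (not from the original slides): the PGT / PGTIOU correlation
# and the /proxy round trip in Python. CAS delivers the PGT only to the pgtUrl
# callback (as pgtId, paired with pgtIou), while the service's own
# /serviceValidate response carries just the PGTIOU; the two are joined on the
# IOU. Host names and XML bodies are constructed for illustration; element
# names follow the CAS 2.0 protocol.
from urllib.parse import urlencode, parse_qsl
import xml.etree.ElementTree as ET

CAS_SERVER = "https://cas.example.org/cas"        # assumed CAS base URL
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}    # CAS 2.0 XML namespace


class ProxyGrantingStore:
    """PGTIOU -> PGT, filled by the HTTPS callback and drained by the
    validation handler. Each entry is handed out once: IOUs never repeat,
    so a second claim for the same IOU is a bug or a replay."""

    def __init__(self):
        self._by_iou = {}

    def on_callback(self, query_string):
        """Handle GET <pgtUrl>?pgtIou=...&pgtId=... from the CAS server and
        return the HTTP status to answer with. A request without parameters
        stores nothing and is still answered 200 (design choice here, so a
        reachability check of the callback does not fail)."""
        q = dict(parse_qsl(query_string))
        if not q:
            return 200
        iou, pgt = q.get("pgtIou", ""), q.get("pgtId", "")
        if not (iou.startswith("PGTIOU-") and pgt.startswith("PGT-")):
            return 400
        self._by_iou[iou] = pgt
        return 200

    def claim(self, iou):
        """Exchange the IOU found in a validation response for the PGT.
        Raises KeyError if the callback never arrived (e.g. CAS rejected the
        pgtUrl certificate) or if the IOU was already used."""
        return self._by_iou.pop(iou)


def proxy_url(pgt, target_service):
    if not pgt.startswith("PGT-"):
        raise ValueError("/proxy needs a PGT-, not a ticket of another kind")
    return f"{CAS_SERVER}/proxy?{urlencode({'pgt': pgt, 'targetService': target_service})}"


def parse_proxy_response(xml_text):
    """Return the PT from a /proxy response; raise on failure."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:proxyFailure", CAS_NS)
    if failure is not None:
        raise PermissionError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    pt = (root.findtext("cas:proxySuccess/cas:proxyTicket", namespaces=CAS_NS) or "").strip()
    if not pt.startswith("PT-"):
        raise ValueError("malformed /proxy response")
    return pt


def obtain_proxy_ticket(store, pgt_iou, target_service, fetch):
    """Front-end side: turn the IOU from /serviceValidate into a PT for one
    back-end. `fetch(url)` is injected so this runs offline."""
    pgt = store.claim(pgt_iou)
    return parse_proxy_response(fetch(proxy_url(pgt, target_service)))


def accept_proxied_user(xml_text, trusted_proxies):
    """Back-end side: /proxyValidate reports the chain of proxies (by the
    callback URLs they registered). Accept the user only if every hop is one
    we trust; an empty chain means the ticket came from a direct login."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise PermissionError("proxy ticket validation failed")
    chain = [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS)]
    untrusted = [p for p in chain if p not in trusted_proxies]
    if untrusted:
        raise PermissionError(f"untrusted proxy in chain: {untrusted}")
    return success.findtext("cas:user", namespaces=CAS_NS), chain


# Constructed sample responses in the CAS 2.0 format.
PROXY_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxySuccess>
    <cas:proxyTicket>PT-1856392-b98xZrQN4p90ASrw96c8</cas:proxyTicket>
  </cas:proxySuccess>
</cas:serviceResponse>"""

PROXY_VALIDATE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxies>
      <cas:proxy>https://portal.example.org/cas-callback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
```

The allow-list in accept_proxied_user is the decision the last slide above describes: a back-end that validates PTs without inspecting cas:proxies accepts proxied logins from any service that managed to register a pgtUrl with the CAS server.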
Login Ticket
A login ticket is a string that is generated by /login acting as a credential requestor (when it renders the login form) and passed back to /login acting as a credential acceptor for username/password authentication.
Its purpose is to prevent the replaying of credentials due to bugs in web browsers: a login ticket is accepted only once.
Login tickets SHOULD begin with the characters "LT-".
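One way a credential acceptor can enforce the single-use rule, as an added Python example that is not part of the original slides or of any CAS implementation: the form gets a fresh LT, the POST must return it, and the ticket is removed on first use so a browser re-submission or a captured credential POST is refused before the password is checked. The lifetime, token size and the accept_login helper are assumptions for illustration.

```python
# Added example (not from the original slides): a one-time login ticket
# (LT-) store in Python, as a credential acceptor would use it. Each rendering
# of the login form gets a fresh LT; the POST must return it; the ticket is
# consumed on first use so a browser re-submission or a captured credential
# POST is refused before the password is even looked at. Lifetime and token
# size are assumptions.
import secrets
import time


class LoginTicketStore:
    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._expires = {}          # LT -> expiry time
        self._ttl = ttl_seconds
        self._clock = clock         # injectable for deterministic tests

    def issue(self):
        """Called by /login acting as credential requestor (rendering the form)."""
        lt = "LT-" + secrets.token_urlsafe(24)
        self._expires[lt] = self._clock() + self._ttl
        return lt

    def consume(self, lt):
        """Called by /login acting as credential acceptor. True exactly once
        per issued, unexpired ticket: pop() removes it whether or not it is
        still valid, so an expired ticket cannot be retried either."""
        expiry = self._expires.pop(lt, None)
        return expiry is not None and self._clock() <= expiry

    def purge_expired(self):
        """Housekeeping for tickets whose forms were never submitted."""
        now = self._clock()
        for lt in [lt for lt, exp in self._expires.items() if exp < now]:
            del self._expires[lt]


def accept_login(store, form, check_password):
    """Order matters: the LT is checked first so a replayed form never
    reaches the password check, and a failed password still burns the LT
    (the user gets a fresh form with a new one). Returns (ok, reason)."""
    if not store.consume(form.get("lt", "")):
        return False, "stale or missing login ticket"
    if check_password(form.get("username", ""), form.get("password", "")):
        return True, "authenticated"
    return False, "bad credentials"
```

In a real deployment the ticket should additionally be bound to the requester's HTTP session so a ticket issued to one browser cannot be redeemed from another.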
CAS Architecture
URIs to access admin features:
/services/manage.html
/services/add.html
/services/edit.html
/services/logout.html
/services/deleteRegisteredService.html
Conventions used in the next slides.
TGT     Ticket-granting ticket
ST      Service ticket
PGT     Proxy-granting ticket
PGTIOU  Proxy-granting ticket IOU (I Owe You)
Action boxes colored in red: the action mentioned in these boxes happens at the CAS client and has to be coded by the developer in the filter/servlet/JSP.
Action boxes colored in sea blue: the action is explained in detail in another slide.
Rectangular box with a URI, placed before InitialState: the URI that needs to be called for the actions in the activity diagram to happen.