Central Authentication Service (CAS) Protocol Explained
Central Authentication Service, or CAS, is a single sign-on (SSO) protocol that lets web applications authenticate users through a central server.
A user enters their credentials once, at the CAS server, and can then authenticate to multiple applications; the applications themselves never receive the password. An application that requires authentication redirects the user to a single trusted central server, the CAS server.
Because the applications never handle the password, CAS can authenticate users to web applications that are not trusted with credentials: the application only receives a service ticket, which it validates with the CAS server. CAS authenticates a user, which is not the same as authorising one. Authorisation (what the user may do once authenticated) remains the responsibility of each application.
Once the initial configuration is done, the CAS approach is simple to maintain and roll out across a large network of applications. It offers users convenience and consistency, and it limits exposure of the password to a single trusted server instead of every application the user signs in to.
Understanding central authentication service (CAS)
CAS can provide an SSO (single sign-on) solution for multiple web applications to provide a more seamless end-user experience. The centralised authentication server, the CAS server, is a trusted source that can be used for authentication purposes.
The CAS protocol and authentication flow looks like this:
- A user attempts to access a web application that has no session for them yet. This is the first visit in this browser session to a CASified application (a web application that uses the CAS service).
- The application redirects the browser to the CAS server's login endpoint, passing its own service URL as a parameter.
- The user enters their login credentials once, on the CAS server, and the CAS server determines whether the user is authentic.
- Once the user is authenticated, the CAS server redirects the browser back to the application's service URL with a service ticket (ST) appended as a query parameter.
- The application then contacts the CAS server directly (server to server, not via the browser) to validate the service ticket for its service URL. If the ticket is valid, the CAS server returns the authenticated username, the application establishes its own session, and the user is returned to the page they requested.
With CAS, the user does not have to repeat this process when moving between applications within a single sign-on session. When the user signs in to the CAS server, it sets a cookie in the browser (the ticket-granting cookie) that records the authenticated session; later redirects to the CAS server from other applications are answered with a new service ticket without asking for the credentials again.
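The exchange described above, as an added example that is not part of the original page and not Apereo CAS code: a minimal offline model of the CAS 2.0 flow in which the CAS server and a CASified application are plain Python objects and the "messages" are the URLs and XML bodies that would cross the wire. Hostnames, the sample user, the ticket format and the helper names (`CasServer`, `CasifiedApp`, `demo`) are assumptions for illustration. It also shows the three checks a client relies on the server for: a service ticket is single-use, it is bound to the service URL it was issued for, and it expires quickly.

```python
"""Offline model of the CAS 2.0 SSO exchange (constructed example, not Apereo code)."""
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace of the CAS 2.0 XML response
ST_TTL = 10                              # assumed service-ticket lifetime in seconds


def failure(code, msg):
    """CAS 2.0 /serviceValidate failure body."""
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
            f'<cas:authenticationFailure code="{code}">{msg}'
            "</cas:authenticationFailure></cas:serviceResponse>")


class CasServer:
    """Trusted central server: the only party that ever checks the password."""

    def __init__(self, users, base="https://cas.example.edu/cas"):
        self.users = users      # username -> password (constructed sample data)
        self.base = base
        self.tgts = {}          # ticket-granting cookie value -> username (SSO session)
        self.tickets = {}       # service ticket -> (username, service, issued_at)

    def login(self, service, username=None, password=None, tgc=None):
        """Model of GET /login?service=...; returns (redirect_url, tgc).

        A browser presenting a valid ticket-granting cookie is not asked for
        credentials again: that is the single sign-on part of the protocol.
        """
        if tgc in self.tgts:
            user = self.tgts[tgc]
        elif username and self.users.get(username) == password:
            user = username
            tgc = "TGC-" + secrets.token_urlsafe(16)
            self.tgts[tgc] = user
        else:
            return None, None
        st = "ST-" + secrets.token_urlsafe(16)
        self.tickets[st] = (user, service, time.time())
        sep = "&" if urlparse(service).query else "?"
        return f"{service}{sep}{urlencode({'ticket': st})}", tgc

    def service_validate(self, service, ticket):
        """Model of the server-to-server /serviceValidate call; returns XML.

        The ticket is consumed on first use and must match the service it
        was issued for, so a ticket copied out of one application's URL
        cannot be replayed or presented to a different application.
        """
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return failure("INVALID_TICKET", "ticket not recognized or already used")
        user, issued_for, issued_at = entry
        if issued_for != service:
            return failure("INVALID_SERVICE", "ticket was issued for another service")
        if time.time() - issued_at > ST_TTL:
            return failure("INVALID_TICKET", "ticket expired")
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
                f"<cas:authenticationSuccess><cas:user>{user}</cas:user>"
                "</cas:authenticationSuccess></cas:serviceResponse>")


class CasifiedApp:
    """Web application that never sees the password, only service tickets."""

    def __init__(self, cas, service="https://app.example.edu/login"):
        self.cas = cas
        self.service = service

    def login_redirect(self):
        """URL the application sends an unauthenticated browser to."""
        return f"{self.cas.base}/login?{urlencode({'service': self.service})}"

    def handle_callback(self, url):
        """Pull ?ticket= off the callback URL and validate it server-side.

        Returns the authenticated username, or None if validation failed.
        """
        ticket = parse_qs(urlparse(url).query).get("ticket", [None])[0]
        if not ticket:
            return None
        root = ET.fromstring(self.cas.service_validate(self.service, ticket))
        user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
        return user.text if user is not None else None


def demo():
    """Run the flow once and report what each side observed."""
    cas = CasServer({"alice": "correct horse"})            # constructed credentials
    app = CasifiedApp(cas)
    other = CasifiedApp(cas, service="https://other.example.edu/login")
    bad, _ = cas.login(app.service, "alice", "wrong password")
    redirect, tgc = cas.login(app.service, "alice", "correct horse")
    user = app.handle_callback(redirect)                   # first use: "alice"
    replay = app.handle_callback(redirect)                 # same ticket again: None
    redirect2, _ = cas.login(other.service, tgc=tgc)       # SSO: cookie, no password
    sso_user = other.handle_callback(redirect2)            # "alice"
    redirect3, _ = cas.login(other.service, tgc=tgc)
    stolen = app.handle_callback(redirect3)                # wrong service: None
    return {"bad_password": bad, "user": user, "replay": replay,
            "sso_user": sso_user, "stolen": stolen}


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the model is that the application's only security-relevant step is the server-side validation call: it must pass the same service URL it used when redirecting, treat anything other than `authenticationSuccess` as a failed login, and never trust a `ticket` parameter on its own.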
Key components of CAS
The CAS protocol and authentication flow involves three (or four) parties.
- Client web browser: the user's own browser, which carries the redirects, the service ticket in the URL and the CAS server's cookie between the web application and the CAS server. It is not part of the application.
- Web application: the application seeking authentication.
- CAS server: the standalone component that authenticates users and issues the tickets that grant access to web applications using the CAS service.
- Back-end service: a service such as a database or mail server that has no HTTP interface of its own but that a web application communicates with; CAS can extend authentication to it through proxy tickets obtained by the web application.
The name CAS is also used for the open-source server software that implements the CAS protocol.
How to use CAS in your website
To integrate applications with the CAS protocol, you will first designate your CAS server. Everyone seeking authentication for these applicatio