
Background for Developers

Submitted by gerke on Wed, 2007-12-05 12:38.

CAS Introduction

CAS is a web-based Central Authentication Service for authentication and Single Sign On to University web applications. Web applications that accept CAS tokens may also allow for deep linking where users can directly enter an appropriate sub section of a web site or web application. It was originally developed at Yale and has since become a JA-SIG sponsored project. More details can be found at JA-SIG Central Authentication Service.

What your application sees

In order to use CAS, your application should be a web application. A user will enter your application with a parameter named ticket. By special request, you can also have CAS enter your application with a username parameter providing a UofC EID and a password parameter which is actually a CAS ticket.

The ticket is a single-use value that you can validate against CAS. If it is accepted, you will get some identity information about the user who logged into CAS and the strength of the authentication they used (password or token).

How does the user navigate between CAS and your application?

In order to reach CAS and then your application, the browser must be sent to a CAS URL carrying a service parameter. The service parameter is the login location of your application. This is usually done as a redirect from an application that requires login. For instance, to enter the application https://www.ucalgary.ca/itutil?process=CASMenu with a CAS ticket, the browser would need to open CAS with https://cas.ucalgary.ca/cas/login?service=https://www.ucalgary.ca/itutil?process=CASMenu

When successfully authenticated, the user's browser will be redirected back to the service with a ticket parameter:

https://www.ucalgary.ca/itutil?process=CASMenu&ticket=ST-18988-Ka7nKVnuFQ8s2kScT6WC

Ticket authentication and possible service points

Your application can validate a ticket using a few different service URLs on the CAS server, depending on the data you need and the client API you are using. To avoid rewriting the basic parts in code, a number of client APIs are available for general download at http://www.ja-sig.org/products/cas/client/index.html, with the Java API being the most mature. There is also a local custom client API for .Net developers which can be requested from cas@ucalgary.ca. In addition, you can write your own client API that makes an https request and parses the response. These are the service points available for validating CAS tickets, with example responses. The examples show sample responses for eid e.pilgrim with a username of epilgrim.

1. https://cas.ucalgary.ca/cas/validate

This service returns a simple one or two line text response:

a. Failed response

no

b. Successful response

yes
eid:e.pilgrim:password:071024160852-0600:136.159.113.37

The second line of the successful response contains the following 5 or 6 colon-separated pieces of information.

  • The realm authenticated to: eid, uidauthent, or secured
  • The username provided to CAS
  • The strength of authentication: password or token
  • The time that the CAS login occurred
  • The client IP address that logged into CAS
  • If the username provided to CAS was a primary IT username, then an associated EID will be appended to the end.

 

2. https://cas.ucalgary.ca/cas/serviceValidate

This is an XML response, but it carries essentially the same information as described for the 1st service point.

a. Failed responses

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_TICKET'>
ticket 'ST-20463-ZuiaAIgalBGqygOZoC6q' not recognized
</cas:authenticationFailure>
</cas:serviceResponse>

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_SERVICE'>
ticket 'ST-20974-n6POodHzmza0yBvc4cxF' does not match supplied service
</cas:authenticationFailure>
</cas:serviceResponse>

b. Successful response

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>eid:e.pilgrim:password:071024160852-0600:136.159.113.177</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>

3. https://cas.ucalgary.ca/cas/ucserviceValidate

This is an XML response with more details describing U of C attributes.

a. Failed responses

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_TICKET'>
ticket 'ST-20463-ZuiaAIgalBGqygOZoC6q' not recognized
</cas:authenticationFailure>
</cas:serviceResponse>

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_SERVICE'>
ticket 'ST-20974-n6POodHzmza0yBvc4cxF' does not match supplied service
</cas:authenticationFailure>
</cas:serviceResponse>

b. Successful response

<cas:serviceResponse xmlns:cas='http://www.ucalgary.ca/cas'>
<cas:authenticationSuccess>
<cas:user>eid:e.pilgrim:password:071024160852-0600:136.159.221.17</cas:user>
<cas:userOnly>e.pilgrim</cas:userOnly>
<cas:ucidList>
<cas:person>
<cas:ucid>07351642</cas:ucid>
<cas:ucidUIDs>
<cas:ituser>
<cas:username>epilgrim</cas:username>
<cas:userGroups>wem,staff</cas:userGroups>
</cas:ituser>
</cas:ucidUIDs>
<cas:userClassList>
<cas:userClass>camrec</cas:userClass>
<cas:userClass>hris.staff</cas:userClass>
<cas:userClass>hris.staff.mp</cas:userClass>
<cas:userClass>hris.peoplesoft</cas:userClass>
</cas:userClassList>
</cas:person>
<cas:person>
<cas:ucid>088442211</cas:ucid>
<cas:ucidUIDs>
<cas:ituser>
<cas:username>pilgrime</cas:username>
<cas:userGroups></cas:userGroups>
</cas:ituser>
</cas:ucidUIDs>
<cas:userClassList>
<cas:userClass>alumni</cas:userClass>
<cas:userClass>camrec</cas:userClass>
<cas:userClass>sis.student</cas:userClass>
</cas:userClassList>
</cas:person>
</cas:ucidList>
<cas:defaultItUserName>epilgrim</cas:defaultItUserName>
</cas:authenticationSuccess>
</cas:serviceResponse>

In addition to the information provided by the previous service point, this response provides the UCIDs, IT usernames and LDAP groups associated with the identity, as well as the user's preferred IT username.
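The serviceValidate and ucserviceValidate responses share one XML shape, so a single parser can handle both. The following is an added example, not part of this page or of the JA-SIG client libraries: it distinguishes authenticationFailure (returning the code) from authenticationSuccess, tolerates the two different cas: namespace URIs that appear in the examples above, and collects the per-person UCID, usernames, groups and user classes. The sample documents are constructed after the examples on this page; the ticket id in the failure sample is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed samples shaped like the serviceValidate / ucserviceValidate
# responses above; the ticket id is a placeholder, not a real ticket.
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_SERVICE'>
ticket 'ST-00000-PLACEHOLDER' does not match supplied service
</cas:authenticationFailure>
</cas:serviceResponse>"""

SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.ucalgary.ca/cas'>
<cas:authenticationSuccess>
<cas:user>eid:e.pilgrim:password:071024160852-0600:136.159.221.17</cas:user>
<cas:userOnly>e.pilgrim</cas:userOnly>
<cas:ucidList>
<cas:person>
<cas:ucid>07351642</cas:ucid>
<cas:ucidUIDs><cas:ituser>
<cas:username>epilgrim</cas:username>
<cas:userGroups>wem,staff</cas:userGroups>
</cas:ituser></cas:ucidUIDs>
<cas:userClassList>
<cas:userClass>camrec</cas:userClass>
<cas:userClass>hris.staff</cas:userClass>
</cas:userClassList>
</cas:person>
</cas:ucidList>
<cas:defaultItUserName>epilgrim</cas:defaultItUserName>
</cas:authenticationSuccess>
</cas:serviceResponse>"""


def _local(tag):
    """Drop the namespace URI: the page shows two different cas: URIs."""
    return tag.rsplit('}', 1)[-1]


def _parse_person(node):
    """Collect ucid, usernames, groups and user classes below one cas:person."""
    person = {'ucid': None, 'usernames': [], 'groups': [], 'user_classes': []}
    for elem in node.iter():
        name, text = _local(elem.tag), (elem.text or '').strip()
        if name == 'ucid':
            person['ucid'] = text
        elif name == 'username':
            person['usernames'].append(text)
        elif name == 'userGroups':
            person['groups'].extend(g for g in text.split(',') if g)
        elif name == 'userClass':
            person['user_classes'].append(text)
    return person


def parse_cas_xml(text):
    """Return a dict with ok=True and the identity data, or ok=False and the
    failure code; raises ValueError on a response that is neither."""
    root = ET.fromstring(text)
    if _local(root.tag) != 'serviceResponse':
        raise ValueError('not a cas:serviceResponse document')
    for child in root:
        name = _local(child.tag)
        if name == 'authenticationFailure':
            return {'ok': False, 'code': child.get('code', ''),
                    'message': (child.text or '').strip()}
        if name == 'authenticationSuccess':
            result = {'ok': True, 'user': '', 'persons': [],
                      'default_it_username': None}
            for elem in child:
                sub = _local(elem.tag)
                if sub == 'user':
                    result['user'] = (elem.text or '').strip()
                elif sub == 'defaultItUserName':
                    result['default_it_username'] = (elem.text or '').strip()
                elif sub == 'ucidList':
                    result['persons'] = [_parse_person(p) for p in elem]
            if not result['user']:
                raise ValueError('authenticationSuccess without cas:user')
            return result
    raise ValueError('serviceResponse with neither success nor failure')
```

A response that is neither a success nor a failure element is rejected rather than treated as a login, so a truncated or unexpected document never grants access.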

4. https://cas.ucalgary.ca/cas/ucssoValidate

This response is used to preserve compatibility with existing single sign-on applications originally written for the portal.

a. Failed response

n,Return code = 1, Ticket authentication error

b. Successful response

2,Return code = 0, Password authentication successful
List:
principal=e.pilgrim
ucid=07351642
ucid=088442211
barcode.07351642=0001011111
group.userclass.07351642=camrec
group.userclass.07351642=hris.staff
group.userclass.07351642=hris.staff.mp
group.userclass.07351642=hris.peoplesoft
username.secondary.07351642=broweb
username.primary.07351642=epilgrim
barcode.088442211=0000936369
group.userclass.088442211=alumni
group.userclass.088442211=camrec
group.userclass.088442211=sis.student
username.primary.088442211=pilgrime
IT-username=epilgrim
service=http://www.ucalgary.ca/itutil/test/
last-used=1193266089380
created-at=1193263732108
status=valid
security-level=2
authorized-location=136.159.213.77
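The ucssoValidate list format repeats keys (ucid appears once per identity, group.userclass.<ucid> once per class), so a plain dictionary would silently drop values. This added example, which is not code from this page or from the portal applications it mentions, parses the status line for the return code, keeps every value of every key, groups the per-UCID keys under their UCID, and refuses the identity unless status is valid and the service in the response is the one this application expects. The samples are constructed from the example above.

```python
import re

# Constructed samples in the ucssoValidate list format shown above.
SUCCESS_TEXT = """2,Return code = 0, Password authentication successful
List:
principal=e.pilgrim
ucid=07351642
ucid=088442211
barcode.07351642=0001011111
group.userclass.07351642=camrec
group.userclass.07351642=hris.staff
username.primary.07351642=epilgrim
barcode.088442211=0000936369
group.userclass.088442211=alumni
username.primary.088442211=pilgrime
IT-username=epilgrim
service=http://www.ucalgary.ca/itutil/test/
status=valid
security-level=2
authorized-location=136.159.213.77
"""
FAILURE_TEXT = "n,Return code = 1, Ticket authentication error\n"

_RETURN_CODE = re.compile(r'Return code\s*=\s*(\d+)')


def parse_ucsso(text, expected_service=None):
    """Parse a ucssoValidate response into {'ok', 'attrs', 'persons', 'error'}.
    attrs maps every key to a list because keys repeat; persons groups the
    keys of the form <name>.<ucid> under their UCID."""
    lines = text.splitlines()
    match = _RETURN_CODE.search(lines[0]) if lines else None
    if match is None:
        raise ValueError('missing "Return code" in first line')
    result = {'status_line': lines[0], 'attrs': {}, 'persons': {}, 'error': None,
              # the failure example starts with 'n,'; success with return code 0
              'ok': match.group(1) == '0' and not lines[0].startswith('n,')}
    if not result['ok']:
        result['error'] = lines[0]
        return result
    if len(lines) < 2 or lines[1].strip() != 'List:':
        raise ValueError('expected "List:" after the status line')
    for line in lines[2:]:
        if '=' not in line:
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        result['attrs'].setdefault(key, []).append(value)
        # barcode.<ucid>, group.userclass.<ucid>, username.primary.<ucid>, ...
        name, _, ucid = key.rpartition('.')
        if name and ucid.isdigit():
            result['persons'].setdefault(ucid, {}).setdefault(name, []).append(value)
    # checks a relying party should make before trusting the identity
    if result['attrs'].get('status') != ['valid']:
        result['ok'], result['error'] = False, 'status is not valid'
    elif expected_service and result['attrs'].get('service') != [expected_service]:
        result['ok'], result['error'] = False, 'service does not match this application'
    return result
```

Passing expected_service makes the parser reject a ticket that was issued for a different application, which is the same check CAS itself applies when it answers INVALID_SERVICE on the XML service points.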

How to force a new login to CAS?

If you wish to request that the existing CAS session be ended and the user authenticate to CAS again, include the following parameter and value in your redirect to CAS.

ca.ucalgary.authent.mustpost=true
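The redirect described under "How does the user navigate between CAS and your application?" and the forced-login parameter above can be built and consumed as follows. This is an added example, not code from this page or from the JA-SIG client libraries; the function names are my own. It percent-encodes the service URL (the example on this page shows it unencoded, but an application URL that already carries ?process=... must be encoded so its query is not mistaken for CAS login parameters), pulls the ticket out of the URL CAS redirects to, and reconstructs the service value, minus the ticket, that must be sent back to CAS on validation, since CAS rejects a ticket whose service does not match.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, urlunsplit

CAS_LOGIN = 'https://cas.ucalgary.ca/cas/login'
CAS_VALIDATE = 'https://cas.ucalgary.ca/cas/validate'


def cas_login_url(service, force_login=False):
    """Redirect target that sends the browser to CAS and back to `service`.
    The service URL is percent-encoded so its own query string is not read
    as parameters of the CAS login request."""
    params = {'service': service}
    if force_login:
        # parameter from this page: end the existing CAS session first
        params['ca.ucalgary.authent.mustpost'] = 'true'
    return CAS_LOGIN + '?' + urlencode(params)


def extract_ticket(request_url):
    """Return (ticket, service) from the URL CAS redirected the browser to,
    or (None, None) if there is not exactly one ticket parameter.
    `service` is the same URL with the ticket removed: that is the value to
    send back to CAS when validating, since CAS answers INVALID_SERVICE when
    the ticket was issued for a different service."""
    parts = urlsplit(request_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    tickets = query.pop('ticket', [])
    # service tickets in the examples on this page all carry the ST- prefix
    if len(tickets) != 1 or not tickets[0].startswith('ST-'):
        return None, None
    remaining = urlencode(query, doseq=True)
    service = urlunsplit((parts.scheme, parts.netloc, parts.path, remaining, ''))
    return tickets[0], service


def cas_validate_url(ticket, service):
    """URL the application fetches over https to validate the ticket."""
    return CAS_VALIDATE + '?' + urlencode({'ticket': ticket, 'service': service})
```

The ticket is single-use, so the application should fetch the validate URL once, server side, and never place the ticket in a page or log where it could be replayed.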

How does your client ensure that SecurID was used when logging into CAS?

Once you've received a response from CAS, you can check the method and realm in the response to ensure that the user logged into CAS with a SecurID token. For instance, Java or C# client code might include a test like the following (shown here in C#):

public static class CasMethods { public const string TOKEN = "token"; }
public static class CasRealms  { public const string SECURID = "securid"; }

// True only when CAS reports strength "token" in the securid realm
public bool AuthenticationIsSecurid()
{
    return AuthenticationMethod.Equals(CasMethods.TOKEN)
        && Realm.Equals(CasRealms.SECURID);
}

To ensure the login strength is SecurID before a ticket is issued, you can initially redirect the browser to the CAS login with the following parameter appended.

a.ucalgary.authent.securid=true
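The check above needs the realm and method fields, which come from the colon-separated identity line returned by service point 1 (https://cas.ucalgary.ca/cas/validate) and repeated inside cas:user on the XML service points. The following added example, not code from this page or from the JA-SIG clients, parses that line into its 5 or 6 fields and applies the SecurID test to the result. The first sample is the page's own example; the token sample and the "no" sample are constructed.

```python
# Samples in the cas/validate text format. OK_PASSWORD is the example from
# this page; OK_TOKEN (a securid-realm login with the EID appended as the
# sixth field) and NO_RESPONSE are constructed for this example.
OK_PASSWORD = "yes\neid:e.pilgrim:password:071024160852-0600:136.159.113.37\n"
OK_TOKEN = "yes\nsecurid:epilgrim:token:071024160852-0600:136.159.113.37:e.pilgrim\n"
NO_RESPONSE = "no\n"

FIELDS = ('realm', 'username', 'method', 'login_time', 'client_ip')


def parse_validate_response(text):
    """Return the identity dict for a 'yes' response, None for anything else.
    Raises ValueError when the server said 'yes' but the identity line is
    missing or malformed, so a broken response is never treated as a login."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != 'yes':
        return None                      # 'no', or something unexpected
    if len(lines) < 2:
        raise ValueError("'yes' response without an identity line")
    # IPv4 client addresses contain no colons, so a plain split is safe here
    fields = lines[1].strip().split(':')
    if len(fields) not in (5, 6):
        raise ValueError('expected 5 or 6 fields, got %d' % len(fields))
    identity = dict(zip(FIELDS, fields))
    # sixth field: EID appended when the username was a primary IT username
    identity['eid'] = fields[5] if len(fields) == 6 else None
    return identity


def authentication_is_securid(identity):
    """Same test as the C# AuthenticationIsSecurid above, on the parsed fields."""
    return (identity is not None
            and identity['method'] == 'token'
            and identity['realm'] == 'securid')
```

Because the method field is checked rather than the mere presence of a ticket, an application that requires SecurID still refuses a password-strength login even if the browser was not sent through the securid redirect parameter.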

Local use of client APIs

The Java client is available from http://www.ja-sig.org/products/cas/client/javaclient/index.html

Some local classes have been developed to extend it and these can be requested by sending email to CAS@ucalgary.ca.

A new client API for .Net developers has been developed. This can also be requested from CAS@ucalgary.ca and includes a simple web application that demonstrates the use of the API.

A variety of client libraries for other languages and environments can be found at
http://www.ja-sig.org/products/cas/client/index.html
http://www.ja-sig.org/products/cas/client/libraries/index.html