Central Authentication Service
The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.

Description

The CAS protocol involves at least three parties: a client web browser, the web application requesting authentication, and the CAS server. It may also involve a back-end service, such as a database server, that does not have its own HTTP interface but communicates with a web application.

When the client visits an application desiring to authenticate to it, the application redirects it to CAS. CAS validates the client's authenticity, usually by checking a username and password against a database (such as Kerberos or Active Directory).

If the authentication succeeds, CAS returns the client to the application, passing along a security ticket. The application then validates the ticket by contacting CAS over a secure connection and providing its own service identifier and the ticket. CAS then gives the application trusted information about whether a particular user has successfully authenticated.
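The login and ticket-validation steps above, modeled in memory as an added example (not code from the CAS software package or from this article). The `ToyCasServer` class, the sample user and the service URLs are constructed; the single-use, service-bound ticket behaviour and the XML response shape follow the CAS 2.0 protocol specification rather than anything stated in the article.

```python
import hmac
import secrets
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"  # XML namespace of CAS 2.0 responses

class ToyCasServer:
    """In-memory stand-in for a CAS server (illustrative only)."""

    def __init__(self, users):
        self._users = users      # constructed credential store: username -> password
        self._tickets = {}       # ticket -> (username, service it was issued for)

    def login(self, username, password, service):
        """Browser-facing step: check credentials, issue a ticket for `service`."""
        expected = self._users.get(username, "")
        if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        ticket = "ST-" + secrets.token_urlsafe(24)   # unguessable random ticket
        self._tickets[ticket] = (username, service)
        return ticket

    def service_validate(self, service, ticket):
        """Back-channel step: the application presents its service id and the ticket."""
        # pop() consumes the ticket on every attempt, so it cannot be replayed.
        username, issued_for = self._tickets.pop(ticket, (None, None))
        root = ET.Element(f"{{{CAS_NS}}}serviceResponse")
        if username is None or issued_for != service:
            fail = ET.SubElement(root, f"{{{CAS_NS}}}authenticationFailure")
            fail.set("code", "INVALID_TICKET" if username is None else "INVALID_SERVICE")
        else:
            ok = ET.SubElement(root, f"{{{CAS_NS}}}authenticationSuccess")
            ET.SubElement(ok, f"{{{CAS_NS}}}user").text = username
        return ET.tostring(root, encoding="unicode")

def app_authenticate(cas, service, ticket):
    """Application side: it never sees the password, only CAS's verdict on the ticket."""
    root = ET.fromstring(cas.service_validate(service, ticket))
    user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    return user.text if user is not None else None
```

A ticket captured from the redirect URL is useless once the application has validated it, and useless to any other service, which is why the application must send its own service identifier with every validation request.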

CAS allows multi-tier authentication via proxy address. A cooperating back-end service, like a database or mail server, can participate in CAS, validating the authenticity of users via information it receives from web applications. Thus, a webmail client and a webmail server can both implement CAS.

History

CAS was conceived and developed by Shawn Bayern of Yale University Technology and Planning. It was later maintained by Drew Mazurek at Yale. CAS 1.0 implemented single-sign-on. CAS 2.0 introduced multitier proxy authentication. Several other CAS distributions have been developed with new features.

In December 2004, CAS became a project of the Java Architectures Special Interest Group, which, as of 2008, is responsible for its maintenance and development. Formerly called "Yale CAS", CAS is now also known as "Jasig CAS".

In December 2006, the Andrew W. Mellon Foundation awarded Yale its First Annual Mellon Award for Technology Collaboration, in the amount of $50,000, for Yale's development of CAS. At the time of that award CAS was in use at "hundreds of university campuses (among other beneficiaries)".

See also

  • OpenID
  • Shibboleth (Internet2)
  • Pubcookie
  • JOSSO
  • SAML
  • CoSign single sign on
  • Stanford WebAuth
  • University of Minnesota CookieAuth
  • OpenAM


The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 