cas presentation 20110407

Upload: david-cruz

Post on 03-Jun-2018


TRANSCRIPT

  • 8/12/2019 Cas Presentation 20110407

    1/19

    2/19

    3/19

    4/7/2011 Purdue University Identity and Access Management 3

    A detailed walk through a CAS authentication

    (and how to get your mitts on the authenticated user)

    Browser

    CAS server

    sampleapp

    1) initial request

    2) redirect to CAS login page with service=url_back_to_sampleapp_page

    3) request CAS login page

    4) html for CAS login page

    5) POST login and password

    6) set CASTGC cookie and redirect to sampleapp with ticket=ST

    4/19

    Step 1: initial request

    sampleapp's application server is configured with a CAS client to require authentication for certain urls (in this example /test)

    User with browser accesses /test on sampleapp

    If browser does not already have a session on sampleapp, sampleapp transfers control to the CAS client

    If the CAS client does not see a ticket parameter in the request, user is redirected back to the CAS login page with service=url_to_return_to, in this example http://localhost:8080/sampleapp/test/

    5/19

    Step 2: redirect to CAS login page

    User is redirected back to CAS server for authentication

    Application server (sampleapp) logs:

    2011-03-29 09:16:46,843 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] -
    2011-03-29 09:16:46,843 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] -
    2011-03-29 09:16:46,844 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] -

    Application server access log:

    0:0:0:0:0:0:0:1 - - [29/Mar/2011:09:16:46 -0400] "GET /sampleapp/test/ HTTP/1.1" 302 -

    6/19

    Step 3: browser requests CAS login page

    CAS server checks for its CASTGC cookie (ticket granting ticket); if it's there, user is already authenticated via CAS, skip to step 6 and redirect back to sampleapp with a service ticket

    If no CASTGC is present, serve browser the CAS login page

    CAS server access log:

    0:0:0:0:0:0:0:1 - - [29/Mar/2011:09:16:47 -0400] "GET /cas-server-uber-webapp-3.4.6/login?service=http%3A%2F%2Flocalhost%3A8080%2Fsampleapp%2Ftest%2F HTTP/1.1" 200 6935

    7/19

    Step 4: CAS server sends login page to browser

    This is nice because application servers do not need to:

    maintain their own login page

    maintain login/password credentials to do the actual authentication

    even see the password; it's between the browser and CAS server

    8/19

    Step 5: browser POSTs login/password to CAS server

    CAS server checks login and password; if authentication fails, serve another login page to browser

    Too many unsuccessful authentication attempts in a short period of time will result in a "lockout", where authentication will always fail for a 1 minute lockout period

    CAS server access log:

    0:0:0:0:0:0:0:1 - - [29/Mar/2011:09:16:52 -0400] "POST /cas-server-uber-webapp-3.4.6/login?service=http%3A%2F%2Flocalhost%3A8080%2Fsampleapp%2Ftest%2F HTTP/1.1" 302 -

    9/19

    Step 6: CAS server redirects back to application server

    A ticket granting ticket (TGT)

    10/19

    Step 7: browser re

    11/19

    Step 8: application server checks CAS service ticket sent by browser in url

    CAS client preparing to check service ticket:

    2011-03-29 09:16:52,231 DEBUG [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] -
    2011-03-29 09:16:52,232 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] -

    CAS server access log:

    127.0.0.1 - - [29/Mar/2011:09:16:52 -0400] "GET /cas-server-uber-webapp-3.4.6/serviceValidate?ticket=ST-1-bdgbwHIReBonmaudvxJl-cas&service=http%3A%2F%2Flocalhost%3A8080%2Fsampleapp%2Ftest%2F HTTP/1.1" 200 281

    12/19

    Step 9: CAS server responds to ticket check

    CAS server response (notice the NEW attributes!):

    2011-03-29 09:16:52,327 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] -

    You can test this now yourself against the new CAS server version 3.4.6 (which will become production in May 2011):

    https://www.purdue.edu/apps/account/cas-server-uber-webapp-3.4.6/login
    https://www.purdue.edu/apps/account/cas-server-uber-webapp-3.4.6/serviceValidate

    13/19

    Step 10: application server sends requested page

    Some CAS clients (including the Java CAS client) can be configured to redirect the browser to the same url, but without the ticket parameter

    Application server access log:

    0:0:0:0:0:0:0:1 - - [29/Mar/2011:09:16:52 -0400] "GET /sampleapp/test/?ticket=ST-1-bdgbwHIReBonmaudvxJl-cas HTTP/1.1" 302 -
    0:0:0:0:0:0:0:1 - - [29/Mar/2011:09:16:52 -0400] "GET /sampleapp/test/ HTTP/1.1" 200 202
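The ticket handling of steps 2, 9 and 10 in working code, as an added Python example that is not the presentation's or the Jasig client's code: it builds the login redirect URL exactly as it appears in the access logs, parses a CAS 2.0 serviceValidate response to pull out the user and the attributes (the NEW attributes of step 9), refuses anything that is not an authenticationSuccess, and strips the ticket parameter the way redirectAfterValidation does in step 10. The two XML responses are constructed samples and the attribute names are assumed.

```python
"""CAS 2.0 client-side helpers for steps 2, 9 and 10 (added example, not the Jasig client)."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace of /serviceValidate responses


def login_redirect_url(cas_login_url, service):
    """Step 2: redirect target; the service URL is percent-encoded as in the access log."""
    return cas_login_url + "?" + urlencode({"service": service})


def strip_ticket(url):
    """Step 10: same URL minus the ticket parameter (what redirectAfterValidation=true does)."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "ticket"]
    return urlunsplit(parts._replace(query=urlencode(query)))


class TicketValidationError(Exception):
    """CAS answered <cas:authenticationFailure>; args are (code, message) for the app log."""


def parse_service_validate(xml_text):
    """Step 9: return (user, attributes) from a serviceValidate response.
    Attributes come from <cas:attributes>; a repeated element name becomes a list."""
    root = ET.fromstring(xml_text)
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        raise TicketValidationError(failure.get("code"), (failure.text or "").strip())
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None:  # neither element: treat as failure, never as a logged-in user
        raise TicketValidationError("UNEXPECTED_RESPONSE", "no authenticationSuccess element")
    user = success.findtext(CAS_NS + "user")
    attributes = {}
    for element in success.findall(CAS_NS + "attributes/*"):
        name = element.tag.replace(CAS_NS, "")
        value = (element.text or "").strip()
        if name in attributes:  # multi-valued attribute, e.g. group memberships
            prev = attributes[name]
            attributes[name] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            attributes[name] = value
    return user, attributes


# Constructed sample responses (attribute names assumed, not captured from Purdue's server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationSuccess>
<cas:user>jdoe</cas:user><cas:attributes><cas:mail>jdoe@example.edu</cas:mail>
<cas:memberOf>staff</cas:memberOf><cas:memberOf>it</cas:memberOf></cas:attributes>
</cas:authenticationSuccess></cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationFailure
code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure></cas:serviceResponse>"""
```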

    14/19

    Java CAS client

    https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1

    Previous example used version 3.1.10

    Looking at one CAS client will help understand how any of them will need to be configured

    Next two slides show the web.xml to configure the Java CAS client for the previous example

    15/19

    web.xml for Java CAS client configuration (filter definitions and their init-params)

    CAS Authentication Filter
      filter-class: org.jasig.cas.client.authentication.AuthenticationFilter
      casServerLoginUrl: https://www.purdue.edu/apps/account/cas-server-uber-webapp-3.4.6/login
      serverName: http://localhost:8080

    CAS Validation Filter
      filter-class: org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
      casServerUrlPrefix: https://www.purdue.edu/apps/account/cas-server-uber-webapp-3.4.6
      serverName: http://localhost:8080
      redirectAfterValidation: true
      exceptionOnValidationFailure: false

    16/19

    Continued web.xml for Java CAS client configuration

    CAS HttpServletRequest Wrapper Filter
      filter-class: org.jasig.cas.client.util.HttpServletRequestWrapperFilter

    Filter mappings (filter-name -> url-pattern):
      CAS Authentication Filter -> /test/*
      CAS Validation Filter -> /test/*
      CAS HttpServletRequest Wrapper Filter -> /test/*

    17/19

    CAS is not just for web applications

    Browsers hold CAS state with a cookie (called CASTGC, that holds a CAS ticket granting ticket TGT), but any client, such as a mobile app, can obtain and store a TGT

    See https://wiki.jasig.org/display/CASUM/RESTful+API

    Example:

    POST a username and password to https://CAS_SERVER_URL/v1/tickets (with Accept: text/plain as a header)

    And if the login/password check out, the server sends back

    201 Created

    Location: https://CAS_SERVER_URL/v1/tickets/{TGT id}

    If authentication fails, the server returns back a 400 code
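The REST exchange above as an added Python example (not Purdue's or Jasig's code), run against a constructed in-memory stand-in for the server: it treats 201 plus a Location header as success and 400 as bad credentials, and then goes one step beyond the slide by exchanging the TGT for a service ticket, which the CAS RESTful API returns in the body of a POST to the TGT URL. The TGT id format, the example host and the account list are assumptions.

```python
"""CAS RESTful API exchange from the slide, driven against a constructed fake server (added example)."""
import re
from urllib.parse import parse_qs, urlencode

FORM = {"Accept": "text/plain", "Content-Type": "application/x-www-form-urlencoded"}
TGT_RE = re.compile(r"^TGT-[A-Za-z0-9._-]+$")  # assumed shape of the id in the Location header


def request_tgt(post, cas_url, username, password):
    """POST credentials to /v1/tickets; return the TGT URL from Location, None on 400."""
    status, headers, _ = post(cas_url + "/v1/tickets",
                              urlencode({"username": username, "password": password}), FORM)
    if status == 400:  # wrong login/password, as the slide describes
        return None
    if status != 201 or "Location" not in headers:
        raise RuntimeError("unexpected reply %s" % status)
    tgt_url = headers["Location"]
    if not TGT_RE.match(tgt_url.rsplit("/", 1)[-1]):
        raise RuntimeError("Location does not carry a TGT id")
    return tgt_url  # the TGT is a bearer credential: store it like a session cookie, never log it


def request_st(post, tgt_url, service):
    """Next REST step (beyond the slide): POST service=... to the TGT URL; the ST comes back in the body."""
    status, _, body = post(tgt_url, urlencode({"service": service}), FORM)
    return body.strip() if status == 200 and body.startswith("ST-") else None


def fake_cas_rest(accounts):
    """Constructed stand-in for the CAS server; returns post(url, body, headers) -> (status, headers, body)."""
    tgts = {}

    def post(url, body, headers):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if url.endswith("/v1/tickets"):
            if accounts.get(form.get("username")) != form.get("password"):
                return 400, {}, "bad credentials"
            tgt = "TGT-%d-constructed-cas" % (len(tgts) + 1)
            tgts[tgt] = form["username"]
            return 201, {"Location": url + "/" + tgt}, ""
        tgt = url.rsplit("/", 1)[-1]
        if tgt in tgts and form.get("service"):
            return 200, {}, "ST-%d-constructed-cas" % len(tgts)
        return 404, {}, ""
    return post
```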

    18/19

    Initiatives for later this year

    Ability to use BoilerKey for CAS authentication

    If BoilerKey is used, CAS server will expose an extra attribute returned by the ticket check that indicates that the authentication was a BoilerKey authentication

    Separate mobile app CAS login page

    Application server administrators will be able to manage CAS ticket check server lists via web page

    Check for more at https://www.purdue.edu/apps/account/docs/CAS/CAS_information.jsp

    https://www.purdue.edu/apps/account/IAMO/Purdue_CareerAccount_BoilerKey.jsp

    19/19

    Thanks for your attention!

    Questions?

    Purdue Identity and Access Management can be reached at accounts@purdue.edu

    Please fill out an evaluation at http://www.itap.purdue.edu/boilerwebsurvey