The Central Authentication Service (CAS) is a single sign-on (SSO) protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as user ID and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name ''CAS'' also refers to a software package that implements this protocol.


Description

The CAS protocol involves at least three parties: a ''client'' web browser, the web ''application'' requesting authentication, and the ''CAS server''. It may also involve a ''back-end service'', such as a database server, that does not have its own HTTP interface but communicates with a web application. When the client visits an application requiring authentication, the application redirects it to CAS. CAS validates the client's authenticity, usually by checking a username and password against a database (such as Kerberos, LDAP or Active Directory). If the authentication succeeds, CAS returns the client to the application, passing along a service ticket. The application then validates the ticket by contacting CAS over a secure connection and providing its own service identifier and the ticket. CAS then gives the application trusted information about whether a particular user has successfully authenticated. CAS allows multi-tier authentication via proxy address. A cooperating ''back-end'' service, like a database or mail server, can participate in CAS, validating the authenticity of users via information it receives from web applications. Thus, a webmail client and a webmail server can both implement CAS.
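The application-side half of the exchange above, written as an added example (not code from the CAS project or either Django library): it builds the ticket-validation request the application sends back to CAS and parses the CAS 2.0/3.0 XML reply, distinguishing a success (user plus attributes) from a failure such as a replayed or mismatched ticket. Hostnames, ticket values and the sample responses are constructed.

```python
"""CAS 2.0/3.0 service-ticket validation on the application side."""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Namespace used by CAS serviceValidate responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def build_validate_url(cas_base, service, ticket):
    """URL the application fetches (over HTTPS, with certificate checking)
    to validate a ticket. `service` must be exactly the URL that was sent
    to /login: CAS binds the ticket to it and rejects a mismatch."""
    return f"{cas_base.rstrip('/')}/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_validation_response(xml_text):
    """Return (user, attributes) from a CAS success response, or raise
    ValueError carrying the CAS failure code. For responses from an
    untrusted network, parse with defusedxml instead of the stdlib."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", namespaces=CAS_NS)
    if ok is None:
        fail = root.find("cas:authenticationFailure", namespaces=CAS_NS)
        code = fail.get("code", "UNKNOWN") if fail is not None else "UNKNOWN"
        raise ValueError(f"CAS validation failed: {code}")
    user = ok.findtext("cas:user", namespaces=CAS_NS)
    if not user:
        raise ValueError("success response carries no <cas:user>")
    attrs = {}
    attr_el = ok.find("cas:attributes", namespaces=CAS_NS)
    if attr_el is not None:
        for child in attr_el:  # strip the namespace from each attribute tag
            attrs[child.tag.split("}")[-1]] = (child.text or "").strip()
    return user, attrs


# Constructed sample responses (hypothetical user, host and ticket values).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes><cas:mail>alice@example.edu</cas:mail></cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1-example not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""
```

The application should only create its own session for `user` after `parse_validation_response` returns; a ticket arriving in the browser redirect proves nothing on its own.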


History

CAS was conceived and developed by Shawn Bayern of Yale University Technology and Planning. It was later maintained by Drew Mazurek at Yale. CAS 1.0 implemented single sign-on. CAS 2.0 introduced multi-tier proxy authentication. Several other CAS distributions have been developed with new features. In December 2004, CAS became a project of the Java in Administration Special Interest Group (JASIG), which, as of 2008, is responsible for its maintenance and development. Formerly called "Yale CAS", CAS is now also known as "Jasig CAS". In 2010, Jasig entered into talks with the Sakai Foundation to merge the two organizations. The two organizations were consolidated as the Apereo Foundation in December 2012. In December 2006, the Andrew W. Mellon Foundation awarded Yale its First Annual Mellon Award for Technology Collaboration, in the amount of $50,000, for Yale's development of CAS. At the time of that award CAS was in use at "hundreds of university campuses (among other beneficiaries)". In April 2013, CAS Protocol specification 3.0 was released.


Implementation


Apereo CAS Implementation

The Apereo CAS server, which is the reference implementation of the CAS protocol today, supports the following features:

* CAS v1, v2 and v3 Protocol
* SAML v1 and v2 Protocol
* OAuth Protocol
* OpenID & OpenID Connect Protocol
* WS-Federation Passive Requestor Protocol
* Authentication via JAAS, LDAP, RDBMS, X.509, Radius, SPNEGO, JWT, Remote, Trusted, BASIC, Apache Shiro, MongoDB, Pac4J and more.
* Delegated authentication to WS-FED, Facebook, Twitter, SAML IdP, OpenID, OpenID Connect, CAS and more.
* Authorization via ABAC, Time/Date, REST, Internet2's Grouper and more.
* HA clustered deployments via Hazelcast, Ehcache, JPA, Memcached, Apache Ignite, MongoDB, Redis, Couchbase and more.
* Application registration backed by JSON, LDAP, YAML, JPA, Couchbase, MongoDB and more.
* Multifactor authentication via Duo Security, SAASPASS, YubiKey, RSA, Google Authenticator (TOTP) and more.
* Administrative UIs to manage logging, monitoring, statistics, configuration, client registration and more.
* Global and per-application user interface theme and branding.
* Password management and password policy enforcement.


Django Implementation


Django CAS Server

* django-mama-cas: A Django Central Authentication Service (CAS) single sign-on server


Django CAS Client

* django-cas-ng: Django CAS 1.0/2.0/3.0 client authentication library; supports Django 2.0, 2.1, 2.2, 3.0 and Python 3.5+


See also

* CoSign single sign on
* JOSSO
* List of single sign-on implementations
* OpenAM
* OpenID
* SAML
* SAML-based products and services
* Shibboleth (software)


External links


* Stanford WebAuth
* Apereo CAS Project
* django-mama-cas
* django-cas-ng