
Central Authentication Service

Last Updated : 30 Mar, 2022

Central Authentication Service (CAS) is a single sign-on (SSO) protocol that lets a user access multiple applications after authenticating once with a shared authentication service. Its defining property is that the user's credentials are only ever entered at the CAS server: an application that authenticates through CAS never sees the username or password, it only receives a ticket that it validates with the CAS server. This is what allows many applications to authenticate users without any of them gaining access to the user's security credentials. A CAS exchange involves three parties: the client web browser, the web application requesting authentication, and the CAS server. Behind the CAS server there is usually a database or directory that holds the credentials, and the web application may have its own backend database, but neither is part of the protocol itself.

Working of Central Authentication Service:

When the client visits a web application that requires authentication, the web application redirects the browser to the CAS server. The CAS server checks the submitted credentials (for example a username and password) against its user database. If authentication succeeds, CAS redirects the client back to the application with a security ticket appended to the application's URL. The application then validates that ticket by contacting the CAS server directly (server to server, not through the browser), and CAS answers with whether the ticket is valid and, if so, the identity of the user it was issued to.

Steps for CAS:

  • The web application redirects the user to the CAS server login page, passing its own URL as the service parameter.
  • Once the login process is completed, the CAS server redirects the user back to the web application with a service ticket in the URL.
  • The web application sends a request to the CAS server (the /serviceValidate endpoint in CAS 2.0 and later) asking it to validate the service ticket for the same service URL.
  • If the CAS server reports the ticket as valid, the user is authenticated and the response carries the user's identity. A service ticket is short-lived and single-use, so a replayed or forwarded ticket fails validation.

Using CAS Authentication in Web Applications and Websites:

Any website that requires authentication should use either the CS CAS server or the OIT CAS server. The CS CAS server is generally the more convenient choice for developers; the OIT CAS server can be used by anyone who does not have a CS account. Because both servers implement the same CAS protocol, an application can be built against either one, and switching between them only changes the server URL.

There are client libraries for authenticating with CAS in most languages. For example, PHP has the phpCAS library, and Python has the python-cas library, which can be used from frameworks such as Django and Flask; many other languages have comparable libraries.

How is Central Authentication Service related to Authentication and Authorization: 

Authentication and authorization are separate concerns, and CAS only covers the first. CAS authenticates users, but it does not authorize them, because what a user may do is specific to each application. When a user signs in to a web application through CAS, the application receives the user's NetID (the identifier returned in the validation response), so the application knows who logged in.

Using that NetID, the application decides whether the user is authorized to perform a given action. For example, an application that allows editing must maintain its own list of NetIDs: users on the list are authorized to update content, and everyone else, although authenticated, is not. That list lives in the application, not in CAS.
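The following is an added example that walks through the four CAS steps listed above and then the application-side authorization check just described. It is not code from the original article or from any CAS implementation: the CAS server and the web application are toy in-process objects that exchange the same data the real endpoints exchange over HTTPS. The host names, the ten-second ticket lifetime and the sample user store are assumptions; only the XML response format and its namespace follow the CAS 2.0 protocol.

```python
"""Simulated CAS 2.0 exchange: login redirect, service ticket, /serviceValidate.

Added example for this article, not code from the original page or from any
CAS implementation. Host names, ticket lifetime and the user store are assumed.
"""
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace used by CAS 2.0 XML responses
TICKET_TTL = 10                         # assumed service-ticket lifetime in seconds


def _response(body):
    return f'<cas:serviceResponse xmlns:cas="{CAS_NS}">{body}</cas:serviceResponse>'


def _success(netid):
    return _response(f"<cas:authenticationSuccess><cas:user>{escape(netid)}"
                     "</cas:user></cas:authenticationSuccess>")


def _failure(code, message):
    return _response(f'<cas:authenticationFailure code="{code}">{escape(message)}'
                     "</cas:authenticationFailure>")


class CasServer:
    """Toy CAS server. Only it holds credentials; applications never see them."""

    def __init__(self, users, base_url="https://cas.example.edu"):
        self._users = users      # {netid: password}; constructed sample data
        self._tickets = {}       # ticket -> (netid, service, issued_at)
        self.base_url = base_url

    def login_url(self, service):
        """Where an application sends an unauthenticated browser (step 1)."""
        return self.base_url + "/login?" + urlencode({"service": service})

    def login(self, netid, password, service):
        """Check credentials; on success return the service URL with a one-time ticket (step 2)."""
        if self._users.get(netid) != password:
            return None
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (netid, service, time.time())
        sep = "&" if "?" in service else "?"
        return service + sep + urlencode({"ticket": ticket})

    def service_validate(self, service, ticket):
        """/serviceValidate: consume the ticket and report who it was issued to (step 4)."""
        entry = self._tickets.pop(ticket, None)   # pop makes every ticket single-use
        if entry is None:
            return _failure("INVALID_TICKET", "ticket not recognized or already used")
        netid, bound_service, issued_at = entry
        if bound_service != service:
            return _failure("INVALID_SERVICE", "ticket was issued for a different service")
        if time.time() - issued_at > TICKET_TTL:
            return _failure("INVALID_TICKET", "ticket expired")
        return _success(netid)


def parse_validation(xml_text):
    """Return the NetID from a /serviceValidate response, or None on failure."""
    root = ET.fromstring(xml_text)
    user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    return user.text if user is not None else None


def ticket_from_url(url):
    """Extract the ticket parameter CAS appended to the service URL."""
    return parse_qs(urlparse(url).query).get("ticket", [None])[0]


class WebApp:
    """Toy CAS-protected application: authentication is delegated, authorization stays here."""

    def __init__(self, cas, service_url, editors):
        self.cas = cas
        self.service_url = service_url
        self.editors = set(editors)   # NetIDs allowed to edit: the app's own list, not CAS's

    def handle_request(self, url):
        """No ticket: redirect to CAS. Ticket present: validate it server-side (step 3)."""
        ticket = ticket_from_url(url)
        if ticket is None:
            return ("redirect", self.cas.login_url(self.service_url))
        # Validate against the same service URL the ticket was issued for.
        netid = parse_validation(self.cas.service_validate(self.service_url, ticket))
        if netid is None:
            return ("denied", None)
        return ("ok", netid)

    def can_edit(self, netid):
        """Authorization decision made by the application from the NetID CAS returned."""
        return netid in self.editors
```

Two of the checks in `service_validate` are the ones a real deployment depends on: the ticket is removed on first validation, so a ticket copied out of a URL cannot be replayed, and the ticket is bound to the service URL it was issued for, so a ticket obtained by one application cannot be presented to another. The application never handles a password at any point; its only secret-free inputs are the ticket and the NetID in the validation response, and the `editors` set shows that the authorization decision is entirely its own.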

