SSO Access to Applications Through CAS

Introduction

Central Authentication Service (CAS) is an HTTP2- and HTTP3-based protocol which requires that each component can be accessed through a specific URL. You can configure OneAccess as an identity service provider through CAS to enable third-party applications to read user account data from OneAccess. CAS 1.0, CAS 2.0, and CAS 3.0 are supported.

Learn about the CAS protocol and authorization process.

• CAS protocol

  The CAS protocol involves two parts: CAS server and CAS client. They exchange information through the browser. For example, the CAS client can return a redirection message with parameters and forward the message to the CAS server. After the login authentication is successful, the CAS server returns an XML message containing user information to the CAS client. After verifying the user information, the CAS client returns the information to the user for resource access.

  • CAS server: identity authentication provider. For example, OneAccess can be considered as an identity authentication provider.
  • CAS client: resource provider, for example, third-party applications.
• Authorization process
  1. A user logs in to a CAS client.
  2. The CAS client checks whether the HTTP request contains a service ticket (ST). If it does not contain an ST, the user has not been authenticated. In this case, the CAS client forwards the request together with the Service (the target resource address) to the CAS server.
  3. The user enters authentication information. If the login is successful, the CAS server randomly generates a unique ST that cannot be forged, and then sends the ST to the CAS client.
  4. After receiving the Service and ST, the CAS client interacts with the CAS server in the background.
  5. The CAS server verifies the user identity based on the Service and ST, and returns an XML response (containing the user information) in a specified format to the CAS client.
  6. The CAS client and CAS server finish authenticating the identity of the user. The CAS client returns the requested resource to the user.

Configuration Process

Prerequisites

You have permissions to access the administrator portal.

Adding an Application

Add an application in the administrator portal, and configure authentication information to establish a trust on it.

1. Log in to the administrator portal.
2. On the top navigation bar, choose Resources > Applications.
3. Click Add Custom Application in the Custom Applications section, set the logo and application name, and click Save.

Configuring the Application

Configure the application in OneAccess so that users can log in to it through OneAccess, including authentication configuration, mapping configuration, and user authorization.

• Authentication configuration
  1. Click the application added in Adding an Application and click the application icon on the application information page.
  2. In the General Information area, click next to Authentication to enable authentication, select CAS, and click Save.
     

     The protocol cannot be changed once specified.

     Figure 1 Selecting an authentication protocol
     
  3. In the General Information area, click Configure next to Authentication to access the CAS configuration page.
     

     To avoid information leakage, do not include sensitive information in the configuration parameters.

     Figure 2 Configuring authentication parameters
     

     Table 1 Authentication parameters

     Parameter	Description
     Callback URL	(Required) Third-party application URL, which must be the same as the value of service for the CAS interface and meet the URL format requirements of RFC.
     Logout URL	(Optional) Logout URL to be visited after a user logs out of their session.

• Mappings

  On the Authentication Settings page, click the Mappings tab, and click Add Mapping to add an attribute mapping.

  Figure 3 Adding a mapping
  

  Table 2 Mapping parameters

  Parameter	Description
  Application Attribute	(Required) User attribute that OneAccess will return to the application after successful authentication.
  Mapping Type	(Required) The mapping type determines the returned attribute value.

• User authorization

  In the left pane, choose Authorization > Application Accounts. Then click the button for adding accounts to authorize specific users to access the application. To authorize access using a policy, see the descriptions about the application account authorization policy in Configuring an Application.

  

  For details about how to configure login, access control, and object models, see Configuring an Application.

Establishing a Trust Between the Application and OneAccess

Configure authorization information for OneAccess in the application to establish a trust on OneAccess.

1. Obtain the authentication information in OneAccess.
   1. Log in to the administrator portal.
   2. In the top navigation pane, choose Settings > Service Settings.
   3. Click CAS.
   4. On the CAS page, view the authentication address.

      

      Table 3 Configuration parameters

      Parameter	Description
      Server Prefix	Prefix of the CAS server URL. The prefix is automatically generated and cannot be changed.
      Login URL	Request authorization URL of the CAS server. The URL is automatically generated and cannot be changed.
      Validate URL V3	The value is generated by the system and cannot be modified. URL for verifying tickets. V3 URL is recommended.
      Logout URL	The value is generated by the system and cannot be modified. URL for logging out of the CAS service.
      ST Validity Period	Validity period of a returned ST. Set a validity period from 3 to 15 minutes.

2. Obtain the authorization information of the application. For details, see the application provider's documentation.

Logging In as a User

Log in to the user portal as one of the authorized users, and click the target application to check whether you can access it.