Updated on 2024-12-30 GMT+08:00

Configuring a CAS Authentication Provider

Introduction

CAS is an HTTP2- and HTTP3-based protocol which requires that each component be accessed through a specific URL. You can configure OneAccess as a service provider using the CAS protocol to enable user accounts of third-party applications to access OneAccess. CAS 1.0, CAS 2.0, and CAS 3.0 are supported.

The CAS protocol involves two entities: the CAS client and the CAS server. They exchange information through the user's browser. For example, the CAS client returns a redirect response containing the required parameters, and the browser forwards that request to the CAS server. If login authentication succeeds, the CAS server returns an XML response containing the user information to the CAS client. After validating the user information, the CAS client returns the requested resource to the user.

  • CAS client: the resource provider, for example, a third-party application.
  • CAS server: the identity authentication provider, for example, OneAccess.
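As an added example (not from the OneAccess documentation), the following Python helpers show the CAS-client side of this exchange: building the redirect to the CAS server's login URL, building the ticket validation request, and parsing the CAS 1.0 plain-text and CAS 2.0/3.0 XML validation responses, including the attribute block that only CAS 3.0 returns. All URLs, ticket values and responses are constructed placeholders.

```python
# Added example, not OneAccess code: CAS-client helpers for the exchange described
# above. Endpoint URLs, tickets and responses below are constructed placeholders.
from urllib.parse import urlencode
import xml.etree.ElementTree as ET
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used in CAS 2.0/3.0 XML

def login_redirect(login_url, service):
    """Step 1: the CAS client redirects the browser to the CAS server's Login URL."""
    return f"{login_url}?{urlencode({'service': service})}"

def validate_url(validate_base, service, ticket):
    """Step 2: the client validates the ST directly against the Validate URL; 'service'
    must be identical to the value used in login_redirect or the server rejects it."""
    if not ticket.startswith("ST-"):
        raise ValueError("not a service ticket")
    return f"{validate_base}?{urlencode({'service': service, 'ticket': ticket})}"

def parse_validate_v1(text):
    """CAS 1.0 /validate reply is plain text: 'yes' then the user, or 'no' then blank."""
    lines = text.splitlines()
    if len(lines) >= 2 and lines[0].strip() == "yes" and lines[1].strip():
        return lines[1].strip()
    raise ValueError("CAS 1.0 validation failed")

def parse_service_validate(xml_text):
    """CAS 2.0 /serviceValidate and CAS 3.0 /p3/serviceValidate XML reply. Returns
    {"user": ..., "attributes": {...}}; the attributes block exists only in CAS 3.0."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"CAS failure {failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("neither authenticationSuccess nor authenticationFailure present")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    attrs = {}
    block = success.find("cas:attributes", CAS_NS)
    if block is not None:
        for child in block:  # a multi-valued attribute appears as repeated elements
            attrs.setdefault(child.tag.split("}", 1)[-1], []).append((child.text or "").strip())
    return {"user": user, "attributes": attrs}

# Constructed sample responses (not captured from a real CAS server).
SAMPLE_SUCCESS_V3 = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                     "<cas:authenticationSuccess><cas:user>alice</cas:user><cas:attributes>"
                     "<cas:email>alice@example.com</cas:email><cas:mobile>13800000000</cas:mobile>"
                     "</cas:attributes></cas:authenticationSuccess></cas:serviceResponse>")
SAMPLE_FAILURE = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                  "<cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized"
                  "</cas:authenticationFailure></cas:serviceResponse>")
```

The ST validity period configured in OneAccess bounds how long the ticket passed to validate_url stays accepted, so a client should validate it immediately after the redirect returns.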

OneAccess allows you to configure the CAS protocol as the authentication provider. Enterprise users can then log in to each application system through CAS and use single sign-on (SSO) between application systems, which gives them simpler and more convenient login options and a better user experience.

This section describes how to integrate a third-party authentication provider with OneAccess through CAS.

Prerequisite

You have permissions to access the administrator portal.

Establishing a Trust Between the Application and OneAccess

Configure the OneAccess authorization information in the application so that the application trusts OneAccess.

  1. Obtain the authentication information in OneAccess.

    1. Log in to the administrator portal.
    2. On the top navigation bar, choose Settings > Service Settings.
    3. Click CAS.
    4. On the CAS page, view the authentication address.
      Figure 1 Viewing CAS configurations
      Table 1 Configuration parameters

      Parameter          | Description
      -------------------|-----------------------------------------------------------------------
      Server Prefix      | Prefix of the CAS service address. Generated automatically by the system; cannot be modified.
      Login URL          | Login URL of the CAS service. Generated automatically by the system; cannot be modified.
      Validate URL V3    | URL used to validate tickets. Generated automatically by the system; cannot be modified. The V3 address is recommended.
      Logout URL         | URL for logging out of the CAS service. Generated automatically by the system; cannot be modified.
      ST Validity Period | Validity period of a returned service ticket (ST). Set a value from 3 to 15 minutes.

  2. Obtain the service address in OneAccess. For details, see Table 2.
  3. Configure the preceding information in the application. For details, see the application provider's documentation.
  4. Obtain the authorization information of the application. For details, see the application provider's documentation.

Adding a CAS Authentication Provider

Add a CAS authentication provider and configure the application information in OneAccess.

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Authentication > Authentication Providers.
  3. Choose Enterprise Authentication Providers > CAS.
  4. On the CAS Authentication Providers page, click Add Authentication Provider in the upper right corner and set the parameters required.

    Table 2 Configuration parameters

    Parameter                         | Mandatory | Description
    ----------------------------------|-----------|------------------------------------------------------------------
    Icon                              | No        | PNG, JPG, or GIF image no larger than 50 KB. The recommended size is 32 x 32 pixels.
    Display Name                      | Yes       | Custom display name of the authentication provider, for example, CAS.
    Login Address                     | Yes       | Login URL of the application, which must start with http or https, for example, https://xxx.xxx.xxx/login.
    Logout Address                    | Yes       | Logout URL of the application, which must start with http or https, for example, https://xxx.xxx.xxx/logout.
    Validation Address                | Yes       | Ticket validation URL of the application, which must start with http or https. The path depends on the protocol version: CAS 1.0 uses https://xxx.xxx.xxx/validate (see Verifying Tickets (CAS 1.0)); CAS 2.0 uses https://xxx.xxx.xxx/serviceValidate (see Verifying Tickets (CAS 2.0)); CAS 3.0 uses https://xxx.xxx.xxx/p3/serviceValidate (see Verifying Tickets (CAS 3.0)).
    Request Type                      | Yes       | HTTP method used to send the request: GET or POST.
    Server Address                    | Yes       | Generated by the system and cannot be modified. You can obtain this value when configuring the application.
    CAS Protocol Version              | Yes       | Protocol version supported by the application. CAS 1.0 and CAS 2.0 do not support the transfer of user attribute values.
    Authentication Provider Attribute | Yes       | User attribute returned by the CAS server upon successful authentication. It must match the attribute name used by the application.
    Related User Attribute            | Yes       | OneAccess user attribute that the authentication provider attribute maps to, for example, userName.
    No User Associated                | Yes       | Operation performed when a user logs in successfully through CAS authentication but cannot be associated with a system user.

    To map other attributes, such as email, set No User Associated to Automatically create users and click Add Mapping. For details, see Table 3.

    Table 3 Mapping parameters

    Parameter      | Description
    ---------------|------------------------------------------------------------------------
    User Attribute | Attribute in OneAccess that maps to the CAS application attribute, for example, mobile.
    Mapping Type   | How the user attribute is mapped between OneAccess and the CAS application.

    NOTE:
    • If Mapping Type is set to Authentication Provider Attribute, Source Attribute is required.
    • If Mapping Type is set to Fixed Attribute Value, Fixed Attribute Value is required.
    • If Mapping Type is set to Script-based, Script is required.