Introducing the Central Authentication Service (CAS)
Shawn Bayern
- Research programmer, ITS Technology & Planning
- Author, Web Development with JavaServer Pages
- JSTL implementation lead (JCP, Apache)
Current CAS users
- Network registration tool (Netreg): used by thousands of students, mostly during the first two weeks of the academic year
- AM&T applications: software distribution, Pantheon account tool, internal support applications
- Workstation support services and machines
- Undergraduate groups: YaleStation, Yale Herald
- RIS file transfer services, MyOracle and others
Questions to answer
- What does CAS do?
- How does it work?
- How can you use it?
- What's on the horizon?
Features and advantages
- Web single sign-on
- Convenience
- Centralized authentication policy
- Easier to maintain in the enterprise
- Gets users used to a single site for logging in
- Applications don't handle sensitive passwords
CAS in a nutshell
Three parties take part: the web browser, the web application, and CAS.
- Browser to web application: authenticates without ever sending the password to the application
- Browser to CAS: authenticates via password, once per single sign-on session
- Web application to CAS: determines the validity of the user's claimed authentication
What CAS looks like
Users can be told to supply their password to no site other than the trusted CAS login page, which they can recognize by:
- The expected URL
- The known "look and feel"
- An authentic peer (server) certificate, for anyone who checks it
How CAS actually works
[Diagram: web browser, web application and CAS, with labelled arrows: S (the service URL the application sends to CAS), C (the ticket-granting cookie CAS sets in the browser), ST (the service ticket CAS hands back to the application via the browser, and which the application sends to CAS for validation), and NetID (what CAS returns for a valid ST).]
How to use CAS in a web application
- Replaces Kauth and similar mechanisms
- Used as the "gate" for the application
- Applications need to do only two things:
  1. Redirect the browser to CAS (and receive the ticket it sends back)
  2. Make one HTTPS request to CAS to validate that ticket, and read the response
- Because these are just a redirect and an HTTPS request/response, CAS works with most platforms
- T&P provides libraries for Java, JSP and Perl, and can assist with ASP, PHP, etc.
Examples
JSP tag: simply add the CAS authentication tag to every JSP page.
Java (e.g., Servlets):

```java
public String validate(String ticket, String service);
```

Returns the authenticated NetID.
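The whole exchange from the "How CAS actually works" diagram and the two application-side steps above, as an added example that is not part of the original slides or of the T&P libraries. It is a self-contained Python model of the CAS 1.0 flow, not Yale's CAS code: the CAS login URL, the service URLs, the NetID and the password are constructed for the example, and the HTTPS calls to /login and /validate are replaced by direct method calls so the redirect, the ticket-granting cookie (C), the service ticket (ST) and the "yes/NetID" validate response can be traced in one process. The single-use and service-bound checks on the ST are part of the CAS protocol (a ticket is invalidated by its first validation attempt, successful or not).

```python
"""Simulation of the CAS 1.0 single sign-on flow (added example, not CAS code)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CAS_LOGIN = "https://cas.example.edu/login"  # assumed CAS login URL (constructed)

# Constructed credential store standing in for the campus password system.
PASSWORDS = {"abc123": "correct-horse"}


class CasServer:
    """The central server: the only party that ever checks a password."""

    def __init__(self):
        self.cookies = {}          # C (ticket-granting cookie) -> NetID
        self.service_tickets = {}  # ST -> (NetID, service URL it was issued for)

    def login(self, service, cookie=None, netid=None, password=None):
        """GET /login?service=...  Returns (redirect_url_with_ticket, cookie C).

        A valid cookie C proves an earlier login, so no password is needed
        (single sign-on); otherwise the NetID/password is checked once and a
        new C is issued.  Either way a fresh ST is minted for *this* service.
        """
        if cookie in self.cookies:
            user = self.cookies[cookie]
        else:
            if netid is None or PASSWORDS.get(netid) != password:
                raise PermissionError("bad NetID or password")
            user = netid
            cookie = "TGC-" + secrets.token_hex(16)
            self.cookies[cookie] = user
        st = "ST-" + secrets.token_hex(16)
        self.service_tickets[st] = (user, service)
        sep = "&" if "?" in service else "?"
        return service + sep + urlencode({"ticket": st}), cookie

    def validate(self, ticket, service):
        """GET /validate?ticket=...&service=...  CAS 1.0 plain-text response:
        'yes\\n<NetID>\\n' on success, otherwise 'no\\n\\n'.
        pop() makes the ticket single-use even when the service check fails."""
        entry = self.service_tickets.pop(ticket, None)
        if entry is None or entry[1] != service:
            return "no\n\n"
        return "yes\n%s\n" % entry[0]


class WebApp:
    """A CAS-protected application: redirect to CAS, then one validate request."""

    def __init__(self, cas, url):
        self.cas = cas
        self.url = url  # canonical service URL sent to CAS as ?service=

    def handle(self, request_url):
        """The gate.  Returns ('redirect', url) | ('ok', netid) | ('denied', None)."""
        query = parse_qs(urlparse(request_url).query)
        if "ticket" not in query:
            return "redirect", CAS_LOGIN + "?" + urlencode({"service": self.url})
        body = self.cas.validate(query["ticket"][0], self.url)  # stands in for HTTPS
        lines = body.split("\n")
        if lines[0] == "yes" and lines[1]:
            return "ok", lines[1]
        return "denied", None


def run_flow():
    """Walk one browser through two applications; return what each step saw."""
    cas = CasServer()
    app_a = WebApp(cas, "https://a.example.edu/app")  # constructed service URLs
    app_b = WebApp(cas, "https://b.example.edu/app")
    out = {}
    # 1. Unauthenticated visit: the gate redirects to CAS with ?service=.
    out["first_visit"] = app_a.handle(app_a.url)
    # 2. Password goes to CAS only, once; CAS sets C and sends an ST back to app A.
    back_url, cookie = cas.login(app_a.url, netid="abc123", password="correct-horse")
    out["after_login"] = app_a.handle(back_url)
    # 3. Replaying the same ticket URL fails: an ST is single-use.
    out["replay"] = app_a.handle(back_url)
    # 4. Second application: cookie C proves the earlier login, no password asked.
    back_url_b, cookie2 = cas.login(app_b.url, cookie=cookie)
    out["cookie_reused"] = cookie2 == cookie
    out["app_b"] = app_b.handle(back_url_b)
    # 5. An ST issued for app B is useless at app A (bound to the service URL).
    back_url_b2, _ = cas.login(app_b.url, cookie=cookie)
    ticket_b = parse_qs(urlparse(back_url_b2).query)["ticket"][0]
    out["wrong_service"] = app_a.handle(app_a.url + "?ticket=" + ticket_b)
    # 6. A wrong password never yields a ticket at all.
    try:
        cas.login(app_a.url, netid="abc123", password="wrong")
        out["bad_password"] = "issued"
    except PermissionError:
        out["bad_password"] = "refused"
    return out


if __name__ == "__main__":
    for step, result in run_flow().items():
        print(step, "->", result)
```

Two points are worth noticing when reading the trace: the application's `handle` never sees a password, only a ticket, and its only outbound call is `validate(ticket, service)`, which is exactly the Java signature above; and a ticket that fails validation at the wrong service is consumed just the same, so a stolen ST cannot be tried against several services.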
CAS's future
- Broader adoption: CAS becomes the standard ITS authentication mechanism
- Load testing
- CAS 2.0: portals and proxies
- New, requested features:
  - Prevents brute-force password guessing
  - Lets applications opt out of single sign-on and require a fresh login
  - Ensures redundancy and availability