CAS architecture
Introduction
CAS is a single sign-on (SSO) protocol for the web. It lets a user access multiple applications after providing their credentials only once.
Single Log-in
The single log-in is usually initiated by the application server. The typical UML use case is as follows:
Description
1. The user's browser tries to get a web page from the service provider.
2. The service provider wants to authenticate the user's identity. To do so, it builds an AuthenticationRequest document: an XML document that includes the service provider's name and the current date and time. This XML document is signed with the service provider's private key and optionally encrypted with the identity provider's public key. The public keys (certificates) of both parties are published by the federation metadata server.
3. The service provider generates an HTML page that automatically posts the AuthenticationRequest document to the identity provider.
4. The identity provider receives the AuthenticationRequest. At this point it verifies that the request is correct and safe (signature, issuer and timestamp).
Next, the identity provider checks whether the user's browser already has an active SSO session. If it does, skip to step 7.
5. The identity provider asks the user for credentials.
6. The user enters their credentials. The identity provider verifies that the user name and password are correct and creates a new SSO session.
7. The identity provider sends a SAML assertion to the service provider. This assertion is signed with the identity provider's private key and optionally encrypted with the service provider's public key. The SAML assertion contains a set of user attributes; which attributes are included, and their values, can vary depending on the service provider that will receive it. As with the authentication request, the assertion is always sent through the user's browser.
8. The service provider receives the SAML assertion, decrypts and verifies it, and obtains the user attributes.
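Steps 2, 7 and 8 above describe what the service provider sends and what it must check when the assertion comes back through the browser. The following is an added example, not code from the original page or from any CAS/SAML implementation, that builds a minimal AuthnRequest (step 2), constructs a sample response standing in for the identity provider's step 7 message, and performs the service-provider checks of step 8: expected issuer, success status, InResponseTo matching an outstanding request, audience, recipient, validity window with clock skew, and one-time use of the assertion ID. The entity IDs and URLs are constructed; XML signature verification and decryption are assumed to have been done by an XML-DSig library before `validate_response` is called and are not implemented here.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed identifiers for the example (not from the page).
SP_ENTITY_ID = "https://sp.example.org/metadata"
IDP_ENTITY_ID = "https://idp.example.org/metadata"
IDP_SSO_URL = "https://idp.example.org/saml/sso"
ACS_URL = "https://sp.example.org/saml/acs"


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(now):
    """Step 2: the SP builds an AuthnRequest carrying a random ID, its name and the time.
    Returns (request_id, xml). The ID must be remembered to match InResponseTo later."""
    req_id = "_" + secrets.token_hex(16)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": _iso(now),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": ACS_URL})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return req_id, ET.tostring(root, encoding="unicode")


def make_sample_response(in_response_to, assertion_id, now):
    """Constructed stand-in for the IdP's step 7 response (unsigned test data only)."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _iso(now),
        "Destination": ACS_URL, "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": SUCCESS})
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion",
                      {"ID": assertion_id, "Version": "2.0", "IssueInstant": _iso(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = "alice"
    sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation",
                       {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData", {
        "InResponseTo": in_response_to, "Recipient": ACS_URL,
        "NotOnOrAfter": _iso(now + timedelta(minutes=5))})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": _iso(now - timedelta(minutes=1)),
        "NotOnOrAfter": _iso(now + timedelta(minutes=5))})
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = SP_ENTITY_ID
    attrs = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name, value in (("mail", "alice@example.org"), ("role", "staff")):
        at = ET.SubElement(attrs, f"{{{SAML}}}Attribute", {"Name": name})
        ET.SubElement(at, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(resp, encoding="unicode")


def validate_response(xml_text, pending_request_ids, seen_assertion_ids, now,
                      skew=timedelta(seconds=60)):
    """Step 8 checks. Assumes the XML signature has already been verified (and the
    assertion decrypted) by an XML-DSig library; that step is NOT implemented here.
    Returns (name_id, attributes) or raises ValueError."""
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if resp.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise ValueError("unexpected response issuer")
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("authentication not successful")
    assertions = resp.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise ValueError("exactly one assertion expected")
    a = assertions[0]
    if a.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise ValueError("unexpected assertion issuer")
    in_resp = resp.get("InResponseTo")
    if in_resp not in pending_request_ids:           # rejects unsolicited/forged responses
        raise ValueError("InResponseTo does not match an outstanding request")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise ValueError("missing Conditions")
    if now + skew < _parse_iso(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= _parse_iso(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    if SP_ENTITY_ID not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("assertion not intended for this service provider")
    scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/"
                 f"{{{SAML}}}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != in_resp:
        raise ValueError("subject confirmation does not match this endpoint/request")
    aid = a.get("ID")
    if aid in seen_assertion_ids:                    # one-time use: reject replays
        raise ValueError("assertion replayed")
    seen_assertion_ids.add(aid)
    pending_request_ids.discard(in_resp)
    attrs = {at.get("Name"): [v.text for v in at.findall(f"{{{SAML}}}AttributeValue")]
             for at in a.iter(f"{{{SAML}}}Attribute")}
    return a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID"), attrs
```

The sets `pending_request_ids` and `seen_assertion_ids` stand for server-side state the service provider keeps across the two browser round trips; in a real deployment the seen-ID set is bounded by the assertion's NotOnOrAfter, after which replays fail the time check anyway.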
Single Log-out
The single log-out process is shown in the following UML diagram:
Description
1. The … web to log …
Proxy requests flow diagram
Description
3.1. The identity provider sends a SOAP SAML logout request to every service provider that has an active session for this user. These logout requests are almost identical to the one sent from the service provider to the identity provider, but they are sent directly over SOAP rather than through the browser via an HTTP URL.
4. After closing every active session, the user is informed about the logout progress, or optionally redirected to a farewell web page specified by the service provider.
The logout request must be signed; signing is not mandatory for the login request.
https://en.wikipedia.org/wiki/Central_Authentication_Service