
Purdue CAS Information

Summer 2011 CAS Server Upgrade

On May 11 2011, the Identity and Access Management Office will upgrade the Central Authentication Service (CAS) from version 3.3.2 to 3.4.6. The production CAS URL https://www.purdue.edu/apps/account/cas will not change; only the code behind the URL does. Version 3.4.6 is fully backwards compatible with 3.3.2 and uses the same CAS protocol, so you should not need to update your CAS client. However, we recommend that you verify your current applications against the 3.4.6 version. The 3.4.6 build that will be installed on May 11 2011 is now available on our QA tier at https://webservices-test.itns.purdue.edu/apps/account/cas-server-uber-webapp-3.4.6. Version 3.4.6 returns puid, name, and I2A2 characteristic information along with a successful serviceValidate CAS ticket check. If you discover any issues with the new version, please contact us at accounts@purdue.edu for assistance.

BoilerWeb April 2011 CAS Presentation

The presentation slides can be found here.

Introduction

The Identity and Access Management Office (IAMO) offers a web single sign-on service, using the Central Authentication Service (CAS) developed by Yale University and now maintained by JA-SIG under an open source license.

Benefits of using CAS vs. I2A2 For Web Authentication

Many web servers on campus already use I2A2 for Purdue Career Account authentication, so why use the CAS service? (Many thanks to the folks in the College of Science for creating the following list of benefits).

  • Better password security - CAS mitigates the risk of compromising passwords by deferring the handling of Purdue Career Account passwords to the CAS server, instead of having each I2A2-enabled web server collect credentials on its own login page and pass them to the I2A2 server.
  • More consistent user authentication experience - Every web application using CAS uses the same login screen from the same URL, which reassures users and removes the need for each individual web application to maintain its own login screen. Here is what the screen looks like at Purdue.
  • Provides single sign-on - Potentially unifies Purdue's web applications by providing single sign-on. Once a user has authenticated to CAS, they do not have to re-enter their username/password for each CASified web application.
  • Saves staff resources - It is easy for a web developer or system administrator to integrate CAS into an application or web server. No separate authentication mechanism and login page need be created and maintained.
  • Great compatibility - Multiple client libraries and web server modules/filters are available.
  • Open source - CAS is not Purdue specific; this means there is a larger support environment.
  • Easily extensible - Allows web servers to immediately take advantage of additional authentication methods. For example, the IAMO hopes to offer RSA Token authentication via CAS in the future.
  • Better user support - CAS allows for centralized Purdue Career Account authentication assistance, available via the ITaP Customer Service Center.

Authorization and CAS Server Versions

The Purdue CAS server deployment passes the Career Account login of the authenticated user back to the CAS client. However, it is good practice to use puid instead of login as a key in application databases. To let an application obtain the puid, name and I2A2 characteristics for the authenticated login, the IAMO provides several options to map a login to puid/name/characteristics, in order of preference:

  • attributes from the CAS server via a serviceValidate CAS ticket check
  • attributes from the CAS server via a samlValidate CAS ticket check
  • IAMO LDAP interface
  • IAMO web service interface

We have a test page available here to help demonstrate the attribute names and format available with the new CAS 3.4.6 server.

Requesting CAS Access

To obtain access to the Purdue IAMO CAS Server, you will first need to fill out a Service Level Agreement (SLA) between your group and the IAMO. Please fill out section VII Client Definitions: section A; VIII Signatures: section A; and IX Appendix A: sections A, B, C, D and E. Once you have this filled out, forward the hard copy to: IAMO Director / ITaP / ROSS. Please allow 3-5 business days for processing.

Installing and Configuring CAS in your web server (information for server administrators)

Lots of information can be found on the CAS Client Home Page. You can easily CASify any WAR in Tomcat, see the Java client page for details. CASifying Apache applications has been done with mod_auth_cas, although some have used mod_perl with the Perl client or phpCAS to avoid dealing with compiling mod_auth_cas.

Purdue's Production CAS Server URLs (version 3.3.2 prior to May 11 2011, version 3.4.6 starting May 11 2011):

     loginUrl: https://www.purdue.edu/apps/account/cas/login
  validateUrl: https://www.purdue.edu/apps/account/cas/serviceValidate
            or https://www.purdue.edu/apps/account/cas/samlValidate
    logoutUrl: https://www.purdue.edu/apps/account/cas/logout

Your web server ip address(es) will need to be authorized for access to the serviceValidate/samlValidate urls, which we will do as part of processing the SLA.
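The following is an added example (not Purdue's or JA-SIG's code) showing how a CAS client uses the login and serviceValidate URLs above and extracts the puid/name/characteristic attributes described in the Authorization section. It assumes the standard CAS 2.0 XML response format; the attribute element names and the sample response are constructed for illustration, not captured from Purdue's server.

```python
# Added example (not Purdue's or JA-SIG's code): the client-side CAS 2.0 steps
# behind the production URLs above. Assumptions: CAS 2.0 XML response schema;
# attribute names puid/name/i2a2characteristics are constructed for illustration.
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_BASE = "https://www.purdue.edu/apps/account/cas"
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def login_redirect_url(service_url):
    """Where to send an unauthenticated browser; the application never sees the password."""
    return f"{CAS_BASE}/login?{urlencode({'service': service_url})}"


def validate_request_url(service_url, ticket):
    """Back-channel ticket check; 'service' must equal the value used at login."""
    return f"{CAS_BASE}/serviceValidate?{urlencode({'service': service_url, 'ticket': ticket})}"


def parse_service_validate(xml_text):
    """Return (login, attributes) from a serviceValidate response, or raise ValueError."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:  # e.g. INVALID_TICKET or INVALID_SERVICE: treat as not logged in
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed CAS response: no success or failure element")
    login = success.findtext("cas:user", namespaces=CAS_NS)
    attrs = {}  # multi-valued, since a characteristic element may repeat
    attributes = success.find("cas:attributes", CAS_NS)
    for child in ([] if attributes is None else attributes):
        name = child.tag.split("}", 1)[-1]  # strip the cas namespace prefix
        attrs.setdefault(name, []).append((child.text or "").strip())
    return login, attrs


# Constructed sample success response (not captured from Purdue's server).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:puid>00000000000</cas:puid>
      <cas:name>Jane Doe</cas:name>
      <cas:i2a2characteristics>1</cas:i2a2characteristics>
      <cas:i2a2characteristics>16</cas:i2a2characteristics>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
```

The application should key its database on the puid attribute rather than on the login, as recommended above, and should treat any authenticationFailure or malformed response as an unauthenticated request.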

CAS BoilerKey support

The Purdue CAS server now supports authenticating with the Purdue BoilerKey. Please see the CAS BoilerKey configuration page for more information.

Questions

Please contact accounts@purdue.edu.

Maintained by: IAMO Team

Purdue University, West Lafayette, IN 47907, (765) 494-4600
© 2010 - 2013 Purdue University | An equal access/equal opportunity university | Copyright Complaints