The Identity and Access Management Office (IAMO) offers a web single sign-on service using the Central Authentication Service (CAS). IAMO is running CAS version 3.5.3 as of 8/2/2015. Implementing CAS 4.x is currently targeted for early 2016.
Please also see here for an overview of all of the IAMO web authentication offerings.
Benefits of using CAS vs. I2A2 For Web Authentication
Many web servers on campus already use I2A2 for Purdue Career Account authentication, so why use the CAS service? (Many thanks to the folks in the College of Science for creating the following list of benefits).
- Better password security - CAS mitigates the risk of compromised passwords by deferring the handling of Purdue Career Account passwords to the CAS server, instead of having each I2A2-enabled web server collect credentials on its own login page and pass them to the I2A2 server.
- More consistent user authentication experience - Every web application using CAS utilizes the same login screen from the same url, which reassures users and obviates the need for each individual web application to maintain its own login screen. Here is what the screen looks like at Purdue.
- Provides single sign-on - Potentially unifies Purdue's web applications by providing single sign-on. Once a user has authenticated to CAS once, they do not have to re-enter their username/password for each CASified web application.
- Saves staff resources - It is easy for a web developer or system administrator to integrate CAS into an application or web server. No separate authentication mechanism and login page need be created and maintained.
- Great compatibility - Multiple client libraries and web server modules/filters are available.
- Open source - CAS is not Purdue specific; this means there is a larger support environment.
- Easily extensible - Allows web servers to immediately take advantage of additional authentication methods. For example, BoilerKeys can be used with CAS.
- Better user support - CAS allows for centralized Purdue Career Account authentication assistance, available via the ITaP Customer Service Center.
Authorization and CAS Server Versions
The Purdue CAS server deployment passes back the Career Account login of the authenticated user to the CAS client. However, it is good practice to use puid instead of login as a key in application databases. To support an application obtaining the puid, name and I2A2 characteristics for the authenticated login, the IAMO provides several options to map a login to puid/name/characteristics, in order of preference:
- attributes from the CAS server via a serviceValidate CAS ticket check
- attributes from the CAS server via a samlValidate CAS ticket check
- IAMO LDAP interface
- IAMO web service interface
We have a test page available here to help demonstrate the attribute names and format available.
Requesting CAS Access
To obtain access to the Purdue IAMO CAS Server, you will first need to fill out a Service Level Agreement (SLA) between your group and the IAMO. Please complete the on-line Docusign form. Once completed, it will be routed for approvals. Please allow 3-5 business days for processing.
We have recently changed how CAS service ticket checks are authorized: they are now authorized by CAS service url rather than by application server ip address. This change is so recent that our SLA hasn't quite caught up yet. The CAS service url is where the browser is redirected after successful CAS authentication (it is shown to the user at the top of the CAS login page as "You have asked to login to:"). If the necessary CAS service url(s) aren't obvious from the SLA contents, we'll consult the technical contact on the SLA to get the applicable CAS service url(s). IAMO is developing a web application to submit SLAs and maintain CAS service urls; however, no target date has been set yet for completion.
Installing and Configuring CAS in your web server (information for server administrators)
Lots of information can be found on the CAS Client Home Page. You can easily CASify any WAR in Tomcat; see the Java client page for details. CASifying Apache applications has been done with mod_auth_cas, although some have used mod_perl with the Perl client, or phpCAS, to avoid dealing with compiling mod_auth_cas.
BoilerWeb April 2011 CAS Presentation
The presentation slides can be found here.
Purdue's Production CAS Server urls:
- loginUrl: https://www.purdue.edu/apps/account/cas/login
- validateUrl: https://www.purdue.edu/apps/account/cas/serviceValidate or https://www.purdue.edu/apps/account/cas/samlValidate
- logoutUrl: https://www.purdue.edu/apps/account/cas/logout
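The following is an added example, not code from IAMO or from the CAS project, showing the client side of the flow this page describes: building the login redirect with the registered CAS service url, building the serviceValidate ticket check against the production validateUrl listed above, and parsing the XML response to pull out the login and the attributes (the puid/name mapping described under "Authorization and CAS Server Versions"). The production endpoint URLs are the ones listed on this page; the service url `https://app.example.edu/cas-callback`, the ticket value, the user `jdoe` and the attribute names `puid` and `displayName` in the constructed sample responses are assumptions for illustration, since the exact attribute names are only shown on the IAMO test page.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Production CAS endpoints as listed on this page.
LOGIN_URL = "https://www.purdue.edu/apps/account/cas/login"
VALIDATE_URL = "https://www.purdue.edu/apps/account/cas/serviceValidate"
LOGOUT_URL = "https://www.purdue.edu/apps/account/cas/logout"

# Namespace used by CAS protocol responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# The application's registered CAS service url (assumed value). Ticket checks
# are authorized by this exact url, so it must match what is on the SLA.
REGISTERED_SERVICE = "https://app.example.edu/cas-callback"

# CAS service tickets begin with "ST-"; reject anything else before it reaches the server.
TICKET_RE = re.compile(r"^ST-[A-Za-z0-9._-]{1,256}$")


def login_redirect_url(service_url: str = REGISTERED_SERVICE) -> str:
    """URL the browser is sent to; CAS shows service_url as 'You have asked to login to:'."""
    return LOGIN_URL + "?" + urlencode({"service": service_url})


def validate_request_url(ticket: str, service_url: str = REGISTERED_SERVICE) -> str:
    """Server-to-server ticket check. The service value must be the same url the
    browser was redirected to, or the CAS server rejects the ticket."""
    if service_url != REGISTERED_SERVICE:
        raise ValueError("service url is not the registered CAS service url")
    if not TICKET_RE.match(ticket):
        raise ValueError("malformed CAS service ticket")
    return VALIDATE_URL + "?" + urlencode({"service": service_url, "ticket": ticket})


def parse_service_validate(xml_text: str) -> dict:
    """Parse a serviceValidate response into {'user': ..., 'attributes': {name: [values]}}.
    Raises ValueError on authenticationFailure so callers cannot mistake it for success."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
        message = (failure.text or "").strip() if failure is not None else ""
        raise ValueError(f"CAS validation failed: {code} {message}".rstrip())
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    if not user:
        raise ValueError("CAS response has authenticationSuccess but no cas:user")
    attributes: dict = {}
    attr_el = success.find("cas:attributes", CAS_NS)
    if attr_el is not None:
        for child in attr_el:
            name = child.tag.split("}", 1)[-1]  # strip the namespace
            attributes.setdefault(name, []).append((child.text or "").strip())
    return {"user": user, "attributes": attributes}


# Constructed sample responses (not captured from the Purdue server).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:puid>0012345678</cas:puid>
      <cas:displayName>Jane Doe</cas:displayName>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-0000-example not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(login_redirect_url())
    print(validate_request_url("ST-0000-example"))
    result = parse_service_validate(SAMPLE_SUCCESS)
    # Key application records on the puid attribute, not on the login.
    print(result["user"], result["attributes"].get("puid"))
```

In a real deployment the validate url is fetched server-side over TLS with certificate verification, and the puid attribute, rather than the login, is used as the database key as the page recommends; the page's samlValidate endpoint returns a SAML envelope instead of this XML and needs a different parser.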
CAS BoilerKey support
The Purdue CAS server now supports authenticating with the Purdue BoilerKey. Please see the CAS BoilerKey configuration page for more information.
Please contact firstname.lastname@example.org.