CAS Information

Introduction

The Identity and Access Management Office (IAMO) offers a web single sign-on service, using the Central Authentication Service (CAS). IAMO is running CAS version 3.5.3 as of 8/2/2015. Implementing CAS 4.x is currently targeted for early 2016.

Since CAS 4.x is now the official release branch, CAS 3.x information is a little harder to find. You may be able to find some useful information from the Central Authentication Service website.

Please also see the IAMO homepage for an overview of all of the IAMO web authentication offerings. To request CAS services, complete the Single Sign-on Request Form.

Benefits of Using CAS vs. I2A2 For Web Authentication

Many web servers on campus already use I2A2 for Purdue Career Account authentication, so why use the CAS service? (Many thanks to the folks in the College of Science for creating the following list of benefits.)

  • Better password security — CAS mitigates the risk of compromising passwords by deferring the handling of Purdue Career Account passwords to the CAS server, instead of having each I2A2-enabled web server collecting credentials on its own login page and passing them to the I2A2 server.
  • More consistent user authentication experience - Every web application using CAS utilizes the same login screen from the same URL, which reassures users and obviates the need for each individual web application to maintain its own login screen. Here is what the Jasig Central Authentication Service screen looks like at Purdue.
  • Provides single sign-on — Potentially unifies Purdue's web applications by providing a single sign-on. Once a user has authenticated to CAS, they do not have to re-enter their username/password for each CASified web application.
  • Saves staff resources — It is easy for a web developer or system administrator to integrate CAS into an application or web server. No separate authentication mechanism and login page need be created and maintained.
  • Great compatibility — Multiple client libraries and web server modules/filters are available.
  • Open source — CAS is not Purdue specific; this means there is a larger support environment.
  • Easily extendible — Allows web servers to immediately take advantage of additional authentication methods. For example, tokens can be used with CAS.
  • Better user support — CAS allows for centralized Purdue Career Account authentication assistance, available via the ITaP Customer Service Center.

Authorization and CAS Server Versions

The Purdue CAS server deployment passes the Career Account login of the authenticated user back to the CAS client. However, it is good practice to use the PUID instead of the login as a key in application databases. To let an application obtain the PUID, name and I2A2 characteristics for the authenticated login, the IAMO provides several options for mapping a login to PUID/name/characteristics, listed here in order of preference:

  • attributes from the CAS server via a serviceValidate CAS ticket check
  • attributes from the CAS server via a samlValidate CAS ticket check
  • IAMO LDAP interface
  • IAMO web service interface

We have a test page available to help demonstrate the attribute names and format available.
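
The serviceValidate check listed first above, as an added Python example that is not IAMO or CAS project code: it builds the validation request against the production validateUrl given on this page and parses the CAS 2.0 XML reply into the login and its attributes. The `cas:attributes` layout, the attribute names `puid` and `fullname`, and all sample values are assumptions constructed for illustration; the IAMO test page shows the real names and format.

```python
import urllib.parse
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 protocol namespace
VALIDATE_URL = "https://www.purdue.edu/apps/account/cas/serviceValidate"  # from this page

def build_validate_url(service, ticket):
    """URL the application fetches server-side to check a ticket.
    `service` must be the same URL the user was sent to loginUrl with."""
    query = urllib.parse.urlencode({"service": service, "ticket": ticket})
    return VALIDATE_URL + "?" + query

def parse_service_validate(xml_text):
    """Return (login, attributes) on success; raise ValueError otherwise."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD in CAS response")
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError("CAS rejected ticket: " + failure.get("code", "UNKNOWN"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    user = success.find("cas:user", CAS_NS) if success is not None else None
    if user is None or not (user.text or "").strip():
        raise ValueError("no authenticated user in CAS response")
    attrs = {}
    for el in success.findall("cas:attributes/*", CAS_NS):
        name = el.tag.split("}", 1)[-1]  # strip the XML namespace
        attrs.setdefault(name, []).append((el.text or "").strip())
    return user.text.strip(), attrs

# Constructed sample responses; attribute names and values are placeholders.
SAMPLE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:puid>0000000000</cas:puid>
      <cas:fullname>Jane Doe</cas:fullname>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    login, attrs = parse_service_validate(SAMPLE_OK)
    print(login, attrs["puid"][0])  # key application records on the PUID
```

The application treats the user as authenticated only when `parse_service_validate` returns; any `ValueError` means the ticket was rejected or the reply was not a usable success response.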

Requesting WSLDAP Authentication Services

To obtain access to the Purdue IAMO LDAP server, you will first need to complete the WSLDAP Request Form.

Installing and Configuring CAS in Your Web Server (Information for Server Administrators)

Lots of information can be found on the CAS Client Home Page. You can easily CASify any WAR in Tomcat; see the Java client page for details. CASifying Apache applications has been done with mod_auth_cas, although some have used mod_perl with the Perl client or phpCAS to avoid dealing with compiling mod_auth_cas.

BoilerWeb April 2011 CAS Presentation

Here are the CAS presentation slides.

Purdue's Production CAS Server URLs:

   loginUrl: https://www.purdue.edu/apps/account/cas/login
validateUrl: https://www.purdue.edu/apps/account/cas/serviceValidate
          or https://www.purdue.edu/apps/account/cas/samlValidate
  logoutUrl: https://www.purdue.edu/apps/account/cas/logout
        

CAS Token Support

The Purdue CAS server now supports authenticating with the Purdue token. 

QUESTIONS?

Please contact accounts@purdue.edu.