8/12/2019 Cas Presentation 20110407
1/19
4/7/2011 Purdue University Identity and Access Management 3
A detailed walk through a CAS authentication
(and how to get your mitts on the authenticated user)
Participants: Browser, CAS server, sampleapp
1) initial request
2) redirect to CAS login page with service=url_back_to_sampleapp_page
3) request CAS login page
4) html for CAS login page
5) POST login and password
6) set CASTGC cookie and redirect to sampleapp with ticket=ST
Step 1 initial request
The "sampleapp" application server is configured with a CAS client to require authentication for certain urls (in this example /test/)
User with browser accesses /test/ on sampleapp
If browser does not already have a session on sampleapp, sampleapp transfers control to the CAS client
If the CAS client does not see a ticket parameter in the request, user is redirected to the CAS login page with service=url_to_return_to, in this example http://localhost:8080/sampleapp/test/
Step 2 redirect to CAS login page
User is redirected to the CAS server for authentication
Application server (sampleapp) logs:
2011-03-29 09:16:46,843 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] -
2011-03-29 09:16:46,843 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] -
2011-03-29 09:16:46,844 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] -
Application server access log:
0:0:0:0:0:0:0:1 - - [29/Mar/2011:09:16:46 -0400] "GET /sampleapp/test/ HTTP/1.1" 302 -
Step 3 browser requests CAS login page
CAS server checks for its CASTGC cookie (ticket granting ticket); if it's there, the user is already authenticated via CAS, so skip to step 6 and redirect back to sampleapp with a service ticket
If no CASTGC is present, serve the browser the CAS login page
CAS server access log:
0:0:0:0:0:0:0:1 - - [29/Mar/2011:09:16:47 -0400] "GET /cas-server-uber-webapp-3.4.6/login?service=http%3A%2F%2Flocalhost%3A8080%2Fsampleapp%2Ftest%2F HTTP/1.1" 200 6935
Step 4 CAS server sends login page to browser
This is nice because application servers do not need to:
maintain their own login page
maintain login/password credentials to do the actual authentication
even see the password; it's between the browser and the CAS server
Step 5 browser POSTs login/password to CAS server
CAS server checks login and password; if authentication fails, serve another login page to the browser
Too many unsuccessful authentication attempts in a short period of time will result in a "lockout", where authentication will always fail for a 1 minute lockout period
CAS server access log:
0:0:0:0:0:0:0:1 - - [29/Mar/2011:09:16:52 -0400] "POST /cas-server-uber-webapp-3.4.6/login?service=http%3A%2F%2Flocalhost%3A8080%2Fsampleapp%2Ftest%2F HTTP/1.1" 302 -
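The lockout rule above, written out as an added example (not code from the slides or from the CAS server): a per-user sliding window of failed attempts that, once the threshold is crossed, rejects every attempt for a fixed lockout period even when the password is right. The threshold and window size are assumptions; the slide only gives the 1 minute lockout.

```python
# Failed-login throttle in the spirit of the CAS lockout described above.
# max_failures and window_seconds are assumed values, not CAS settings.
import collections
import time


class LoginThrottle:
    def __init__(self, max_failures=5, window_seconds=60, lockout_seconds=60):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = collections.defaultdict(collections.deque)  # user -> failure times
        self._locked_until = {}  # user -> time at which the lockout ends

    def locked_until(self, user, now=None):
        """Lockout expiry time for the user, or None when not locked out."""
        now = time.time() if now is None else now
        until = self._locked_until.get(user)
        if until is None:
            return None
        if now >= until:  # lockout over, forget it
            del self._locked_until[user]
            return None
        return until

    def attempt(self, user, password_ok, now=None):
        """Return True only if the password is right AND the user is not locked
        out.  During a lockout even a correct password is rejected; that is what
        makes the lockout bite against online guessing."""
        now = time.time() if now is None else now
        if self.locked_until(user, now) is not None:
            return False
        if password_ok:
            self._failures.pop(user, None)  # success clears the failure history
            return True
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # slide the window forward
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            recent.clear()
        return False
```

Keying the lockout on the username alone means anyone who knows a username can lock its owner out by sending garbage passwords; a production throttle usually also keys on source address or falls back to progressive delays rather than a hard refusal.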
Step 6 CAS server redirects back to application server
A ticket granting ticket (TGT)
Step 7 browser re
Step 8 application server checks the CAS service ticket sent by the browser in the url
CAS client preparing to check the service ticket:
2011-03-29 09:16:52,231 DEBUG [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] -
2011-03-29 09:16:52,232 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] -
CAS server access log:
127.0.0.1 - - [29/Mar/2011:09:16:52 -0400] "GET /cas-server-uber-webapp-3.4.6/serviceValidate?ticket=ST-1-bdgbwHIReBonmaudvxJl-cas&service=http%3A%2F%2Flocalhost%3A8080%2Fsampleapp%2Ftest%2F HTTP/1.1" 200 281
Note the client address: the serviceValidate call comes from the application server (127.0.0.1), not from the browser (0:0:0:0:0:0:0:1 in the earlier log lines). The ticket in the url is never trusted on its own; the application only learns who the user is from this back-channel check, and the service parameter sent here must be the same url that was sent to the login page in step 2.
Step 9 CAS server responds to ticket check
CAS server response (notice the NEW attributes!):
2011-03-29 09:16:52,327 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] -
You can test this now yourself against the new CAS server version 3.4.6 (which will become production in May 2011):
https://www.purdue.edu/apps/account/cas-server-uber-webapp-3.4.6/login
https://www.purdue.edu/apps/account/cas-server-uber-webapp-3.4.6/serviceValidate
Step 10 application server sends requested page
Some CAS clients (including the Java CAS client) can be configured to redirect the browser to the same url, but without the ticket parameter
Application server access log:
0:0:0:0:0:0:0:1 - - [29/Mar/2011:09:16:52 -0400] "GET /sampleapp/test/?ticket=ST-1-bdgbwHIReBonmaudvxJl-cas HTTP/1.1" 302 -
0:0:0:0:0:0:0:1 - - [29/Mar/2011:09:16:52 -0400] "GET /sampleapp/test/ HTTP/1.1" 200 202
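The application side of steps 1, 2 and 8 to 10, as an added example in Python (it is not the Java CAS client and not code from the slides): build the login redirect with the service parameter, pull the ticket off the callback url, make the serviceValidate call, parse the CAS 2.0 XML (user plus attributes, or an authenticationFailure), and finally redirect to the same url without the ticket. A constructed in-memory FakeCasServer stands in for the real server so the whole exchange runs offline; it issues single-use service tickets bound to one service url, which is the behaviour the real server's ticket check enforces. The user name and attribute values in the test data are made up.

```python
# Client side of the CAS 2.0 walk-through with a constructed stand-in for the server.
import html
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2.0 responses


class CasValidationError(Exception):
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


def login_redirect_url(cas_login_url, service):
    """Step 2: send the browser to CAS with service=<url to come back to>."""
    return cas_login_url + "?" + urlencode({"service": service})


def split_ticket(request_url):
    """Return (request url without the ticket parameter, ticket or None).  The
    first value is what goes to CAS as 'service' and is the post-validation
    redirect target, so it must match the url used in step 2 exactly."""
    parts = urlsplit(request_url)
    ticket, rest = None, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "ticket":
            ticket = value
        else:
            rest.append((key, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(rest), "")), ticket


def service_validate_url(cas_prefix, service, ticket):
    """Step 8: the back-channel GET from the application server to CAS."""
    return cas_prefix + "/serviceValidate?" + urlencode({"ticket": ticket, "service": service})


def parse_service_response(xml_text):
    """Step 9: CAS 2.0 XML -> {'user': ..., 'attributes': {name: [values]}}; raises
    CasValidationError on <cas:authenticationFailure>.  (ElementTree keeps the
    example short; parse responses from a real server with defusedxml.)"""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        if failure is None:
            raise CasValidationError("INVALID_RESPONSE", "no success or failure element")
        raise CasValidationError(failure.get("code", "UNKNOWN"), (failure.text or "").strip())
    user = success.findtext("cas:user", namespaces=CAS_NS)
    attributes = {}
    attr_el = success.find("cas:attributes", CAS_NS)
    if attr_el is not None:
        for child in attr_el:  # a multi-valued attribute repeats its element
            name = child.tag.rsplit("}", 1)[-1]  # drop the namespace
            attributes.setdefault(name, []).append((child.text or "").strip())
    return {"user": user, "attributes": attributes}


class FakeCasServer:
    """Constructed stand-in: single-use service tickets bound to one service url."""

    def __init__(self):
        self._tickets = {}  # ST id -> (service, user, [(attribute name, value)])

    def issue_service_ticket(self, service, user, attributes=()):
        """Step 6: what CAS does after a successful login POST."""
        st = "ST-" + secrets.token_urlsafe(16)
        self._tickets[st] = (service, user, list(attributes))
        return st

    def service_validate(self, url):
        query = parse_qs(urlsplit(url).query)
        ticket, service = (query.get(k, [""])[0] for k in ("ticket", "service"))
        entry = self._tickets.pop(ticket, None)  # popping makes the ticket single use
        if entry is None:
            return self._failure("INVALID_TICKET", f"ticket '{ticket}' not recognized")
        bound_service, user, attrs = entry
        if bound_service != service:
            return self._failure("INVALID_SERVICE", "ticket was issued for another service")
        attr_xml = "".join(f"<cas:{k}>{html.escape(v)}</cas:{k}>" for k, v in attrs)
        return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                f"<cas:authenticationSuccess><cas:user>{html.escape(user)}</cas:user>"
                f"<cas:attributes>{attr_xml}</cas:attributes></cas:authenticationSuccess>"
                "</cas:serviceResponse>")

    @staticmethod
    def _failure(code, message):
        return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                f"<cas:authenticationFailure code='{code}'>{html.escape(message)}"
                "</cas:authenticationFailure></cas:serviceResponse>")


def handle_request(request_url, session, cas, cas_login_url, cas_prefix):
    """One pass through the client filter chain for a protected url.
    Returns ('page', user), ('redirect', url) or ('forbidden', error code)."""
    if "user" in session:  # step 1: an existing session never touches CAS
        return ("page", session["user"])
    service, ticket = split_ticket(request_url)
    if ticket is None:  # step 2
        return ("redirect", login_redirect_url(cas_login_url, service))
    xml_text = cas.service_validate(service_validate_url(cas_prefix, service, ticket))  # step 8
    try:
        assertion = parse_service_response(xml_text)  # step 9
    except CasValidationError as err:
        return ("forbidden", err.code)
    session["user"], session["attributes"] = assertion["user"], assertion["attributes"]
    return ("redirect", service)  # step 10: same url, ticket parameter removed
```

Two failure modes are worth exercising: replaying a ticket that has already been validated, which the server rejects because the ticket was consumed, and presenting a ticket that was issued for a different service url, which the server rejects because the ticket is bound to the url given at login time.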
Java CAS client
https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1
Previous example used version 3.1.10
Looking at one CAS client will help understand how any of them will need to be configured. The next two slides show the web.xml to configure the Java CAS client for the previous example
CAS Authentication Filter
  filter-class: org.jasig.cas.client.authentication.AuthenticationFilter
  casServerLoginUrl: https://www.purdue.edu/apps/account/cas-server-uber-webapp-3.4.6/login
  serverName: http://localhost:8080
CAS Validation Filter
  filter-class: org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
  casServerUrlPrefix: https://www.purdue.edu/apps/account/cas-server-uber-webapp-3.4.6
  serverName: http://localhost:8080
  redirectAfterValidation: true
  exceptionOnValidationFailure: false
Continued web.xml for Java CAS client configuration
CAS HttpServletRequest Wrapper Filter
  filter-class: org.jasig.cas.client.util.HttpServletRequestWrapperFilter
Filter mappings (url-pattern):
  CAS Authentication Filter: /test/*
  CAS Validation Filter: /test/*
  CAS HttpServletRequest Wrapper Filter: /test/*
CAS is not just for web applications
Browsers hold CAS state with a cookie (called CASTGC, which holds a CAS ticket granting ticket, TGT), but any client, such as a mobile app, can obtain and store a TGT
See https://wiki.jasig.org/display/CASUM/RESTful+API
Example:
POST a username and password to https://CAS_SERVER_URL/v1/tickets (with Accept: text/plain as a header)
And if the login/password check out, the server sends back
201 Created
Location: https://CAS_SERVER_URL/v1/tickets/{TGT id}
If authentication fails, the server returns a 400 code
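The REST exchange above as an added Python example (not the CAS project's code and not from the slides): POST username and password to /v1/tickets, take the TGT id from the Location header on a 201, and treat anything else as a rejection. It goes one step past the slide and also turns the TGT into a service ticket by POSTing service=<url> to /v1/tickets/{TGT id}, which the linked RESTful API page describes as returning the ST in the body of a 200; that step and its status codes are taken from that page, not from this slide. The HTTP transport is injectable: urllib_transport talks to a real server, while the constructed FakeCasRest answers the two endpoints in memory so the example runs offline. The host name, the user name and the 404 the fake returns for an unknown TGT are made up.

```python
# CAS REST API client for non-browser clients: a TGT from username/password, then
# service tickets from the TGT.  Hostnames and credentials below are constructed.
import secrets
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode

FORM = {"Accept": "text/plain", "Content-Type": "application/x-www-form-urlencoded"}


class CasRestError(Exception):
    def __init__(self, status, message):
        super().__init__(f"HTTP {status}: {message}")
        self.status = status


def urllib_transport(method, url, headers, body):
    """Real transport: (status, headers dict, body text); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode(), dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()


class CasRestClient:
    def __init__(self, cas_base_url, transport):
        self.base = cas_base_url.rstrip("/")
        self.transport = transport  # callable(method, url, headers, body) -> (status, headers, body)

    def get_tgt(self, username, password):
        """POST credentials to /v1/tickets; the TGT id is the last path element of Location."""
        status, headers, _ = self.transport(
            "POST", self.base + "/v1/tickets", FORM,
            urlencode({"username": username, "password": password}))
        if status != 201:  # the slide documents 400 for rejected credentials
            raise CasRestError(status, "credentials rejected")
        location = {k.lower(): v for k, v in headers.items()}.get("location", "")
        prefix = self.base + "/v1/tickets/"
        if not location.startswith(prefix) or "/" in location[len(prefix):]:
            raise CasRestError(status, "unexpected Location header")
        return location[len(prefix):]  # a bearer secret: keep it out of logs and store it like a password

    def get_service_ticket(self, tgt, service):
        """POST service=<url> to /v1/tickets/<TGT>; a 200 carries the ST in the body."""
        status, _, body = self.transport(
            "POST", f"{self.base}/v1/tickets/{tgt}", FORM, urlencode({"service": service}))
        if status != 200 or not body.strip().startswith("ST-"):
            raise CasRestError(status, "no service ticket issued")
        return body.strip()


class FakeCasRest:
    """Constructed stand-in for the two REST endpoints; not a CAS implementation."""

    def __init__(self, base, users):
        self.base, self.users, self.tgts = base.rstrip("/"), users, {}

    def __call__(self, method, url, headers, body):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if method == "POST" and url == self.base + "/v1/tickets":
            if self.users.get(form.get("username")) != form.get("password"):
                return 400, {}, "bad credentials"
            tgt = "TGT-" + secrets.token_urlsafe(12)
            self.tgts[tgt] = form["username"]
            return 201, {"Location": f"{self.base}/v1/tickets/{tgt}"}, ""
        if method == "POST" and url.startswith(self.base + "/v1/tickets/"):
            tgt = url.rsplit("/", 1)[1]
            if tgt not in self.tgts or not form.get("service"):
                return 404, {}, "unknown TGT"  # status chosen for the fake
            return 200, {}, "ST-" + secrets.token_urlsafe(12)
        return 404, {}, "no such endpoint"
```

Unlike the browser flow, a REST client does see the password, so the trade-off is that the application now holds credentials; the TGT it gets back is a long-lived bearer token that should go into the platform keystore rather than a plain file, and the client should only ever send it over TLS to the CAS host it was issued by.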
Initiatives for later this year
Ability to use BoilerKey for CAS authentication
If BoilerKey is used, the CAS server will expose an extra attribute, returned by the ticket check, that indicates that the authentication was a BoilerKey authentication
Separate mobile app CAS login page
Application server administrators will be able to manage CAS ticket check server lists via a web page
Check for more at https://www.purdue.edu/apps/account/docs/CAS/CAS_information.jsp
https://www.purdue.edu/apps/account/IAMO/Purdue_CareerAccount_BoilerKey.jsp
Thanks for your attention!
Questions?
Purdue Identity and Access Management can be reached at accounts@purdue.edu
Please fill out an evaluation at http://www.itap.purdue.edu/boilerwebsurvey