Texas A&M University - Infrastructure Services

CAS Overview

The Central Authentication Service (CAS) is an authentication service originally created by Yale University to provide a trusted way for an application to authenticate a user. CAS became a JA-SIG project in December 2004. It is used extensively at Texas A&M as a secure authentication mechanism. It also supports Web Initial SignOn and Single SignOn operations via cookies shared between the browser and the CAS server.

The big advantage of a central authentication service such as CAS is that it eliminates the need for application developers to manage user accounts. The developer can focus on the application instead of on how to assign userids, store passwords, and implement the various rules and regulations pertaining to logins. As deployed at Texas A&M, the CAS server enforces rules covering password strength, aging, history, and invalid login attempts. The passwords are securely stored in Kerberos and are never passed to or from the application. The developer never sees the password and receives a CAS ticket only upon a successful login.

A central service also helps reduce redundancy and duplication of effort. Prior to the CAS deployment, each application had to include a customer account management module or service. Each time policies or procedures changed, every application had to be updated to reflect the change. A separate service, implemented independently of the application and callable via a defined protocol, centralizes the enforcement of account rules. It also allows rapid removal of services should an account need to be turned off quickly. Just disabling the account in the directory stops the customer from accessing all CAS-enabled applications.

Furthermore, in the CAS deployment at Texas A&M, the response to a CAS login includes both the customer's NetID and UIN. Applications can therefore be developed using the UIN as a key for persisting data. NetID management is handled by CIS as part of its Directory Services application suite. Adding accounts, activating the NetID, deleting accounts when appropriate, and blocking services due to expired passwords or failure to complete Security Awareness Training are all integrated into the CAS service.
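The login flow described above (the application redirects to CAS, CAS returns a ticket only after a successful login, and the application validates that ticket with the CAS server and reads back the NetID and UIN) as an added example; this is not code from the Texas A&M CAS deployment. The CAS base URL, service URL, and the `uin` attribute name are assumptions, and the XML responses are constructed samples in the standard CAS 2.0 format.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used by CAS XML responses

def login_url(cas_base, service):
    # Step 1: the application redirects the browser here. The password is
    # entered on the CAS server only; the application never sees it.
    return f"{cas_base}/login?{urlencode({'service': service})}"

def validate_url(cas_base, service, ticket):
    # Step 2: CAS sends the browser back to `service` with ?ticket=ST-...;
    # the application then calls the CAS server directly (over SSL) to
    # validate the ticket. `service` must match the value sent at login.
    return f"{cas_base}/serviceValidate?{urlencode({'service': service, 'ticket': ticket})}"

def parse_validation(xml_text):
    # Step 3: interpret the validation response. Any response without an
    # authenticationSuccess element is treated as a failed login and the
    # CAS error code is returned, so a failure body is never mistaken for a login.
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code", "UNKNOWN") if failure is not None else "MALFORMED"
        return {"ok": False, "code": code}
    attrs = {}
    attr_el = success.find("cas:attributes", CAS_NS)
    if attr_el is not None:
        for child in attr_el:
            # Drop the namespace prefix; attribute text is often padded with whitespace.
            attrs[child.tag.split("}")[-1]] = (child.text or "").strip()
    user = success.findtext("cas:user", namespaces=CAS_NS)  # the NetID
    return {"ok": True, "user": user, "attributes": attrs}

# Constructed sample responses (not captured from a real CAS server).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:uin> 123004567 </cas:uin>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_url("https://cas.example.edu/cas", "https://app.example.edu/cb"))
    print(parse_validation(SAMPLE_SUCCESS))
    print(parse_validation(SAMPLE_FAILURE))
```

The application keys its records on the `uin` attribute rather than on the password, which never reaches it; a rejected or malformed validation response produces `ok: False` and must not create a session.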

An additional feature of CAS is the Single SignOn option. This feature minimizes the number of times a customer must enter their password to access an application. When a customer signs on via CAS, the CAS server stores a secure cookie in the browser and keeps the matching session in memory on the CAS server. During each subsequent login, this cookie is examined and verified. If the cookie is valid, the customer is logged in via the Single SignOn function and is not challenged again for their userid and password. If the cookie is not valid, a new session is created. Using this mechanism, a customer can log in to a CAS application in the morning and access a number of CAS-enabled applications throughout the day without ever re-entering their login credentials. Not only is this convenient for the customer, it also improves security by minimizing the number of times the password is sent across the network.

CAS is a secure service in that all communication between the application and the CAS server is through SSL-encrypted connections. The connection between CAS and the LDAP directory is also encrypted. Finally, the bind to the directory is made using the customer's own account, not a privileged userid. This confines the scope of the bind to a single LDAP entry: if a login credential is compromised, it affects a single account and does not expose the entire directory.

More Info

For more information on CAS, please reference the official site at: