Mvc4 One-point login CAs Brief introduction

backgrounda few days ago wrote a blog net Single sign-on (SSO), but in this blog is done under the ASP., there is no problem, but after switching to MVC, the problem is one after another, then there is no way to think about it or someone else has written it, Do not use the things you write, one is unstable, and the other is a lot of defects! And then you start looking! Finally decided to use CAs to do! SSO Introduction

SSO English full name singlesign on, Single sign-on. SSO is a multi-application system in which users can access all trusted applications with only one login.

CAS = Centralauthentication service, central authentication services. CAS (central authentication Service) is a good single sign-on framework for WEB applications.

SSO has a lot of solutions, such as charging Utrust, HP smart, etc., open source has CAs, Smart SSO, etc., of which the most widely used is CAs.

Working principle

CAS is structurally two-part, CAS server is a Web application that needs to be deployed independently, and CAS client provides support for a very wide range of clients, which refers to various web applications in a single sign-on system, including Java,. Net, PHP, Perl, Apache, Uportal, Ruby and so on.

CAS Principles and protocols

CAS Server needs to be deployed independently, mainly responsible for the user's certification work;

The CAS client is responsible for processing access requests to the client's protected resources and redirecting to the CAS Server when it is required to log on. The diagram is the most basic protocol process for CAS:

The CAS client is deployed together with protected client applications to protect protected resources in a filter manner. For each WEB request that accesses a protected resource, CAS Client parses the request for an Http request that contains the service Ticket, which is issued by CAS server to identify the target service.

if not, the current user is not logged in, then redirects the request to the specified CAS Server login address and passes the Service (that is, the destination resource address to be accessed) so that the login succeeds back to the address. If there is, the current user is logged in and accesses the destination resource address directly.

The user enters the authentication information, if the login succeeds, CAS Server randomly generates a fairly long, unique, non-counterfeit Service Ticket, and caches it for future verification, then the system automatically redirects to the Service address and sets a Ticket for the client browser Granted Cookie (CAS session ID)

After the CAS Client gets the service and the newly created Ticket, it is in 5th, 6 steps with casserver to ensure the legitimacy of the service Ticket.

In this protocol, all interactions with CAS are SSL-based, ensuring the security of ST and TGC. There are 2 redirects during the protocol work process, but the process of Ticket authentication between CAs Client and CAS Server is transparent to the user.

In addition, the CAS protocol provides proxy mode to accommodate more advanced and complex application scenarios, with reference to the relevant documents on the CAS official website.

Mvc4 One-point login CAs Brief introduction