1. Concept
Single Sign On (SSO) is one of the most popular solutions for enterprise business integration. SSO enables, you only need to log on once to access all mutually trusted application systems. CAS (Central Authentication Service) is a good single sign-on Framework for Web applications.
1. CAS
CAS (Central Authentication Service) is a good single sign-on Framework for Web applications.
(1) Principles and protocols
CAS includes two parts: CAS server and CAS client.
CAS servers must be deployed independently and are mainly responsible for user authentication;
The CAS client is responsible for processing access requests to the protected resources of the client. When you need to log on, redirect to the CAS server.
CAS client and protected client applications are deployed together to protect protected resources in filter mode. For each Web request that accesses protected resources, the CAS client analyzes whether the HTTP request contains service ticket. If not, the current user has not logged on, therefore, the request is redirected to the specified CAS server logon address, and the service (that is, the destination resource address to be accessed) is passed so that the address can be returned after successful logon. The user enters the authentication information in step 1. If the login succeeds, the CAS server randomly generates a fairly long, unique, and unfalsified service ticket, and caches it for future verification, then the system automatically redirects to the service address and sets a ticket granted cookie (TGC) for the client browser. After the CAS client obtains the service and the newly generated ticket, in step 5 and 6, perform proper identity with the CAS server to ensure the validity of the service ticket.
In this Protocol, all interactions with CAS adopt the SSL protocol to ensure the security of ST and TGC. There will be two redirection processes during the Protocol work, but the process of ticket verification between CAS client and CAS server is transparent to users.
In addition, the CAS Protocol also provides the proxy mode to adapt to more advanced and complex application scenarios. For details, refer to the relevant documents on the Official CAS website.
(2) Basic protocol 2. LDAP
LDAP (Lightweight Directory Access Protocol, Lightweight Directory Access Protocol) is an information service that provides a directory service. Directory Service is a special database system, which is specially optimized for reading, browsing, and searching operations. Directories are generally used to contain descriptive, attribute-based information and support fine and complex filtering capabilities. Directories generally do not support complex transaction management or roll-back policies required by General databases for a large number of update operations. Directory Service updates are generally very simple. This directory can store various information such as personal information, web links, and JPEG images. To access the information stored in the directory, you need to use the access protocol-LDAP running on TCP/IP.
Single Sign-on integrated solution