CAS Single sign-on cobwebs--"SSO"

First, what is CAS?

Cas=central Authentication Service, central authentication Services, an independent start instruction protocol. CAS is an open source project launched by Yale University, which aims to provide a reliable single sign-on approach to Web application systems.

Ii. What the CAS consists of

CAS consists of two parts: CAS client and CAS Server.

　　CAS client: Responsible for handling access requests to client-protected resources

CAS Server: Requires independent deployment and is primarily responsible for authenticating users.

CAs contains tgt st , PGT , pgtiou , pt Five notes information, in the Itoo project, we mainly use the TGT, St notes, TGC Cookies.

Tgt:ticket grangting Ticket, which mainly encapsulates the user information corresponding to the cookie value and the cookie value.

St:service Ticket is a ticket issued by CAs to access a Service, primarily for users.

Tgc:ticket-granting cookies, which are cookies that store user authentication credentials, are used when communicating between the browser and the CAS server and can only be based on secure channel Transport (HTTPS), which is the credential that CAS server uses to identify the user.

Three, CAS working principle

background: The user first access the system, once logged in the rights system, you can access the underlying system, no need to log in again.

User access and Logon success:

1. Terminal access System, enter the access rights system URL

2,3. Since there is no St information at the beginning of the terminal, the browser automatically redirects to the CAS server side.

4. Because the CAS server side does not have TGT information, the address redirects to the landing page again, enter the user name and password

5. Write a cookie to form TGC to the Terminal browser and pass St to the terminal while generating the TGT to the CAS server side

6. Re-access the system and carry St

7. Go to the CAS server side to verify the St again, verify success

8. Save the build user object to the page

The user continues to access the underlying system without having to log in again:

1. Enter the base system URL, the terminal local no ST information

2,3.CAs client primarily protects protected resources through filter redirection to CAS Server

4.CAS issuing notes St to browser based on local TGT

5. The browser accesses the underlying system again, carrying St

6. go to CAS service again to verify that the authentication is successful and the underlying system can be accessed without logging in.

Iv. Summary

CAS compared to our previous login, in addition to the user name and password authentication, there is a login unique identity-ticket verification. CAS let login become more secure, users in different systems may use different roles, with a single sign-on, only need a user name, password, you can more than one system between the unimpeded. CAS is actually very simple, the user information generation TGT,TGT release St, the middle of the less step, from the lack of steps on the previous step again to be good.

Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.

CAS Single sign-on cobwebs--"SSO"