How CAS implements SSO single-point logon and how cassso is implemented

How CAS implements SSO single-point logon and how cassso is implemented

Security:

Users only need to enter the user name and password in cas, and then bind the user through ticket. The cas client verifies the user through ticket and does not transmit the password online, so security can be ensured, password is not stolen

Principle: 1 cookie + N sessions

CAS creates cookies when logging on to all applications. Each application creates its own session in IE to identify whether the application has logged on.

Cookie: used when cas is used to log on to various applications, so that only one user password is required.

Session: each application creates its own session to indicate whether to log on.

Login

1. Process CAS Logon:

Step 1: cas add cookie (TGC) to the browser)

CAS sends a so-called "memory cookie" to the browser ". This cookie is not actually stored in the memory, but automatically expired as soon as the browser is closed. This cookie is called "ticket-granting cookie", which indicates that the user has successfully logged on.

This Cookie is an encrypted Cookie that stores user login information. Used to log on to other application clients in the future.

Step 2: cas simultaneously creates a ticket to redirect to the original cas Client

After successful authentication, the CAS server creates a long, randomly generated String called "Ticket ". CAS then associates the ticket with the successfully logged-on user and the service. This ticket is a one-time credential, which is used only once for successfully logged-on users and their services. Expired immediately after use.

2. Cas client applicationAProcessing

Step 1: Submit the verification ticket to cas after receiving the ticket

Cas ClientAfter receiving the ticket, the application needs to verify the ticket. This is achieved by passing ticket to a validation URL. The verification URL is also provided by the CAS server. CAS obtains ticket through the verification path and determines it through the internal database. If it is determined to be valid, a NetID is returned to the application. CAS then voided ticket and left a cookie on the client. (Who will create a cookie ?),

Step 2: Create a session after ticket Authentication

No ticket is available when you log on to this application later, but IE can provide a session to obtain casreceept from the session, and verify that if the application has been authenticated, access to this application is allowed,

So far, CAS records that the user has logged on to application

3. log on to the applicationBHow to handle

When you enter application B, the user will first redirect to the CAS server. However, the CAS server does not require the user to enter the user name and password. Instead, it automatically searches for cookies and logs on based on the information saved in the cookies. CAS also redirects application B to cas for verification (the process is the same as that of application A for verification). If the verification succeeds, application B creates the session record casreceipinformation to the session, log on to application B with this session later.

So far, CAS records that the user has logged on to application A and application B. However, when the user logs out of cas on application B, application A should be notified to log out, how can I notify app?

Logout　　　

After CAS server accepts the request, it detects the user's TCG Cookie, clears the corresponding session, and finds all the application server URLs that are logged on through the TGC sso to submit the request, all callback requests contain the logoutRequest parameter in the following format:

<Samlp: LogoutRequest ID = "[random id]" Version = "2.0" IssueInstant = "[current date/TIME]">
<Saml: NameID> @ NOT_USED @ </saml: NameID>
<Samlp: SessionIndex> [session identifier] </samlp: SessionIndex>
</Samlp: LogoutRequest>

All application servers that receive the request will parse this parameter and obtain the sessionId. After obtaining the session Id, the session will be deleted.
In this way, the single-point logout function is implemented.
 

Client implementation:

First, you must add the following configuration to implement single sign out in web. xml on the application side of the application Server:

<Filter>
<Filter-name> CAS Single Sign Out Filter </filter-name>
<Filter-class> org. jasig. cas. client. session. SingleSignOutFilter </filter-class>
</Filter>

<Filter-mapping>
<Filter-name> CAS Single Sign Out Filter </filter-name>
<Url-pattern>/* </url-pattern>
</Filter-mapping>

<Listener>
<Listener-class> org. jasig. cas. client. session. SingleSignOutHttpSessionListener </listener-class>
</Listener>

NOTE: If CAS client Filter is configured, the CAS Single Sign Out Filter must be placed before the CAS client Filter.

The configuration part aims to implement session clarity when CAS server calls back all applications for single-point logout.

 

 On the server side, applications that have been logged on will be saved on the server side. Therefore, the server separately clears sessions for each application by sending http requests.

After reading the following browser cookie changes, we will have a deeper understanding of cas.

Download httpwatch to monitor cookie changes

Client message process

1. First VisitHttp: // localhost: 8080/,

CLIENT: no ticket and no message in the SESSION.

CAS: users are required to log on if TGC is not available.

2. Jump back after successful authentication

CAS: generate the ST through TGT and send it to the client. The client saves the TGC and redirectsHttp: // localhost: 8080/

CLIENT: Only CAS verification tickets are sent to the backend without a ticket (this process cannot be seen in the browser)

3. First VisitHttp: // localhost: 8080/B

CLIENT: no ticket and no message in the SESSION.

CAS: extracts the TGC from the client. If the TGC is valid, it is sent to the user ST and verified in the background for SSO. [How can I notify other systems to update the SESSION information when a logon or logout fails ?? This. services. put (id, service) in the TicketGrantingTicketImpl grantServiceTicket method; it can be seen that the CAS side has recorded the current login subsystem]

4. Access againHttp: // localhost: 8080/

CLIENT: No ticket, but there is a message in the SESSION, so no jump or CAS authentication ticket is required, allowing users to access

Who has simple SSO implementation code (preferably using struts1 or JSP + Servlet )?

Www.51aspx.com/CV/SSO/
This mainly uses asp.net
Lightweight Single Sign-on system source code
Implementation principle:
Use the <script type = "text/javascript" src = "localhost: 7771 /... portal "> </script>: remotely call the script on the Single Sign-on system to obtain the encrypted user logon ticket information and automatically bind it to the corresponding fields in the current form, and automatically submitted to the background. The background decrypts the user logon ticket information submitted by the foreground to determine whether the user has successfully logged on to the single-point logon system. If the user has logged on to the system home page, if the user has not logged on to the system, go to the Single Sign-on system logon page. Use DES to encrypt user login ticket information. Different application systems use different keys.
Development Environment (VS2008 + Eclipse3.2)
The Lightweight Single Sign-on system solution includes the following items:
1. Public component SSOLab. SSOServer. Components
2. Single Sign-on system SSOLab. SSOServer. WebApp
3. Demonstration of the Enterprise Portal System SSOLab. Portal. WebApp
4. Demonstration of SSOLab. APP1. WebApp in the Human Resource Management System
5. Financial Management System demonstration SSOLab. APP2. WebApp
Reference: 51 Aspx

One OA system has enabled CAS single-point logon. How can I add the HR system?

Zhiyuan collaborated with the OA system for excellent security and well-designed and standardized security. The price is reasonable, and the after-sales service is even better. In addition, it is developed using J2EE, And the development platform itself has high security and stability. In addition, his permissions are controlled to every functional menu, button, and file, which is very meticulous and cannot be seen without permissions. Zhiyuan uses automatic data backup to ensure stable and reliable performance. Centralized data access control prevents data leakage. Provides data backup tools to protect system data security, implement multi-level permission control, complete password verification and logon verification mechanisms, and powerful system logs and geographic location tracking functions to enhance system security. The USB User KEY Secure Login solution provided by Zhiyuan OA significantly improves the login security. Even if the password is leaked, the user identity cannot be impersonated. Zhiyuan OA's built-in online editing component for Office documents can effectively improve the security of classified documents. Zhiyuan OA's built-in workflow form handwritten signature component ensures the security of the workflow form data transmission process. In the Internet era, software product Update Services are particularly important. OA provides a complete software upgrade system, allowing users to quickly obtain software updates through the user service area. Technical staff often solve the problem and provide update programs within several minutes of discovering the error report.