Jasig Central Authentication Service: tickets for the tubes

I’ve been recently fiddling with Jasig’s CAS, an outstanding product which allows organizations to seamlessly centralize their login procedures and deploy single sign-on for the web. I call this Kerberos for the Inteet, since the authorization is ticket-based (just as in Kerberos) but you don’t need to expose your KDC to the Inteet or make assumptions on your user’s operating system setup.

Let’s assume you have several existing applications running in an Apache webserver. Let them be Tomcat-contained applications using mod_jk, Ruby, Python or Perl applications using either FastCGI, the mod_* preprocessors or the plethora of app-executing environments available for other programming languages. You don’t need to modify (or, as we call it, CASify) your applications to deploy centralized, controlled, single-sign-on authentication.

Since CAS only provides authentication (and not authorization, that is, it won’t grant users roles or permissions, and that makes sense since CAS is not aware of application capabilities) you only need to trust in the Web server’s REMOTE_USER HTTP variable. Of course, there’s a mod_auth_cas around for Apache which allows you to protect any part of your application with CAS. Or better yet, CAS-enable any part of your application. Talk about powerful.

Of course, you can always CASify your application by using libraries for your specific programming language which gets the ticket granting ticket and requests other tickets to CAS. In some cases, I even assume that’s the only available scenario, since inferior Web servers such as IIS might not have feasible solutions for the enterprise user.

Authentication is handled using authentication backends. Right, you weren’t expecting CAS to handle users and passwords in-memory. I’m using LDAP with OpenLDAP (of course) but RADIUS, JDBC (that is, any SQL database), X.509 client certs (fully passwordless solution, if you want to) and even SPNEGO for Kerberos are available and distributed among CAS. You’ll still need to build then using Maven but that’s not a problem (though Maven seems like an awkward build manager) and configuration is handled in detail on the Wiki.

Specially when compared with Shibboleth, which is the other big open source single sign-on player, CAS provides an enterprise-grade, robust, straightforward and easy to deploy solution to single sign-on for Web applications on the Inteet. Go get it!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s