Channel: Web Technologies » Hints-n-Tips

CASifying the World (well, a bit of the university anyway)


This month I have come across the world of Central Authenticated servers (CAS).

It does seem to be a bit of ‘déjà vu’ because I did a bit of work on using Ford’s Single Sign-On when I worked at Jaguar-Land Rover back in 2005. And I have suddenly noticed how many times I log in to different applications during the day! Yes, and it’s ‘TOO MANY TIMES’.

Anyway, what is CAS?

It’s open source single sign-on for the web; that is, open source software that implements single sign-on.

Before I discuss Single Sign-On, what’s the alternative? i.e. what do we do at present?

That would be ‘Multi-Sign-On’:

This is where we authenticate to each application using its own login with its own credentials: separate usernames and passwords.

This scenario is improved by having a central store of usernames and passwords. This is what’s done at UoN, which uses LDAP as a central store. (There is more than one LDAP at UoN, but that’s a different story.)

Of course, this does give the user the convenience of using the same central authentication store each time, but each application still touches the user’s password.

This presents the situation where only one application has to be compromised to yield passwords that could be used to access all other applications.

CAS is used to delegate the authentication for each application to a single sign-on service, so that only the CAS server needs the username / password.

End user applications no longer touch the password, so the security is more robust.

So CAS acts as a single sign-on broker between the applications and the existing LDAP server; in our case we are using International LDAP (ildap).

The first CAS installation only provides a sign-on ticket but no other LDAP data that could be used for fine-tuning the application’s access control. In the GEMS case, it needs to know if the user is a staff member, so we have to call on ildap again to interrogate the employeeType attribute.
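The two-step flow described above, as an added example that is not the GEMS code: the application parses a CAS 2.0 ticket-validation response to learn who the user is (it never sees a password), then makes a separate directory lookup for employeeType. The usernames, the "staff" value, the function names and the dictionary standing in for ildap are all assumptions.

```python
import xml.etree.ElementTree as ET

CAS_URI = "http://www.yale.edu/tp/cas"  # XML namespace of CAS 2.0 responses
CAS_NS = {"cas": CAS_URI}

# Constructed samples shaped like CAS 2.0 validation responses.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>abc123</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

# Constructed stand-in for the ildap query; a real application would run an
# LDAP search here. Usernames and attribute values are assumptions.
FAKE_DIRECTORY = {"abc123": {"employeeType": "staff"},
                  "xyz789": {"employeeType": "student"}}


def validated_user(response_xml):
    """Return the username asserted by CAS, or None if validation failed."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return None  # malformed response: fail closed
    if root.tag != "{%s}serviceResponse" % CAS_URI:
        return None  # not a CAS response at all
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None or not (user.text or "").strip():
        return None  # authenticationFailure, or no user element
    return user.text.strip()


def is_staff(username, directory=FAKE_DIRECTORY):
    """Second step: the ticket carries no attributes, so ask the directory."""
    entry = directory.get(username)
    return entry is not None and entry.get("employeeType") == "staff"


def authorize(response_xml, directory=FAKE_DIRECTORY):
    """Authentication comes from CAS, authorization from the directory."""
    user = validated_user(response_xml)
    if user is None:
        return "denied: ticket not validated"
    if not is_staff(user, directory):
        return "denied: %s is not staff" % user
    return "granted: %s" % user
```

In a deployment the response would come from the CAS server's validation endpoint over HTTPS, and the directory lookup would use a service account rather than the user's credentials.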

Anyway, progress hasn’t been all plain sailing and the first CASified application is not ready for launch, but I’m sure we can all look forward to CAS taking over the University authentication in the not too distant future.

