CAS – Central Authentication Service

CAS Architecture

/login flow:

CAS Login Flow

CAS can be accessed through different URIs. The main URI is /login. When the user types "" in the browser's address bar, CAS checks whether the Ticket-granting cookie already exists. If it exists, CAS checks the cookie's expiry date/time, and if it has not expired, a service ticket is generated. If the Ticket-granting cookie does not exist or has expired, CAS prompts the user for credentials by redirecting him to the login page containing the login form.

The user enters credentials and clicks submit. CAS reads the list of AuthenticationHandlers from the deployerConfigContext.xml file and checks whether any of them supports the submitted credentials. It passes the credentials to the supporting AuthenticationHandler, which validates them. If the user is unauthenticated or invalid, he is redirected back to the login page with the login form (the credentials requestor). If the user is valid, a Ticket-granting Ticket is generated and added to the cookie.

CAS generates a service ticket and adds it to the ticket registry. CAS checks whether a service parameter is passed with the /login URL, with "service" as the parameter name and the service URL as the parameter value.


CAS calls the service identifier with ticket as the parameter name and the service ticket as its value. It is the client's responsibility to call the /serviceValidate URI of CAS to validate the service and the service ticket; /serviceValidate is generally called by the filter class of the client code. /serviceValidate is called with the mandatory parameters service (with the service identifier as value) and serviceticket (with the service ticket as value), and the optional parameter pgtUrl (with the proxy-granting callback URL as value).

Ex: /serviceValidate?service=

CAS Login Flow

CAS checks whether the service ticket is null. If it is not null, CAS checks whether the optional parameter pgtUrl is present. If pgtUrl is present, a Proxy-granting Ticket (PGT) is generated; a Proxy-granting Ticket is no different from a Ticket-granting Ticket except that it is used in the proxy flow as a unique identifier. CAS then checks whether the service ticket obtained from the request parameter exists in the service registry. If it exists, CAS checks whether the service is a registered service. Registered services are those registered through the /services/manage.html URI; they are saved in the REGISTEREDSERVICESIMPL table. If the service is registered, the service ticket is checked for expiry. If it has expired, it is deleted from the service registry and an error message is sent to the client. If any of the above conditions is not met, an error message is sent to the client, and it is up to the client how to handle the error.

If the service ticket has not expired, CAS checks whether a PGT was generated and the pgtUrl parameter is present. If so, a PGTIOU is generated and CAS redirects to the callback URL, which is simply the value of the service parameter with ticket as parameter name and the PGT as value, and PGTIOU as parameter name and the generated PGTIOU as value. CAS also adds the PGTIOU to the response string and calls the callback URL, pgtUrl. The client has to verify that the PGTIOU obtained from the response string equals the PGTIOU obtained from the request parameter PGTIOU (refer to the picture below). If the pgtUrl parameter is not present, CAS calls the callback URL given as the value of the request parameter "service".

Ex: https://server/test.jsp?ticket=PGT-123423423-yTresprnts8Tau1cYQ7&PGTIOU=PGTIOU-35356436-hfadYrjagsjhghjgwdfTF9
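The client-side half of the exchange described above (building the /serviceValidate call, recording the pgtUrl callback, and only trusting a PGT whose IOU matches the one in the validation response), as an added Python example that is not CAS project code. The CAS 2.0 XML response shape and the cas namespace come from the CAS protocol; the sample response, hostnames and the in-memory IOU store are constructed for illustration, and the callback parameter names follow this page.

```python
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample of a CAS 2.0 /serviceValidate success response.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-35356436-hfadYrjagsjhghjgwdfTF9</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

def build_service_validate_url(cas_base, service, ticket, pgt_url=None):
    """Build the /serviceValidate request the client's filter sends to CAS."""
    params = {"service": service, "ticket": ticket}
    if pgt_url:
        params["pgtUrl"] = pgt_url  # asks CAS to issue a PGT and call back pgt_url
    return cas_base.rstrip("/") + "/serviceValidate?" + urlencode(params)

def parse_service_validate(xml_text):
    """Return (user, pgtiou) from a success response; raise ValueError on failure."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError("CAS rejected ticket: %s" % failure.get("code"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed CAS response")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    pgtiou = success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)
    return user, pgtiou

def record_pgt_callback(store, query):
    """Handle CAS's call to pgtUrl: remember the PGT under its IOU.
    Parameter names follow this page (ticket / PGTIOU); the CAS spec uses pgtId / pgtIou."""
    pgt, iou = query.get("ticket"), query.get("PGTIOU")
    if not (pgt and iou and pgt.startswith("PGT-") and iou.startswith("PGTIOU-")):
        return False
    store[iou] = pgt
    return True

def resolve_pgt(store, pgtiou):
    """Hand out the PGT only when the IOU from the validation response matches a
    callback CAS actually made; the IOU is single-use."""
    return store.pop(pgtiou, None)
```

The PGT itself never appears in the browser-facing validation response; only the IOU does, and the client learns the PGT solely through the server-to-server pgtUrl callback, which is why the two must be matched before the PGT is used in the /proxy flow.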

/proxy flow:

CAS Proxy Flow

After the PGTIOU is validated by the client, the client has to call the /proxy URL with pgt and targetService as parameters so that the service can act as a proxy to the targeted service. The pgt parameter carries the PGT id as value and targetService carries the target service identifier as value. CAS checks whether the PGT id and target service are available and, if so, generates a proxy ticket.

/logout flow:

CAS Logout Flow

When the user wants to log out from a service, he has to call the /logout URI. CAS destroys the ticket-granting cookie and checks whether the /logout URI contains the parameter url. If the "url" parameter is present, a successful-logout message is displayed with a link to the value of the url request parameter; otherwise only the successful-logout message is displayed.

