CAS single sign-on (SSO)

Principles and Protocols

Basic mode

The most basic CAS protocol flow, the basic-mode SSO access process, consists of the following steps:

1. Access service: the browser (the SSO client) requests a protected resource from an application system (the CAS client).
2. Directed authentication: finding no local session for the user, the CAS client redirects the browser to the CAS server's login page, passing its own URL as the service parameter.
3. User authentication: the CAS server prompts the user for credentials and authenticates them. This happens only once per browser session; later redirects from other applications are satisfied from the CAS server's own cookie.
4. Issue a ticket: the CAS server generates a random, single-use Service Ticket (ST) bound to that service and redirects the browser back to the service with the ST attached.
5. Verify the ticket: the CAS client sends the ST back to the CAS server, which checks that the ticket exists, has not been used, has not expired and was issued for this service; only after that check passes is the user allowed to access the service.
6. Transmission of user information: after successful validation the CAS server returns the authentication result (the authenticated username) to the CAS client, which then creates its own local session for the user.

Auxiliary Description

The SSO implementation of CAS can be summarised as "1 cookie and N sessions": the CAS server sets one cookie (the TGC), which is used whenever any application authenticates against it, and each application records whether the user is logged in by creating its own session.

Once the user has authenticated for one application, later requests to that application from the same browser are handled by the filter in the client application, which reads the user information from the local session and does not contact the CAS server at all. If, in the same browser, the user then visits another web application whose filter finds no user information in its session, the filter redirects the browser to the CAS server's login endpoint. The CAS server reads the TGC cookie the browser sends along, so instead of showing the login page it generates a ticket for the service named in the service parameter and redirects the browser back; the web application then validates that ticket with the CAS server.
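The flow described in the steps above and in this auxiliary description, as an added example (this is not code from the original article and not from any CAS implementation): a small Python model of a CAS server and two CAS-protected applications. The ticket formats, the 10-second ST lifetime, the URLs and the user account are assumptions made for the demonstration. It shows the single login producing one TGC, each application obtaining its own ST and keeping its own local session, and the checks a validating server performs on an ST: it must be unused, unexpired and issued for the requesting service.

```python
"""Toy model of the CAS basic-mode flow: one TGC cookie at the CAS server,
one Service Ticket (ST) per service access, one local session per application.
Added example; ticket formats, TTL, URLs and the user account are assumptions."""
import secrets
import time
from dataclasses import dataclass, field

ST_TTL_SECONDS = 10  # STs are short-lived; the exact value is an assumption here


@dataclass
class ServiceTicket:
    service: str        # service URL the ticket was issued for
    user: str
    issued_at: float
    used: bool = False  # an ST may be validated exactly once


@dataclass
class CasServer:
    users: dict                                # username -> password (constructed)
    tgts: dict = field(default_factory=dict)   # TGC cookie value -> username
    sts: dict = field(default_factory=dict)    # ST id -> ServiceTicket
    clock: object = time.time                  # injectable so expiry can be demonstrated

    def login(self, username, password):
        """Step 3: check credentials and issue the TGC (the CAS server's own session cookie)."""
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        tgc = "TGC-" + secrets.token_urlsafe(32)
        self.tgts[tgc] = username
        return tgc

    def request_service(self, service, tgc=None):
        """Steps 2 and 4: browser arrives at /login?service=...  With a valid TGC an ST
        bound to that service is issued without prompting; None means 'show login page'."""
        user = self.tgts.get(tgc)
        if user is None:
            return None
        st = "ST-" + secrets.token_urlsafe(32)
        self.sts[st] = ServiceTicket(service, user, self.clock())
        return st

    def validate(self, st, service):
        """Step 5: the application (not the browser) presents the ST back to the server.
        Unknown, replayed, wrong-service and expired tickets are all rejected."""
        t = self.sts.get(st)
        if t is None or t.used or t.service != service:
            return None
        if self.clock() - t.issued_at > ST_TTL_SECONDS:
            return None
        t.used = True   # burn the ticket so a captured ST cannot be replayed
        return t.user   # step 6: the authenticated principal


class CasClientApp:
    """One protected application with its own session store (one of the 'N sessions')."""

    def __init__(self, service_url, cas):
        self.service_url = service_url
        self.cas = cas
        self.sessions = {}  # application session cookie -> username

    def access(self, cookies):
        """Returns (user, contacted_cas); `cookies` is the browser's cookie jar."""
        sid = cookies.get(self.service_url)
        if sid in self.sessions:            # filter finds a local session: no CAS round trip
            return self.sessions[sid], False
        st = self.cas.request_service(self.service_url, cookies.get("TGC"))
        if st is None:
            return None, True               # no TGC either: the login page would be shown
        user = self.cas.validate(st, self.service_url)
        if user is None:
            raise PermissionError("ticket rejected")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        cookies[self.service_url] = sid     # the application's own session cookie
        return user, True


def demo():
    cas = CasServer(users={"alice": "correct horse"})     # constructed sample account
    app1 = CasClientApp("https://app1.example/", cas)
    app2 = CasClientApp("https://app2.example/", cas)
    browser, out = {}, {}                                  # one browser's cookie jar
    out["anon"] = app1.access(browser)                     # no TGC: login page
    browser["TGC"] = cas.login("alice", "correct horse")   # the one and only login
    out["app1_first"] = app1.access(browser)               # ST issued and validated
    out["app1_again"] = app1.access(browser)               # local session, CAS not contacted
    out["app2"] = app2.access(browser)                     # second app: new ST, no new login
    st = cas.request_service("https://app1.example/", browser["TGC"])
    out["wrong_service"] = cas.validate(st, "https://evil.example/")
    out["first_use"] = cas.validate(st, "https://app1.example/")
    out["replay"] = cas.validate(st, "https://app1.example/")
    now = [1000.0]                                         # fake clock for the expiry case
    slow = CasServer(users={"alice": "pw"}, clock=lambda: now[0])
    st2 = slow.request_service("https://app1.example/", slow.login("alice", "pw"))
    now[0] += ST_TTL_SECONDS + 1
    out["expired"] = slow.validate(st2, "https://app1.example/")
    return out
```

Calling `demo()` walks through the whole sequence: the anonymous request gets the login page, the first request after login costs one ST round trip, the second request to the same application is answered from the local session, and the second application is served without a new login. The last four entries show why an ST leaking into a log or referrer header is far less valuable than the TGC: it works once, for one service, for a few seconds.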

Terminology Explanation

Five kinds of ticket are defined in the CAS system: TGC, ST, PGT, PGTIOU and PT.

- Ticket-granting cookie (TGC): the cookie that holds the user's authentication credential for the CAS server. It is exchanged only between the browser and the CAS server and must only travel over a secure channel (HTTPS); it is the credential the CAS server uses to recognise an already-authenticated user.
- Service ticket (ST): the ticket that identifies one access to one service. It is issued by the CAS server and carried to the business server by the client browser (as a parameter on the redirect back to the service); an ST is bound to a single, specific service and is valid for that service only.
- Proxy-granting ticket (PGT): issued by the CAS server to a service that has just validated an ST. The PGT binds a specific user to a specific service and gives that service the ability to request PTs from the CAS server.
- Proxy-granting ticket I owe you (PGTIOU): returned from the CAS server to the CAS client in the response to a successful ticket validation. At the same time the PGT corresponding to the PGTIOU is delivered to the web application through a callback link; the web application is responsible for maintaining the table that maps each PGTIOU to its PGT.
- Proxy ticket (PT): the ticket an application uses to access a target back-end service on behalf of (as a proxy for) the user.
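How an application consumes the validation response and the PGTIOU/PGT callback described above, as an added example (not code from the article or from any CAS library): the XML element names, the `cas` namespace URI and the `pgtIou`/`pgtId` callback parameters follow the CAS 2.0 protocol specification; the ticket values, the URLs and the `PgtStore` class are constructed for the demonstration.

```python
"""Parse a CAS 2.0 /serviceValidate response and resolve the PGTIOU it carries to
the PGT that the CAS server delivered earlier on the application's pgtUrl callback.
Added example; ticket values and URLs are constructed, element names follow the spec."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used by CAS 2.0/3.0 responses

# Constructed: response to a successful validation where the client passed a pgtUrl.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-0000-constructed</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed: response to a replayed or unknown ST.
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-0000-constructed not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# Constructed: the HTTPS callback the CAS server made to the application's pgtUrl
# BEFORE answering the validation request; this is how the PGT itself arrives.
PGT_CALLBACK_URL = ("https://app1.example/pgtCallback"
                    "?pgtIou=PGTIOU-0000-constructed&pgtId=PGT-0000-constructed")


class PgtStore:
    """The PGTIOU -> PGT mapping table the web application has to maintain."""

    def __init__(self):
        self._by_iou = {}

    def handle_callback(self, url):
        """Record the pgtIou/pgtId pair from the callback; returns the IOU stored, or None."""
        if urlparse(url).scheme != "https":   # the pgtUrl must be an HTTPS endpoint
            raise ValueError("PGT callback must arrive over HTTPS")
        q = parse_qs(urlparse(url).query)
        iou, pgt = q.get("pgtIou", [None])[0], q.get("pgtId", [None])[0]
        if not (iou and pgt):
            return None
        self._by_iou[iou] = pgt
        return iou

    def redeem(self, iou):
        """Exchange the IOU from the validation response for the PGT; one-shot."""
        return self._by_iou.pop(iou, None)


def parse_service_validate(xml_text):
    """Return a dict describing a /serviceValidate response (success or failure)."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        return {"success": True,
                "user": ok.findtext("cas:user", namespaces=CAS_NS),
                "pgtiou": ok.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)}
    fail = root.find("cas:authenticationFailure", CAS_NS)
    return {"success": False,
            "code": fail.get("code") if fail is not None else "UNKNOWN",
            "message": (fail.text or "").strip() if fail is not None else ""}


def demo():
    store = PgtStore()
    store.handle_callback(PGT_CALLBACK_URL)            # callback is processed first
    result = parse_service_validate(SUCCESS_RESPONSE)  # then the validation response arrives
    pgt = store.redeem(result["pgtiou"]) if result["success"] else None
    failure = parse_service_validate(FAILURE_RESPONSE)
    return result, pgt, failure
```

The ordering in `demo()` is the ordering on the wire: the CAS server calls pgtUrl and only then answers the validation request, so the PGTIOU in the response is a receipt for a PGT the application should already hold. The PGT, unlike the PGTIOU, is a long-lived credential that lets the application mint proxy tickets for the user, which is why it is handed over on a separate HTTPS callback rather than in the validation response.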
The following terms come from Kerberos, from which the CAS ticket vocabulary is borrowed:

- Ticket-granting ticket (TGT): a ticket-granting ticket issued by the KDC's Authentication Service. Once a client holds a TGT it no longer has to present its credentials to the KDC when requesting other service tickets (STs). In CAS, the TGT is the server-side record that the TGC cookie refers to.
- Authentication service (AS): the authentication service; accepts credentials and issues the TGT.
- Ticket-granting service (TGS): the ticket-granting service; accepts a TGT and issues STs.
- KDC (Key Distribution Center): the key distribution center, which hosts the AS and the TGS.
