CAS
# What is CAS
CAS is a protocol based on HTTP/2 and HTTP/3 that requires each of its components to be accessible through a specific URI.
By using the CAS protocol to integrate IDaaS as an identity service provider, third-party applications can read the user account data from IDaaS.
We support three protocol versions: CAS 1.0, CAS 2.0, and CAS 3.0.
# Introduction to the CAS Protocol
In the CAS protocol, two entities are involved.
- CAS Server: The CAS service, the identity authentication provider, such as Zhuyun IDaaS authentication service.
- CAS Client: The CAS client, the resource provider, such as a third-party application.
These two entities exchange information through the user's browser. For example, the CAS Client can return a redirect with parameters, which forwards the information to the CAS Server. After successful login verification, the CAS Server returns an XML document containing user information to the CAS Client. The CAS Client verifies the user information and then grants the user access to the resource.
# Understanding the CAS Flow

- The user attempts to log in to the application provided by the CAS Client.
- The CAS Client analyzes the HTTP request to see if it contains a Service Ticket (ST). If not, it indicates that the current user is not authenticated, so it redirects to the CAS Server and passes the Service (i.e., the target resource address to be accessed).
- The user enters authentication credentials. If the login is successful, the CAS Server randomly generates a sufficiently long, unique, and unforgeable Service Ticket (ST), then redirects back to the CAS Client with the generated ST attached.
- After obtaining the Service and the newly generated ST, the CAS Client interacts with the CAS Server in the background for verification.
- The CAS Server verifies the identity based on the request parameters Service and ST to ensure the legitimacy of the ST, and returns XML in a specified format (containing user information) to the CAS Client.
- The CAS Client and CAS Server complete the identity verification of the user, and the CAS Client grants the user access to the resource.
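
The CAS Client's side of the flow above, as an added example that is not IDaaS or application code. It assumes CAS 2.0, the `/login` and `/serviceValidate` paths from the CAS protocol specification, and placeholder URLs; the XML responses are constructed samples.

```python
import urllib.parse
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used by CAS 2.0/3.0 XML
CAS_BASE = "https://idaas.example.com/cas"      # placeholder CAS Server base URL
SERVICE = "https://app.example.com/home"        # placeholder target resource

# Constructed sample responses (not captured from a real server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes><cas:email>alice@example.com</cas:email></cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ST not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def login_redirect(service=SERVICE):
    """No ST in the request: send the browser to the CAS Server with the Service."""
    return f"{CAS_BASE}/login?" + urllib.parse.urlencode({"service": service})


def validation_url(ticket, service=SERVICE):
    """Back-channel check: Service must be the same value sent at login."""
    query = urllib.parse.urlencode({"service": service, "ticket": ticket})
    return f"{CAS_BASE}/serviceValidate?{query}"


def parse_validation(xml_text):
    """Return (user, attributes); raise ValueError if authentication is not confirmed."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD in CAS response rejected")
    root = ET.fromstring(xml_text)  # malformed XML raises ParseError, also fail-closed
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        raise ValueError("not a CAS serviceResponse")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    user = success.findtext("cas:user", "", CAS_NS).strip() if success is not None else ""
    if not user:
        raise ValueError("no authenticated user in response")
    attrs = {el.tag.split("}", 1)[-1]: (el.text or "").strip()
             for el in success.findall("cas:attributes/*", CAS_NS)}
    return user, attrs
```

The client grants access only when `parse_validation` returns a user; every other outcome, including an unexpected root element or an empty `cas:user`, is treated as unauthenticated.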
