What's New in 3.5.2?

In January 2014 SFU moved to CAS 3.5.2 from CAS 3.3.2.  This also represented a significant shift in CAS deployment and aligns SFU's implementation of CAS with the open source community.  CAS 3.3.2 will continue to run in parallel for the foreseeable future, but application administrators are encouraged to migrate to the new CAS by completing the CAS Services Application Form.

The primary changes application administrators will see are as follows:

1. Applications must be registered

In previous versions of CAS at SFU, any application could use CAS without notifying central IT.  To help keep track of CAS use, administrators will now be required to fill out the CAS Services Application Form before usernames will be released to their application.  Administrators can use CAS without registering, but will only have opaque identifiers returned, not actual usernames.  This may be sufficient for applications that only need to know that a person has an SFU account, not who they are in particular or what role they have in the University.

2. Single Sign Out

CAS now offers a Single Sign Out option, which, when activated, will notify an application that a user has logged out of CAS.  The application can then terminate any remaining local sessions as well.  See the Jasig documentation for more details.
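The two messages an application handles in this flow, as an added example that is not SFU's or Jasig's code: it records which local session was created from which service ticket when a CAS 2.0 /serviceValidate response is parsed, and ends that session when the Single Sign Out notification (a samlp:LogoutRequest carrying the ticket as SessionIndex, which CAS POSTs to the service as the logoutRequest form field) arrives. The XML samples are constructed, not captured from SFU's server.

```python
# Added example, not SFU's or Jasig's code. Assumes the CAS 2.0 XML formats
# for /serviceValidate and the Single Sign Out LogoutRequest message.
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Local session store: service ticket -> user. A real application keys its
# session backend the same way so the SLO message can find the session.
SESSIONS = {}

def parse_validation_response(xml_text):
    """Return the user from a /serviceValidate response, or None on failure.

    An unregistered SFU service gets an opaque identifier in <cas:user>
    instead of a real username; the parsing is identical either way.
    """
    root = ET.fromstring(xml_text)
    user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    return user.text.strip() if user is not None and user.text else None

def create_session(ticket, xml_text):
    """Create a local session for a validated ticket; return the user or None."""
    user = parse_validation_response(xml_text)
    if user is not None:
        SESSIONS[ticket] = user
    return user

def handle_single_sign_out(logout_request_xml):
    """Process the CAS Single Sign Out POST body. Returns the user whose
    local session was terminated, or None if no matching session exists."""
    root = ET.fromstring(logout_request_xml)
    idx = root.find(f"{{{SAMLP_NS}}}SessionIndex")
    if idx is None or not idx.text:
        return None
    return SESSIONS.pop(idx.text.strip(), None)

# Constructed sample messages (not captured from SFU's server).
SAMPLE_VALIDATION = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_LOGOUT = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="LR-constructed-1" Version="2.0" IssueInstant="2014-01-15T12:00:00Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-abc123-cas</samlp:SessionIndex>
</samlp:LogoutRequest>"""
```

A validation failure (`<cas:authenticationFailure>`) yields no user and no session, and a LogoutRequest for an unknown ticket is ignored rather than treated as an error.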

3. Application Logout View

CAS now offers the ability to log out of a specific application and not all of CAS.  By redirecting a user to /appLogout instead of /logout a user will remain logged into CAS and will maintain access to other CAS protected applications. The appLogout page will offer the user the chance to log out of CAS completely.

4. Login Throttling

Login attempts are now throttled to prevent brute-force attacks via CAS.  This should have little to no impact on regular users, but will hinder the efforts of malicious attackers to use CAS as a method of guessing user passwords.


About CAS

CAS, or Central Authentication Service, is both an authentication mechanism and an enterprise single sign on server for web applications. Applications that utilize CAS all participate in the same single sign on session, meaning that once a user successfully authenticates with CAS, he or she won't be prompted again for the duration of the session. In addition, CAS allows a web application to see who authenticated, but protects the user's password from individual applications, allowing for a much more secure computing environment.

The Central Authentication Service was originally developed by Yale University. It has since become a Jasig project.

SFU has added a number of extensions to CAS (mostly authorization features such as integration with the SFU mail list system), but SFU has maintained compatibility with Jasig CAS, so applications that support Jasig CAS should work without modification.

CAS authentication is used in one of two ways:

  1. Add a small amount of custom code to the application to handle the required authentication.
  2. Use the mod_auth_cas runtime module for the Apache HTTP Server which allows application administrators to protect either static web content or dynamic web applications on the entire server (or a configurable subset of the server's content), or via .htaccess files.

Although CAS provides some simple authorization services, CAS is primarily an authentication tool for verifying the validity of SFU Computing Accounts. It does provide some features to help with access control, but it is up to the application to determine who is authorized (allow / disallow) to access the system.

All applications that use SFU CAS must be registered as a service.  Fill out the CAS Service Application form to get started.