CAS - Central Authentication Server

CAS to be upgraded to 5.3.5 on November 28, 2018

This page refers to the new CAS 5.3.5, which will be installed on November 28, 2018. Documentation on the old version can be found here.

The documentation for this new version is still being updated, but may be useful if you are testing the new version of CAS.


The Central Authentication Service (CAS) is a single sign-on solution for the web. It allows users to access multiple web applications while providing their credentials (userid and password) only once. It also serves to allow web applications to authenticate users without getting access to a user's password.


CAS was developed at Yale University between 2000 and 2002. SFU adopted CAS for web single sign-on around 2003. In 2004 CAS was placed in the public domain under the oversight of Jasig (later Apereo).

Before SFU adopted CAS, we were already using our mail list groups for web access control, so we added features to our implementation of CAS to provide limited authorization, including mail list group access control. Over time, we added new features including:

  • authorization features based on group membership and roles
  • limited attribute release
  • ability to kill CAS sessions belonging to compromised accounts
  • surrogate authentication

As new versions of CAS were released by Apereo, along with new features, some of SFU's local changes were implemented in the distributed CAS, usually in a more comprehensive way. Some of the major upgrades we installed were:

  • CAS 3.5.2 - January 2014
    - Attribute release now built-in
  • CAS 5.3.5 - November 2018
    - Authorization now built-in
    - Surrogate authentication now built-in

In addition to making local modifications to CAS itself, SFU also modified a version of mod_auth_cas (an authentication module used by the Apache web server) to support the authorization and attribute release features added by SFU to CAS.

Using CAS

CAS authentication is used in one of two ways:

  1. Add a small amount of custom code to the application so that it handles the required authentication directly with the CAS service. More details on using CAS in this way, and information on using CAS at SFU, can be found here.
  2. Use the mod_auth_cas module for the Apache HTTP Server, which lets application administrators protect static web content or dynamic web applications across the entire server, on a configurable subset of the server's content, or through .htaccess files. More details on using mod_auth_cas, and specifics on using mod_auth_cas at SFU, can be found here.
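
As an added illustration of option 1 (this is not SFU's or Apereo's code), the Python below shows the server-side half of a CAS login: building the standard serviceValidate request for a one-time service ticket and accepting the user only on an explicit success response. The host cas.example.edu, the user jdoe, the memberOf attribute and both sample responses are constructed placeholders; the attribute layout follows the CAS protocol's cas:attributes block and is an assumption about what a given server releases.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_BASE = "https://cas.example.edu/cas"   # placeholder, not SFU's real endpoint
NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used by CAS XML responses

class CasValidationError(Exception):
    """Raised whenever the response does not prove a successful login."""

def validation_url(service_url, ticket, cas_base=CAS_BASE):
    # service must equal the URL sent to /login; urlencode escapes both values.
    return cas_base + "/serviceValidate?" + urlencode(
        {"service": service_url, "ticket": ticket})

def parse_validation_response(xml_text):
    # A CAS response never needs a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise CasValidationError("unexpected DTD in CAS response")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CasValidationError("malformed CAS response") from exc
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        detail = (failure.text or "").strip()
        raise CasValidationError(f"{failure.get('code', 'UNKNOWN')}: {detail}")
    success = root.find("cas:authenticationSuccess", NS)
    user = success.find("cas:user", NS) if success is not None else None
    if user is None or not (user.text or "").strip():
        # Fail closed: anything that is not an explicit success is a denial.
        raise CasValidationError("no authenticated user in CAS response")
    attrs = {}
    block = success.find("cas:attributes", NS)
    for child in (block if block is not None else []):
        name = child.tag.split("}", 1)[-1]        # strip the XML namespace
        attrs.setdefault(name, []).append((child.text or "").strip())
    return user.text.strip(), attrs

# Constructed sample responses (not captured from a real server).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
 <cas:authenticationSuccess><cas:user>jdoe</cas:user>
  <cas:attributes><cas:memberOf>staff</cas:memberOf></cas:attributes>
 </cas:authenticationSuccess></cas:serviceResponse>"""
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
 <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized
 </cas:authenticationFailure></cas:serviceResponse>"""

if __name__ == "__main__":
    print(parse_validation_response(SAMPLE_SUCCESS))
```

The application fetches the validation URL itself, over HTTPS with certificate verification, and passes the response body to parse_validation_response; the ticket arriving in the browser's query string is never trusted on its own.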

Registering Your Application

To help keep track of CAS use, administrators are required to fill out the CAS Services Application Form before usernames will be released to their application. Administrators can use CAS without registering, but only opaque identifiers will be returned, not actual usernames. This may be sufficient for applications that only need to know that a person has an SFU account, not who they are in particular or what role they have in the University.