Central Authentication Server (CAS)

Introduction

Central Authentication Server (CAS) supports CAS protocol which is a very simple authenticatoin protocol and requires only a very lightweight client library in the application side. In comparing with SAML, it has less security features but is adequate as a secure SSO platform for most web applications. ITSO recommends CAS for SSO integration with your application. The process of integrating CAS into your application is in brief:
 
  1. Register your application
  2. Configure a suitable CAS client
  3. Test and troubleshoot

Service Registration and Eligibility

Any application, either on-premises or cloud-based, for HKUST community are eligible to use CAS, please click below to fill in the form for registering an application (sample screen of application form, it is up to your application whether any attributes are required):

CAS Registration (limited to CSC only)

CAS Client Configuration

These are popular CAS client software libraries that are known to work with the CAS server and ITSO have supported them before:
 
There are CAS clients for other platforms (Python, Perl, Ruby, etc.) that are also likely to work with the CAS. In most cases it should suffice to plug in the login and ticket validation URLs into the configuration framework provided by the CAS client library. The below are all the endpoint URLs of CAS protocol.
 
  1. CAS login URL - https://cas.ust.hk/cas/login
  2. CAS v2 ticket validation URL - https://cas.ust.hk/cas/serviceValidate
  3. CAS v3 ticket validation URL - https://cas.ust.hk/cas/p3/serviceValidate
  4. SAML 1.1 ticket validation URL - https://cas.ust.hk/cas/samlValidate
  5. CAS logout URL - https://cas.ust.hk/cas/logout
  6. CAS proxy ticket request URL - https://cas.ust.hk/cas/proxy
  7. CAS proxy ticket validation URL - https://cas.ust.hk/cas/proxyValidate
  8. CAS v3 proxy ticket validation URL - https://cas.ust.hk/cas/p3/proxyValidate
CAS clients need to connect to CAS server via SSL for ticket validation. In most cases, if CAS clients can use operating system managed CA certificates store, no configuration is required. Otherwise, you have to configure the CA certificate trust store in the CAS client.  The CA certificate of CAS server certificate can be downloaded here.
 
There are examples in configuring these CAS client libraries. If using for development and testing tier, replace the host names with castest.ust.hk accordingly.

Attribute Release

Upon successful authentication of an user, you can choose to retrieve attributes of the user.  CAS server can release these attributes for CAS applications.

CAS Proxy Requirements

A request for a CAS proxy-granting ticket represents a request to perform delegated authentication, which is a substantial increase in privileges beyond the standard service ticket. Where a service ticket represents access to one service, a proxy-granting ticket represents the ability to grant access to many services. Proxying service must be requested separately and meet certain security control requirements.