CAS (Central Authentication Service) is a service that provides central authentication. Users who belong to many different applications can all be authenticated by one CAS server: we deploy CAS on an application server and every one of our applications uses that server for authentication. CAS is a well-established solution for Single Sign-On and Single Sign-Out.
If we have multiple web applications, we need not implement authentication in each of them; instead CAS authenticates the users, whichever application they belong to.
To do so we configure one or more data sources in CAS, so that CAS can authenticate users against them.
CAS supports different kinds of data sources, such as a JDBC data source that connects to a relational database and an LDAP data source that connects to an LDAP server. Apart from JDBC and LDAP, CAS supports many more.
CAS is a service, and we need a client to consume it. CAS provides client libraries for many platforms and languages, so applications on different platforms can use the same CAS server.
How does CAS work?
CAS is a ticket-based service: it works by issuing tickets and validating them.
When a user sends his or her credentials to CAS, CAS looks the user up in the configured data source and, after successful authentication, issues a TGT (Ticket Granting Ticket). The TGT is kept on the CAS server and is referenced from the browser by a cookie (CASTGC) set on the CAS server's own domain.
Once the user has a TGT, the browser presents it (through that cookie) together with a service URL to CAS. CAS then issues a Service Ticket (ST) for that service and redirects the browser to the service URL with the ticket appended as the "ticket" query parameter. Note that it is the TGT, not the service ticket, that is stored in a cookie; the service ticket travels in the redirect URL.
When the browser arrives at the service URL (the client application), the client extracts the service ticket and sends it, together with its own service URL, to CAS for validation.
If validation succeeds, CAS returns the user principal (the username, optionally with attributes such as an email address; the password is never returned), and the client application creates a session for that user. If validation fails, CAS returns an error code such as INVALID_TICKET and no session is created.
In the application we use a CAS client library to obtain service tickets and to validate them on behalf of the client application URL, i.e. the service URL.
The service URL is simply the URL of the current client application for which we are using the CAS service.
In general we call the CAS login URL with the username, the password and the service URL, and after authentication CAS grants the service ticket for that service. Service tickets are single-use, bound to the service URL they were issued for, and expire after a short time, so a ticket that is replayed later or presented by a different service does not validate.
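The ticket flow above, as an added worked example (not from the original post, and not CAS's own code): an in-memory model of a CAS server that issues TGTs and service tickets and answers /serviceValidate with CAS 2.0 XML, plus the client-side validation a CAS client library performs. The user store, ticket formats, the 10-second ticket lifetime and the URLs are constructed for illustration; the checks it enforces (single use, binding to the service URL, expiry, no password in the response) are the ones the protocol relies on.

```python
"""
Added example (not from the original post, not CAS's own code): an in-memory
model of the CAS ticket flow, with the client parsing a CAS 2.0 /serviceValidate
response. User store, ticket formats, TTL and URLs are constructed for illustration.
"""
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace of CAS 2.0 validation responses
ET.register_namespace("cas", CAS_NS)

# Constructed user store standing in for the JDBC or LDAP data source.
USERS = {"alice": {"password": "s3cret", "email": "alice@example.com"}}


class CasServer:
    """Issues TGTs (one per authenticated browser session) and service tickets
    (one per redirect to a service), and validates service tickets."""

    ST_TTL = 10  # seconds; a service ticket is meant to be validated right away

    def __init__(self):
        self.tgts = {}  # TGT id -> username
        self.sts = {}   # ST id -> (username, service URL, issue time)

    def login(self, username, password):
        """Check credentials against the data source. On success return a TGT,
        which the real server references from the CASTGC cookie on its domain."""
        user = USERS.get(username)
        if user is None or not secrets.compare_digest(user["password"], password):
            return None
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self.tgts[tgt] = username
        return tgt

    def grant_service_ticket(self, tgt, service):
        """Exchange a valid TGT for a service ticket bound to one service URL and
        return the redirect URL: the service URL with ?ticket=ST-... appended."""
        username = self.tgts.get(tgt)
        if username is None:
            return None  # no session: the real server would show the login form
        st = "ST-" + secrets.token_urlsafe(24)
        self.sts[st] = (username, service, time.time())
        separator = "&" if urlsplit(service).query else "?"
        return service + separator + urlencode({"ticket": st})

    def service_validate(self, service, ticket):
        """/serviceValidate: a ticket is single-use, bound to its service and
        short-lived. Returns the CAS 2.0 XML body; the password is never in it."""
        entry = self.sts.pop(ticket, None)  # pop: a ticket validates at most once
        if entry is None:
            return _response(failure=("INVALID_TICKET", "ticket not recognized"))
        username, bound_service, issued_at = entry
        if bound_service != service:
            return _response(failure=("INVALID_SERVICE", "ticket issued for another service"))
        if time.time() - issued_at > self.ST_TTL:
            return _response(failure=("INVALID_TICKET", "ticket expired"))
        attributes = {k: v for k, v in USERS[username].items() if k != "password"}
        return _response(user=username, attributes=attributes)


def _response(user=None, attributes=None, failure=None):
    """Build a CAS 2.0 serviceResponse document with ElementTree (no string pasting)."""
    root = ET.Element(f"{{{CAS_NS}}}serviceResponse")
    if failure is not None:
        code, message = failure
        ET.SubElement(root, f"{{{CAS_NS}}}authenticationFailure", code=code).text = message
    else:
        ok = ET.SubElement(root, f"{{{CAS_NS}}}authenticationSuccess")
        ET.SubElement(ok, f"{{{CAS_NS}}}user").text = user
        attrs = ET.SubElement(ok, f"{{{CAS_NS}}}attributes")
        for name, value in (attributes or {}).items():
            ET.SubElement(attrs, f"{{{CAS_NS}}}{name}").text = value
    return ET.tostring(root, encoding="unicode")


def client_validate(cas, service, redirected_url):
    """What the CAS client library in the application does: take the ticket off
    the redirect URL, validate it with the application's own service URL, and
    return the principal (username plus attributes) or None on failure."""
    ticket = parse_qs(urlsplit(redirected_url).query).get("ticket", [None])[0]
    if ticket is None:
        return None
    root = ET.fromstring(cas.service_validate(service, ticket))
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        return None  # authenticationFailure: do not create a session
    attrs_el = success.find(f"{{{CAS_NS}}}attributes")
    attributes = {} if attrs_el is None else {
        child.tag.split("}", 1)[1]: child.text for child in attrs_el}
    return {"user": success.findtext(f"{{{CAS_NS}}}user"), "attributes": attributes}


if __name__ == "__main__":
    cas = CasServer()
    service = "https://portal.example.com/c/portal/login"
    redirect = cas.grant_service_ticket(cas.login("alice", "s3cret"), service)
    print(redirect)
    print(client_validate(cas, service, redirect))  # principal for alice
    print(client_validate(cas, service, redirect))  # None: ticket already used
```

Two points the model makes visible: validating a ticket with a different service URL than the one it was issued for fails, which is why the service URL the client sends to /serviceValidate must be exactly its own; and a second validation of the same ticket fails, so a ticket captured from a URL or a log is useless once the legitimate client has validated it.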
How does Liferay support CAS?
Liferay has a CAS client built in, so we only need to give it the CAS server information to enable CAS authentication. These are administration settings in Liferay (in the Control Panel or in portal-ext.properties) that we configure once the CAS server is ready.
What is SSO?
SSO stands for Single Sign-On. With multiple applications the user does not provide credentials to each application separately; instead the user authenticates once with CAS, and CAS tickets are used to log in to the other applications, so the user does not have to enter credentials for each login.
To implement CAS SSO we must use the HTTPS protocol: SSO needs a secure transport, because credentials and tickets travel between the browser, the CAS server and the applications. HTTPS runs HTTP over TLS (the successor of SSL), which encrypts the data exchanged between server and client.
How does SSL work?
To enable SSL on a server we need an SSL certificate together with its private key in the server's keystore, and every client JRE that connects to that server must trust the certificate. The JRE's default truststore, cacerts, lives in the jre\lib\security directory. A certificate contains the public key, the identity (host name) it was issued for and the issuer's signature; the private key is kept separately in the keystore and is never distributed. The key pair uses an algorithm such as RSA, and the signature uses a hash such as SHA-256 (SHA is a hash function, not an encryption algorithm).
In a real environment we purchase SSL certificates from a vendor (a certificate authority) whose root certificate is already trusted by the JRE.
For our development environment we create self-signed SSL certificates using the Java keytool or other tools such as OpenSSL.
How does HTTPS work?
When we use HTTPS, the server proves its identity to the client with its certificate and private key during the handshake, the two sides agree on a session key, and all data transferred between server and client is encrypted with that key.
When the CAS server and the client application reside on two different machines or two different servers with different JREs, the client application's JRE must trust the CAS server's certificate. With a self-signed certificate this means exporting the certificate (the public part only) from the CAS server's keystore and importing it into the client JRE's truststore. Otherwise we get an SSL handshake problem: the PKIX exception ("PKIX path building failed ... unable to find valid certification path to requested target").
The private key stays only on the server that owns the certificate; the other server needs just the public certificate in its truststore, so that it can verify the CAS server's identity during the handshake. That is why we share the certificate, and not the key pair, between the two server environments.
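The trust relationship behind the PKIX exception, as an added example (not from the original post and not CAS or Liferay code): a throw-away TLS server stands in for the CAS server's HTTPS port, and a client that verifies certificates stands in for the Liferay JRE. It assumes the third-party cryptography package, used only to mint a self-signed certificate (the equivalent of keytool -genkeypair); the rest is the Python standard library. The first connection trusts only the default CAs and fails verification, which is what Java reports as the PKIX error; the second has the server's certificate (and only the certificate) added to its trust set, the equivalent of keytool -importcert into cacerts, and succeeds.

```python
"""
Added example (not from the original post, not CAS/Liferay code): why the client
JRE needs the CAS server's certificate in its truststore, shown with Python's ssl
module. Assumes the third-party `cryptography` package for the self-signed cert.
"""
import datetime
import os
import socket
import ssl
import tempfile
import threading

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_self_signed_cert(hostname="localhost"):
    """Return (cert_pem, key_pem), like keytool -genkeypair. Only the certificate
    (public key + identity + self-signature) is ever shared; the key stays put."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(key, hashes.SHA256())
    )
    cert_pem = cert.public_bytes(serialization.Encoding.PEM)
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return cert_pem, key_pem


def start_tls_server(cert_pem, key_pem):
    """Accept one TLS connection on 127.0.0.1 (the 'CAS server'); return the port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with tempfile.NamedTemporaryFile(suffix=".pem", delete=False) as f:
        f.write(cert_pem + key_pem)  # load_cert_chain reads cert and key from one file
    try:
        ctx.load_cert_chain(f.name)  # the keystore side: certificate plus private key
    finally:
        os.unlink(f.name)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        listener.close()
        try:
            with ctx.wrap_socket(conn, server_side=True):
                pass  # handshake complete; a real server would now serve /cas/login
        except OSError:
            pass  # the client rejected our certificate and aborted the handshake

    threading.Thread(target=serve, daemon=True).start()
    return port


def client_handshake(port, trusted_cert_pem=None):
    """Connect as the Liferay JRE would. trusted_cert_pem is what keytool -importcert
    would put into cacerts; None leaves only the default CAs. Returns True when the
    handshake verifies, False on a certificate verification failure."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    if trusted_cert_pem is not None:
        ctx.load_verify_locations(cadata=trusted_cert_pem.decode("ascii"))
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                peer = tls.getpeercert()  # populated only because verification passed
                return peer is not None and "subject" in peer
    except ssl.SSLCertVerificationError:
        return False  # Java reports the same condition as: PKIX path building failed


if __name__ == "__main__":
    cert_pem, key_pem = make_self_signed_cert()
    print("default truststore only:", client_handshake(start_tls_server(cert_pem, key_pem)))
    print("server cert imported:   ", client_handshake(start_tls_server(cert_pem, key_pem), cert_pem))
```

Note that the client is given cert_pem only; key_pem never leaves start_tls_server. Copying the keystore (with the private key) to the Liferay machine would also make the handshake succeed, but it would let that machine impersonate the CAS server, so import the exported certificate alone.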
Now we have enough information about CAS, and we can use it with Liferay. CAS is the service and Liferay is the client that consumes it; Liferay already has CAS client support built in.
The following are the steps required to integrate CAS with Liferay.
- Create the CAS server with JDBC support
- Create an SSL certificate using the Java keytool
- Add the SSL certificate to the server JRE
- Configure the CAS server information in Liferay