Tuesday, August 14, 2007

JBoss Portal takes an unbiased stance on Single Sign On (Part 2)

Continuing with our series on Single Sign On integration with JBoss Portal, this post focuses on integrating the CAS Single Sign On framework with JBoss Portal.

CAS Introduction

CAS is an authentication system originally created by Yale University to provide a trusted way for an application to authenticate a user. CAS became a JA-SIG project in December 2004. Details about the project can be found at http://www.ja-sig.org/products/cas/


CAS Architecture

The CAS system at its core consists of a Central Authentication Server. This server is responsible for performing authentication for users trying to use a collection of web applications. These web applications belong to what we call a circle of trust. When the user is authenticated against the Central Authentication Server for any one of these web applications, the user is automatically authenticated on all the other web applications in this circle of trust, resulting in what we call Single Sign On.

A Typical CAS Interaction
  1. A user visits one of the web applications and tries to authenticate
  2. The CAS Agent on this web application performs a browser redirect to the CAS Server
  3. The user provides login credentials to the CAS Server
  4. After the user is successfully authenticated, the CAS Server issues an opaque ticket for the user, stored as a cookie in the user's browser
  5. The CAS Server then redirects back to the web application
  6. The CAS Agent on this web application is then responsible for creating an authenticated session for this user
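The six-step exchange above, modelled as an added example (this is not code from JBoss Portal or the CAS project): a toy server, a valve-style agent for each web application, and a `visit` helper that plays the browser's redirects. The `/cas/login?service=` redirect, the `CASTGC` cookie and the `TGT-`/`ST-` ticket prefixes follow the CAS protocol, but the class names, the `visit` function and the sample users are this example's own assumptions. The point it shows is that the agent never trusts a ticket on its own: it validates it with the server, and each ticket is opaque, single-use and bound to one service.

```python
import secrets, time

class CasServer:
    # Central Authentication Server: owns the identity store and every ticket.
    def __init__(self, users, st_ttl=10):
        self.users, self.st_ttl = users, st_ttl
        self.tgts = {}      # TGT cookie value -> username (the user's SSO session)
        self.tickets = {}   # service ticket -> (username, service, issued_at)

    def login(self, username, password):
        if self.users.get(username) != password:  # step 3: credentials checked only here
            return None
        tgt = "TGT-" + secrets.token_urlsafe(24)  # step 4: opaque, stored as a cookie
        self.tgts[tgt] = username
        return tgt

    def issue_service_ticket(self, tgt, service):
        if tgt not in self.tgts:
            return None
        st = "ST-" + secrets.token_urlsafe(24)    # bound to one service, single use
        self.tickets[st] = (self.tgts[tgt], service, time.time())
        return st

    def validate(self, service, st):
        entry = self.tickets.pop(st, None)        # pop: a replayed ticket fails
        if entry is None or entry[1] != service or time.time() - entry[2] > self.st_ttl:
            return None
        return entry[0]

class CasAgent:
    # The authentication valve sitting in front of one web application.
    def __init__(self, server, service):
        self.server, self.service, self.sessions = server, service, {}

    def handle(self, ticket=None):
        if ticket is None:                        # steps 1-2: send the browser to CAS
            return ("redirect", "/cas/login?service=" + self.service)
        user = self.server.validate(self.service, ticket)   # step 6: ask the server, never trust the ticket
        if user is None:
            return ("denied", None)
        self.sessions[secrets.token_urlsafe(16)] = user     # authenticated application session
        return ("session", user)

def visit(browser, agent, server, credentials=None):
    # Drive one visit through the six steps; `browser` is a dict holding the CAS cookie.
    tgt = browser.get("CASTGC")
    if tgt not in server.tgts:                    # no SSO session yet: the login form is shown
        if credentials is None or (tgt := server.login(*credentials)) is None:
            return ("login_required", None)
        browser["CASTGC"] = tgt
    st = server.issue_service_ticket(tgt, agent.service)  # step 5: redirect back with a ticket
    return agent.handle(ticket=st)
```

Once `visit` has logged a user in at one application, a visit to a second application in the same circle of trust succeeds with no credentials, while a replayed, forged or cross-service ticket is refused.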

CAS Integration Components and JBoss Portal

The out-of-the-box integration of CAS with JBoss Portal consists of the following components:

  • A CAS server, packaged as a war file
  • A JBoss Portal CAS Authentication Handler. This is an Authentication Handler that plugs into the CAS Server. The CAS Server uses this Authentication Handler to process its authentication requests. This Authentication Handler uses the JBoss Portal Identity API to perform the authentication. The use of this API decouples the Authentication Handler from the actual identity store, such as a relational database, an LDAP repository, etc.
  • A JBoss Portal CAS Authentication Valve. This is a CAS Agent that is responsible for handling all CAS interactions between the web application and the CAS Server. It is also responsible for automatically creating authenticated JBoss Portal sessions on successful Single Sign On.

Technical details on how to get this integration of JBoss Portal with CAS up and running can be found at http://wiki.jboss.org/wiki/Wiki.jsp?page=CASSSOFrameworkIntegration

Part 3 of this series will cover the next Single Sign On framework, JOSSO.

Stay Tuned !!!!
