stored for a few seconds or a couple of minutes until the SP asks to
verify its validity.
6. The IdP sends both tokens to the RA. With CAS, this is another HTTP
redirect. The Ticket-Granting Ticket is placed in a session cookie that is
only shared between the RA and the IdP and never with any SP. The
redirect URL is the SP's URL which was appended to the original redirect
to the IdP in step 2. In addition, CAS appends the ST's handle to the URL
as a standard URL parameter.
7. The RA follows the redirect instruction and accesses the SP again. This
time, the ST handle is part of the URL. The TGT is not sent to the SP
because that is a cookie shared only between the browser and the IdP.
The SP picks up the Service Ticket handle from the URL but has no way
to verify its authenticity.
8. The SP sends the ST handle to the IdP to validate it. In CAS, this is a
direct HTTP call (not redirected through the browser, since the RA is not
yet trusted at this point).
The IdP uses the ST handle to retrieve the ST from its Ticket Registry and
validate it. The ST does not need to be held in the Ticket Registry for
more than a few seconds, because the verification request from the SP
typically comes in almost immediately after the IdP sends the RA the
redirect request containing the ST handle. The ST has a reference to the
TGT, so the IdP also retrieves the TGT with its associated user attributes.
9. The IdP sends back a response to the SP verifying the authenticity of the
ST [22] along with the user attributes it has retrieved. At this point, the RA
is authenticated. The SP uses these user attributes to decide whether to
grant access to its functions or not.
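The following is an added example, not code from the book or from the CAS project: a small Python model of steps 6 to 9 with an in-memory Ticket Registry. The IdP hands the RA a redirect URL carrying the ST handle as a query parameter, the SP extracts the handle and validates it with a direct call to the IdP, and the IdP answers with the user attributes in a simple XML body. The ticket handles, the service URLs, the XML element names and the ST lifetime are all assumptions made for the example; the ST is also consumed on first validation, which is how CAS treats service tickets. The demo shows the three checks a practitioner wants to see enforced: a replayed handle, an expired handle, and a handle issued for a different service are all rejected.

```python
import secrets
import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

ST_TTL_SECONDS = 10  # assumption: an ST only needs to live a few seconds


@dataclass
class TicketGrantingTicket:
    handle: str
    user: str
    attributes: dict  # stored with the TGT, as the book's footnote describes


@dataclass
class ServiceTicket:
    handle: str
    tgt_handle: str  # reference back to the TGT
    service: str     # the SP URL this ticket was issued for
    issued_at: float


class IdP:
    """Hypothetical CAS-style identity provider with an in-memory Ticket Registry."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tgts = {}
        self.sts = {}

    def login(self, user, attributes):
        # The TGT handle goes into the browser<->IdP session cookie only.
        tgt = TicketGrantingTicket("TGT-" + secrets.token_urlsafe(16), user, attributes)
        self.tgts[tgt.handle] = tgt
        return tgt.handle

    def issue_service_ticket(self, tgt_handle, service):
        """Step 6: build the redirect back to the SP with the ST handle appended."""
        tgt = self.tgts[tgt_handle]
        st = ServiceTicket("ST-" + secrets.token_urlsafe(16), tgt.handle, service, self.clock())
        self.sts[st.handle] = st
        return service + "?" + urlencode({"ticket": st.handle})

    def validate(self, st_handle, service):
        """Steps 8-9: direct call from the SP; returns an XML response body."""
        root = ET.Element("serviceResponse")
        st = self.sts.pop(st_handle, None)  # one-shot: removed from the registry on first use
        if (st is None or st.service != service
                or self.clock() - st.issued_at > ST_TTL_SECONDS):
            ET.SubElement(root, "failure", code="INVALID_TICKET")
            return ET.tostring(root, encoding="unicode")
        tgt = self.tgts[st.tgt_handle]  # follow the ST's reference to the TGT
        ok = ET.SubElement(root, "success", user=tgt.user)
        for name, value in tgt.attributes.items():
            ET.SubElement(ok, "attribute", name=name, value=value)
        return ET.tostring(root, encoding="unicode")


class SP:
    """Hypothetical service provider that trusts nothing until the IdP confirms the ST."""

    def __init__(self, url, idp):
        self.url = url
        self.idp = idp

    def handle_request(self, request_url):
        """Step 7: pick the ST handle off the URL, then ask the IdP to validate it."""
        parsed = urlparse(request_url)
        service = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
        ticket = parse_qs(parsed.query).get("ticket", [None])[0]
        if ticket is None:
            return None
        root = ET.fromstring(self.idp.validate(ticket, service))  # direct HTTP call in reality
        success = root.find("success")
        if success is None:
            return None
        attrs = {a.get("name"): a.get("value") for a in success.findall("attribute")}
        return {"user": success.get("user"), "attributes": attrs}


def demo():
    """Run the flow once, then try three misuses; returns the outcomes for inspection."""
    now = [1000.0]  # constructed clock so expiry is deterministic
    idp = IdP(clock=lambda: now[0])
    sp = SP("https://sp.example/app", idp)
    tgt = idp.login("alice", {"role": "editor"})
    redirect = idp.issue_service_ticket(tgt, sp.url)
    first = sp.handle_request(redirect)    # fresh ST: accepted, attributes returned
    replay = sp.handle_request(redirect)   # same handle again: already consumed
    redirect2 = idp.issue_service_ticket(tgt, sp.url)
    now[0] += ST_TTL_SECONDS + 1
    stale = sp.handle_request(redirect2)   # sat too long in the registry
    other = idp.issue_service_ticket(tgt, "https://other.example/app")
    wrong = sp.handle_request(other.replace("https://other.example/app", sp.url))
    return {"first": first, "replay": replay, "stale": stale, "wrong_service": wrong}


if __name__ == "__main__":
    print(demo())
```

Only the ST handle ever crosses to the SP; the TGT stays in the IdP's registry and the browser's IdP cookie, which is the property the book's steps 6 and 7 insist on.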
The CAS website provides plenty of detailed technical material:
http://www.jasig.org/cas
[22] The Service Ticket validation message sent back by CAS is accompanied by the user
attributes that were stored in the Ticket Registry as a “blob” attribute of the TGT.
This approach saves a separate database access during the performance-critical login
process. We used an XML structure in the response body to transport attributes, but
any suitable data format can be used.