SSO and CAS

SSO (Single sign-on) means logging in only once (presenting credentials such as a username and password a single time) and then accessing the platform's many applications and services without further prompts. SSO should not be confused with authorization protocols such as OAuth: OAuth is fundamentally about delegated authorization, and in an OAuth flow each system the user logs into performs its own authentication and authorization step, whereas SSO authenticates the user once.

There are many ways to implement SSO. CAS (Central Authentication Service) is one of them. The original CAS was implemented at Yale; today there are many implementations of the CAS protocol, and the protocol itself has reached version 3.0.

The following description of the CAS protocol is taken from the documentation of the Apereo CAS implementation.

CAS protocol

The CAS protocol is a simple and powerful ticket-based protocol developed exclusively for CAS. A complete protocol specification may be found here.

It involves one or many clients and one server. Clients are embedded in CASified applications (called “CAS services”) whereas the CAS server is a standalone component:

  • The CAS server is responsible for authenticating users and granting access to applications
  • The CAS clients protect the CAS applications and retrieve the identity of the granted users from the CAS server.

The key concepts are:

  • The TGT (Ticket Granting Ticket), stored in the CASTGC cookie, represents a SSO session for a user
  • The ST (Service Ticket), transmitted as a GET parameter in urls, stands for the access granted by the CAS server to the CASified application for a specific user.

Interaction flow

[Figure: cas_flow_diagram]

As the diagram shows, web CAS relies on both session cookies and ticket tokens. The CASTGC cookie keeps the browser's session with the CAS server, so when the browser is sent to the CAS server a second time the user does not have to present credentials again. Passing the ST as a GET parameter lets the authentication result cross domain boundaries, since an application on another domain cannot read the CAS server's cookie. There is also a session cookie between the browser and the protected application that keeps their own session: on a later direct visit to the application the user is not prompted again, and the application does not need to go back to the CAS server to validate a ticket. Two consequences matter in practice. The ST travels in a URL, so it can end up in browser history, proxy and server logs and Referer headers; this is why the protocol makes it single-use and short-lived, and why the application must validate it with the CAS server (the serviceValidate endpoint) before trusting it, with the CAS server checking that the service URL presented at validation matches the one the ticket was issued for. And because the application session cookie is accepted without consulting CAS, logging out of the CAS server does not by itself end the application's session unless single logout is implemented.
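The following is an added example that models the exchange above end to end: it is constructed for this post and is not code from Apereo CAS or any other CAS implementation. The user, password, service URLs, ticket prefixes, the 10-second ST lifetime and the in-memory ticket stores are all assumptions made for illustration; a real deployment talks HTTP to /cas/login and /cas/serviceValidate and the server keeps tickets in a persistent registry.

```python
"""Minimal in-memory model of the CAS ticket flow: server side and client side.

Constructed example for illustration; not the Apereo CAS code. Usernames,
passwords, service URLs, ticket formats and the ST lifetime are assumptions.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit


class CasServer:
    """Issues TGTs (the SSO session, carried in the CASTGC cookie) and
    STs (single-use, short-lived service tickets passed as ?ticket=...)."""

    ST_TTL = 10.0  # seconds; assumed value, real servers use a few seconds to a minute

    def __init__(self, users, now=time.time):
        self._users = users      # {username: password}, constructed test data
        self._tgts = {}          # TGT value -> username
        self._sts = {}           # ST value -> (username, service, issued_at)
        self._now = now          # injectable clock so expiry can be tested

    def login(self, username, password, tgt=None):
        """Model of /cas/login. A valid CASTGC cookie (tgt) proves an existing SSO
        session, so no credentials are needed; otherwise credentials are checked."""
        if tgt in self._tgts:
            return tgt
        if username is None or self._users.get(username) != password:
            return None
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self._tgts[tgt] = username
        return tgt

    def issue_service_ticket(self, tgt, service):
        """Mint an ST bound to one service URL; the server then redirects the
        browser to service?ticket=ST."""
        username = self._tgts.get(tgt)
        if username is None:
            return None
        st = "ST-" + secrets.token_urlsafe(24)
        self._sts[st] = (username, service, self._now())
        return st

    def service_validate(self, ticket, service):
        """Model of /cas/serviceValidate: an ST is accepted once, within its TTL,
        and only for the service it was issued to. Returns the username or None."""
        record = self._sts.pop(ticket, None)   # pop => single use, even on failure
        if record is None:
            return None
        username, bound_service, issued_at = record
        if bound_service != service or self._now() - issued_at > self.ST_TTL:
            return None
        return username


class CasClient:
    """The CAS client embedded in a protected application."""

    def __init__(self, server, service_url):
        self._server = server
        self._service_url = service_url   # configured service URL, used for validation
        self._sessions = {}               # app session cookie -> username

    def redirect_url(self, cas_base):
        """Where an unauthenticated browser is sent first."""
        return cas_base + "/login?" + urlencode({"service": self._service_url})

    def handle_callback(self, url):
        """Take ?ticket=ST from the redirected request, validate it with the CAS
        server against the configured service URL, and open an app session."""
        ticket = parse_qs(urlsplit(url).query).get("ticket", [None])[0]
        username = self._server.service_validate(ticket, self._service_url) if ticket else None
        if username is None:
            return None
        cookie = "APPSESSION-" + secrets.token_urlsafe(16)
        self._sessions[cookie] = username   # later visits are served from this, not from CAS
        return cookie

    def current_user(self, cookie):
        return self._sessions.get(cookie)


def run_flow(now=time.time):
    """Alice logs in once at CAS and reaches two applications without a second prompt."""
    server = CasServer({"alice": "correct horse"}, now=now)
    app_a = CasClient(server, "https://app-a.example/")
    app_b = CasClient(server, "https://app-b.example/")
    # 1. App A redirects to CAS; credentials are presented once and CASTGC is set.
    tgt = server.login("alice", "correct horse")
    st_a = server.issue_service_ticket(tgt, "https://app-a.example/")
    cookie_a = app_a.handle_callback(f"https://app-a.example/?ticket={st_a}")
    # 2. App B redirects to CAS; the CASTGC cookie alone yields a new ST.
    st_b = server.issue_service_ticket(server.login(None, None, tgt=tgt), "https://app-b.example/")
    cookie_b = app_b.handle_callback(f"https://app-b.example/?ticket={st_b}")
    return server, app_a, app_b, cookie_a, cookie_b, st_a


if __name__ == "__main__":
    server, app_a, app_b, cookie_a, cookie_b, st_a = run_flow()
    print("app A sees:", app_a.current_user(cookie_a), "| app B sees:", app_b.current_user(cookie_b))
    print("replayed ST accepted?", server.service_validate(st_a, "https://app-a.example/") is not None)
```

The two checks worth noticing are in service_validate: the ticket is removed from the store before anything else, so a leaked ST cannot be replayed, and validation fails when the service URL differs from the one the ticket was minted for, so a ticket captured on one application cannot be redeemed at another.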
