Transparent Single Sign-On with CAS & eDirectory

A few months ago I had a patch accepted by the JA-SIG CAS project to enable this single sign-on (SSO) service to automatically authenticate users who are part of an internal Novell network. The benefit of this is that once a user has logged into their corporate network they do not have to authenticate themselves again when they use any of the company's web applications. CAS is a good choice for an SSO solution because it is free, fairly simple to set up and has libraries for integrating with Java and just about every other web language. Also, due to its relative simplicity, many popular web applications support CAS 'out of the box', so it pays to do some checking before reinventing the SSO wheel.

How exactly this transparent authentication mechanism works is a little complicated, but in practice it occurs in a fraction of a second without any intervention. Below is a diagram outlining the actions that take place and a brief description of what happens at each step.

  1. The staff member logs in to the Novell network to gain access to their desktop.
  2. Once logged in, the user visits an internally hosted web application (e.g. CRM, DMS, etc.).
  3. Because the user is not yet logged in to the web application, it returns a CAS redirect to the browser.
  4. The user's browser is automatically redirected to the CAS web service for authentication.
  5. The CAS service detects the incoming IP address and performs an LDAP search for this value in eDirectory.
  6. The LDAP search finds the entry holding the user's IP address and returns their credentials.
  7. CAS creates an authenticated session for the user and returns a one-time use ticket to the browser.
  8. The browser automatically redirects back to the web application and presents the authentication ticket for validation.
  9. The web application checks this ticket against the CAS service. If it is valid, the user's credentials are returned.
  10. The web application creates an authenticated session and returns the relevant HTML content to the browser.
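
The ticket exchange in steps 5 to 9, as an added example that is not part of the original post or the CAS code base: an in-memory stand-in for the eDirectory lookup, a minimal CAS side that issues a one-time, service-bound, short-lived ticket, and the application's validation call. The IP-to-user table, the service URLs and the class names are constructed for the illustration.

```python
import secrets
import time

# Constructed stand-in for the eDirectory lookup in steps 5-6: maps the
# client's IP address to the account currently logged in from that host.
# A real deployment asks the directory over LDAP instead of this dict.
EDIRECTORY_BY_IP = {
    "10.1.2.3": "jsmith",
    "10.1.2.4": "akumar",
}

class CasServer:
    """Model of the CAS side: resolve the caller's IP to a user, then hand
    out a service ticket that is bound to one service URL, usable once,
    and only valid for a short window."""

    def __init__(self, ticket_ttl_seconds=10):
        self._tickets = {}          # ticket id -> (user, service, issued_at)
        self._ttl = ticket_ttl_seconds

    def login(self, client_ip, service):
        user = EDIRECTORY_BY_IP.get(client_ip)   # steps 5-6
        if user is None:
            return None                          # no match: fall back to a login form
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (user, service, time.time())
        return ticket                            # step 7

    def validate(self, ticket, service):
        # One-time use: the ticket is discarded on its first validation
        # attempt, whether or not that attempt succeeds.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        user, bound_service, issued_at = entry
        if bound_service != service or time.time() - issued_at > self._ttl:
            return None                          # wrong service or expired
        return user

def app_request(cas, client_ip, service="https://crm.example.internal/"):
    """Steps 3-9 from the application's point of view: obtain a ticket from
    CAS for this service and validate it before creating a session."""
    ticket = cas.login(client_ip, service)       # steps 3-7
    if ticket is None:
        return None
    return cas.validate(ticket, service)         # step 9
```

Note that the whole scheme rests on the directory's record of which user is logged in from which address, so the ticket is only as trustworthy as that IP-to-user binding.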

Setting all this up is not too difficult, so long as you carefully follow my instructions on the CAS wiki. The key is understanding what is going on and how the CAS configuration files work to achieve this task. The added bonus is that because this technique uses information stored in eDirectory it works with (pretty much) any Internet browser without any extra client-side software.