Integrating a portal with CAS and LDAP
I hope this blog sheds some light for those who are trying to understand how a portal might integrate with a single sign on solution, such as, in this case, CAS (http://www.jasig.org/cas) and LDAP (http://directory.apache.org). The following diagram outlines the architecture and the event flows.
The flow arrows are numbered and annotated below.
These are the URLs used for illustration purposes:
Portal: http://localhost/portal
CAS: https://localhost:8443/cas
External Application: http://externalApp1
I have included just one external application in the scenario below to keep things simple. In reality, the portal would be talking to multiple external applications (flows 8 - 13 are repeated for each app).

1. The user accesses the portal, for example at http://localhost/portal
2. The web browser is redirected to the CAS server at: https://localhost:8443/cas/login
3. CAS obtains the user ID and password from the user via a login form and authenticates them against LDAP.
4. If authentication passes, CAS appends a login ticket to the portal URL, like so: http://localhost/portal?ticket=xxx
5. The browser is redirected to http://localhost/portal?ticket=xxx
6. The portal validates the login ticket with CAS by doing a GET on https://localhost:8443/cas/serviceValidate?ticket=xxx&service=http://localhost/portal&pgtUrl=https://localhost/portal/proxyTicketReceptor
7. On successful validation, CAS sends back the user ID and a ticket granting ticket called a PGTIOU.
8. Using the PGTIOU, the portal requests a proxy ticket from CAS for the External App using the URL: https://localhost:8443/cas/proxy?pgt=[PGTIOU]&service=http://externalApp1
9. CAS creates a proxy ticket and returns it to the portal.
10. The portal appends the proxy ticket to the URL of the External App, for example: http://externalApp1?ticket=[proxy ticket]
11. The External App validates the proxy ticket with CAS using the URL: https://localhost:8443/cas/proxyValidate?ticket=[proxy ticket]&service=http://externalApp1
12. If validation passes, CAS returns the user ID to the External App.
13. The user is now logged into the External App, which returns the page to the portal.
14. The portal renders the final page and returns it to the browser.
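As an added illustration (not code from Jasig CAS or from any portal), here is the consuming side of flows 7 and 12 in Python: parsing the CAS 2.0 XML that serviceValidate and proxyValidate return, treating anything but an explicit authenticationSuccess as a failed login, and letting the External App accept a proxied ticket only when the whole proxy chain is on an allow-list (here, the portal's proxyTicketReceptor URL). The XML responses are constructed samples in the CAS 2.0 format (namespace http://www.yale.edu/tp/cas); the allow-list check is my addition, not part of the page's flow.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
NS = {"cas": CAS_NS}

class CasValidationError(Exception):
    """The response must be treated as 'not authenticated'."""

def parse_validation_response(xml_text, allowed_proxies=()):
    """Parse a serviceValidate/proxyValidate response into (user, pgtiou, proxies).
    Only an explicit <cas:authenticationSuccess> carrying a user counts; for proxyValidate
    every proxy in the chain must be in allowed_proxies (the portal's callback URL)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        raise CasValidationError("not a CAS serviceResponse")
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise CasValidationError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise CasValidationError("no authenticationSuccess element")
    user = success.findtext("cas:user", default="", namespaces=NS).strip()
    if not user:
        raise CasValidationError("authenticationSuccess without cas:user")
    pgtiou = success.findtext("cas:proxyGrantingTicket", default=None, namespaces=NS)
    proxies = [(p.text or "").strip() for p in success.findall("cas:proxies/cas:proxy", NS)]
    untrusted = [p for p in proxies if p not in allowed_proxies]
    if untrusted:  # a ticket proxied by anything other than the portal is refused
        raise CasValidationError(f"untrusted proxy in chain: {untrusted}")
    return user, (pgtiou.strip() if pgtiou else None), proxies

def validation_failure_reason(xml_text, allowed_proxies=()):
    """Return None when the response is accepted, otherwise why it was rejected."""
    try:
        parse_validation_response(xml_text, allowed_proxies)
        return None
    except CasValidationError as e:
        return str(e)

# Flow 7: constructed sample of what CAS returns to the portal for serviceValidate.
PORTAL_RESPONSE = f"""<cas:serviceResponse xmlns:cas='{CAS_NS}'><cas:authenticationSuccess>
<cas:user>jsmith</cas:user><cas:proxyGrantingTicket>PGTIOU-example-1</cas:proxyGrantingTicket>
</cas:authenticationSuccess></cas:serviceResponse>"""
# Flow 12: constructed sample of what CAS returns to the External App for proxyValidate.
EXTERNAL_APP_RESPONSE = f"""<cas:serviceResponse xmlns:cas='{CAS_NS}'><cas:authenticationSuccess>
<cas:user>jsmith</cas:user><cas:proxies><cas:proxy>https://localhost/portal/proxyTicketReceptor</cas:proxy>
</cas:proxies></cas:authenticationSuccess></cas:serviceResponse>"""
FAILURE_RESPONSE = (f"<cas:serviceResponse xmlns:cas='{CAS_NS}'><cas:authenticationFailure "
                    "code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure></cas:serviceResponse>")
```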