John,

The way it works is that you configure some backend for CAS to authenticate credentials against. There is a lot of flexibility, but in *typical* scenarios, credentials are username/password, and the backend would be LDAP/Active Directory or some kind of RDBMS.
The way authentication works with your apps is that you configure CAS to whitelist your services by means of a service registry (which is basically just a list of URL patterns it will accept). You then configure each of your applications to trust CAS authentication by installing a CAS client and pointing it to your CAS service. When a user tries to log into one of your apps, if they have no existing application session, they are redirected to the CAS service with a querystring parameter "service" that points back to a URL on your app. CAS checks that this URL is whitelisted, and if it is, it checks to see if you have an existing Single Sign On (SSO) session. If not, it forces you to authenticate, and if successful, it establishes an SSO session for you. Once you have an SSO session, CAS redirects you to the "service" URL, with a querystring parameter "ticket" that includes a long random string called a service ticket (ST). The STs only last for a short time (think ~30 seconds). Your app can take the ST and make a server-to-server connection to CAS and ask "is this ST valid?". If it is, CAS says "yes, here is the user ID of the user it belongs to". If you configure CAS to release attributes to a service, those are also provided in the response.

That's the whole thing in a nutshell. Your SSO session will eventually expire after some time you set (think hours or days). You can also explicitly log out of CAS to end the SSO session.

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

----- Original Message -----
From: "John Rellis" <[email protected]>
To: "CAS Community" <[email protected]>
Sent: Friday, May 20, 2016 9:49:05 AM
Subject: [cas-user] Help Connecting Initial Pieces (Shiro, Grails and CAS)

Hey folks,

Apologies for the broad scope of this post. I've been reading the docs <https://apereo.github.io/cas/4.2.x/index.html> and although I can see each individual piece I am having trouble deciphering how these pieces fit together for my use case.
Right now, I have 4 grails applications that have 4 different databases containing user information. The applications currently use Shiro to authenticate users. The goal is to implement single sign on in these applications. I have cloned the cas-overlay-template project, created the war and launched it in tomcat and can login using the default user and I'm really at a "now what?" scenario. I have also included the shiro-cas dependency in the current projects and read this doc <http://shiro.apache.org/cas.html>.

This is what I see as our potential process flow. Can someone please correct me if I am going wrong with my understanding of how all this works and help with some of the questions too? That would be amazing!

1. User hits one of our four applications and is not logged in
   1. Does each of these applications need to be configured as services on the CAS server?
2. User is redirected to CAS
   1. This is done through the configuration of Shiro as far as I can tell
3. User enters their login details into CAS
   1. Where are these details matched against? Can they be matched against the already existing applications or do I need to create a new database/service to authenticate against?
4. User is logged into one application
5. User hits application 2 where they are not logged in, they are redirected to CAS, a ticket exists for their login and they are allowed into application two

My current understanding is that each application needs to be a service and a ticket is generated at the first login that is stored as a cookie and this ticket is used to allow access to other applications. Is this correct?

Thank you in advance!!!!!

John

--
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b0892c0a-2e13-49ef-8d90-44aac2ecadc5%40apereo.org. For more options, visit https://groups.google.com/a/apereo.org/d/optout.
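The redirect-and-validate exchange Carl describes, as an added example that is not part of this thread or of CAS itself: a toy Python CAS server that enforces the service registry whitelist and issues short-lived, single-use service tickets, plus the back-channel check an app's CAS client performs on the `ticket` it gets back. The service URLs, user name and released attributes are constructed values; the XML shape follows the CAS 2.0 `serviceValidate` response, and the HTTPS call is replaced by a direct method call.

```python
import re
import secrets
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

ST_TTL = 30                            # seconds; the "~30 seconds" Carl mentions
CAS_NS = "http://www.yale.edu/tp/cas"  # namespace used by real CAS 2.0 XML responses

def _resp(body):
    return f'<cas:serviceResponse xmlns:cas="{CAS_NS}">{body}</cas:serviceResponse>'

class CasServer:
    """Toy CAS server: service registry whitelist, released attributes, single-use STs."""
    def __init__(self, registry, attributes):
        self.registry = [re.compile(p) for p in registry]  # allowed service URL patterns
        self.attributes = attributes                         # user -> attributes to release
        self.tickets = {}                                    # ST -> (service, user, issued)

    def login(self, service, user, now):
        """User already has an SSO session: mint an ST bound to this service, or refuse."""
        if not any(p.fullmatch(service) for p in self.registry):
            raise PermissionError("service not in registry")
        st = "ST-" + secrets.token_urlsafe(24)
        self.tickets[st] = (service, user, now)
        return st

    def service_validate(self, service, st, now):
        """Back-channel /serviceValidate: ST must be unused, bound to service, and fresh."""
        entry = self.tickets.pop(st, None)       # pop: a replayed ST is rejected
        if entry is None:
            return _resp('<cas:authenticationFailure code="INVALID_TICKET"/>')
        bound_service, user, issued = entry
        if bound_service != service:
            return _resp('<cas:authenticationFailure code="INVALID_SERVICE"/>')
        if now - issued > ST_TTL:
            return _resp('<cas:authenticationFailure code="INVALID_TICKET"/>')
        attrs = "".join(f"<cas:{k}>{escape(v)}</cas:{k}>"
                        for k, v in self.attributes.get(user, {}).items())
        return _resp(f"<cas:authenticationSuccess><cas:user>{escape(user)}</cas:user>"
                     f"<cas:attributes>{attrs}</cas:attributes></cas:authenticationSuccess>")

def client_validate(server, service, st, now):
    """The app's CAS client: validate the ?ticket= it got back; (user, attrs) or None."""
    root = ET.fromstring(server.service_validate(service, st, now))  # HTTPS call in real life
    ok = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if ok is None:                  # any failure code: do not create an app session
        return None
    attr_el = ok.find(f"{{{CAS_NS}}}attributes")
    attrs = {el.tag.split("}")[1]: el.text for el in (attr_el if attr_el is not None else [])}
    return ok.findtext(f"{{{CAS_NS}}}user"), attrs
```

Only a success element yields a user, so the app never creates a session from a replayed, expired or wrongly-targeted ticket.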
