This is the fifth day of my participation in Gwen Challenge
preface
As the number of service systems increases, user status cannot be shared among service systems. Therefore, each system requires user login. This is very unfriendly to users, so it is necessary to set up an SSO SSO server to do unified login and logout.
This series of articles serves two purposes:
- Keep track of your learning
- There aren’t many articles on the web about using Apereo CAS for single sign-on, so I wanted to share them with you
Note: Apereo CAS documentation and warehouse reference is 6.3.4
Past the link
- What is SSO?
- What is CAS?
I. CAS certification process
You have learned from the previous two articles what SSO is and what CAS is. This article describes the authentication process of CAS in detail.
The best way to understand the CAS certification process is to read the official documentation
For the first time login
The sequence diagram for the first login is shown below (it may be a bit long, but I’ll go over it and explain it later).
Sequence diagram interpretation for the first login
1 After a request is sent to app.example.com, the App server finds that the user does not log in and redirects the request to the CAS service address cas.example.com? Service = XXX. 2 The CAS server returns to the login page after discovering that the current user has not logged in. 3 After the CAS enters the correct account and password, the CAS writes the TGT to the Cookie. Redirect to previous service address app.example.com? Ticket = XXX (note: The URL contains ticket issued by the CAS server. (4) After receiving a request containing ticket, the application server uses ticket to exchange user information with the CAS server and writes the user information to the current session. 5. If the application sequence server finds that the current user has logged in, the application sequence server returns the corresponding information
Ticket Granting Ticket (TGT) : Ticket used by the CAS server to indicate whether a current user has logged in. Ticket: Used by other applications to obtain user information from the CAS
Second Login
The second login is the second login to another application
The sequence diagram for the second login is as follows:
Second login sequence diagram explanation
1. After a request is sent to app2.example.com, App2 redirects the request to the CAS service address cas.example.com? Service = XXX. Cas.example.com? Service = XXX; / / cas.example.com? Service = XXX; / / cas.example.com? The CAS service obtains the login information from the TGT and redirects the CAS service to app2.example.com? Ticket = XXX (Note: The url contains ticket issued by the CAS server.) 3 After receiving a request containing ticket, the CAS server uses ticket to exchange user information with the CAS server and writes the user information to the current session. 4 Application sequence 2 Indicates that the server finds that the current user has logged in, and returns the corresponding information
Second, the summary
For such a complex project, read more documents and understand more.
Thank you to see the end, very honored to help you ~♥