CAS: Simple Authentication


Ken McCrery, from Virginia Tech gave a presentation at JA-SIG on their experience using Central Authentication Service (CAS) to provide single sign-on and single sign-off for their campus systems. CAS is an authentication system originally created by Yale University to provide a trusted way for an application to authenticate a user. It's freely available for download.

VT orginally used a home grown system called AuthPortal but their middleware group couldn't keep up with the portal groups requirements. They determined to move to something that was more widely used.

They found that

  • CAS 2.0 was easy to deploy
  • Previous AuthPortal clients were simple to convert
  • Small footprint--fast and efficient
  • System has been very stable and reliable over the last two years.

According to the JA-SIG CAS Web site, CAS has

  • An open and well-documented protocol
  • An open-source Java server component
  • A library of clients for Java, .Net, PHP, Perl, Apache, uPortal, and others
  • Integrates with uPortal, BlueSocket, TikiWiki, Mule, Liferay, Moodle and others
  • Community documentation and implementation support
  • An extensive community of adopters

CAS is similar to OpenID in goals and overall effect. The academic IT community has largely gone it's own way in solving lot of problems like authentication. That's not necessarily because they're out of touch. In fact, quite the opposite. They have a better traditional of cooperation because they're aren't really competing with each other and so they get together and scratch the itches before the commercial side is induce to cooperate by market forces. SSO was one such itch.

The problem is that now, they have a choice (or several) in OpenID, CardSpace, and others. There are several possible routes:

  1. Ignore outside project and continue to roll their own. Clearly they will miss out on the ability to integrate with products and services based on the more widely used protocols.
  2. Change over to a more widely used solution once the winners are more apparent. This is painful, but is often done.
  3. Integrate the ability to use these other systems with CAS so that CAS deployments begin to take advantage of the more widely deployed code base of the other systems.

I' guess that the last option is the one academic institutions will follow.