The REST protocol allows one to model applications as users, programmatically acquiring service tickets to authenticate to other applications. This means that other applications would be able to use a CAS client to accept Service Tickets rather than to rely upon another technology such as client SSL certificates for application-to-application authentication of requests. This is achieved by exposing a way to RESTfully obtain a Ticket Granting Ticket and then use that to obtain a Service Ticket.
Request a Ticket Granting Ticket:

POST https://cas.apiit.edu.my/cas/v1/tickets HTTP/1.0
Content-type: Application/x-www-form-urlencoded

username=battags&password=password&additionalParam1=paramvalue

Successful response:

201 Created
Location: http://www.whatever.com/cas/v1/tickets/{TGT id}
If incorrect credentials are sent, CAS responds with 400 Bad Request (the same status is returned for missing parameters and similar malformed requests). If the request carries a media type CAS does not understand, it responds with 415 Unsupported Media Type.
The snippets below show how one might request a service ticket using the semantics of the CAS protocol:
POST /cas/v1/tickets/{TGT id} HTTP/1.0

service={form encoded parameter for the service url}

Successful response:

200 OK
ST-1-FFDFHDSJKHSDFJKSDHFJKRUEYREWUIFSD2132
Service ticket validation is handled through the CAS protocol via any of the validation endpoints, such as /p3/serviceValidate:

GET /cas/p3/serviceValidate?service={service url}&ticket={service ticket}
Sample XML output on successful ticket validation:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>TP012345</cas:user>
    <cas:attributes>
      <cas:isFromNewLogin>true</cas:isFromNewLogin>
      <cas:authenticationDate>2019-03-05T00:04:34.916Z[Zulu]</cas:authenticationDate>
      <cas:sAMAccountName>TP012345</cas:sAMAccountName>
      <cas:displayName>John Doe</cas:displayName>
      <cas:givenName>John Doe</cas:givenName>
      <cas:successfulAuthenticationHandlers>LdapAuthenticationHandler</cas:successfulAuthenticationHandlers>
      <cas:distinguishedName>CN=TP012345,OU=38000,OU=Students,DC=techlab,DC=apiit,DC=edu,DC=my</cas:distinguishedName>
      <cas:cn>TP012345</cas:cn>
      <cas:samlAuthenticationStatementAuthMethod>urn:oasis:names:tc:SAML:1.0:am:unspecified</cas:samlAuthenticationStatementAuthMethod>
      <cas:credentialType>RememberMeUsernamePasswordCredential</cas:credentialType>
      <cas:authenticationMethod>LdapAuthenticationHandler</cas:authenticationMethod>
      <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
      <cas:memberOf>CN=38000,OU=38000,OU=Students,DC=techlab,DC=apiit,DC=edu,DC=my</cas:memberOf>
      <cas:userPrincipalName>TP012345@mail.apu.edu.my</cas:userPrincipalName>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
For an unsuccessful request, CAS will send a 400 Bad Request. If an incorrect media type is sent, it will send 415 Unsupported Media Type.
Destroy the SSO session by removing the issued ticket:
DELETE /cas/v1/tickets/TGT-fdsjfsdfjkalfewrihfdhfaie HTTP/1.0
Verify the status of an obtained ticket to make sure it is still valid and has not yet expired:

GET /cas/v1/tickets/TGT-fdsjfsdfjkalfewrihfdhfaie HTTP/1.0

Successful response (the ticket is still valid):

200 OK

Unsuccessful response (the ticket is unknown or has expired):

404 NOT FOUND
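The whole flow above (obtain a TGT, exchange it for a service ticket, validate the ticket at /p3/serviceValidate, check the TGT's status and destroy it), as an added worked example in Python. This is not the CAS project's own code and not part of the original page. The HTTP layer is an injected callable, so the client is exercised offline against FakeCas, a constructed in-memory stand-in that answers with the status codes and bodies this page lists; the host sso.example.test, the service URL, the ticket values and the UsernamePasswordCredential attribute are constructed placeholders, while battags/password are the page's own sample credentials. Beyond what the page shows, the client also handles the <cas:authenticationFailure> branch of the validation response, and the demo shows that a service ticket is accepted only once.

```python
"""CAS REST flow from this page (TGT -> service ticket -> /p3/serviceValidate -> status -> logout). Added example,
not code from the CAS project or this page; FakeCas is a constructed stand-in so the client runs offline."""
from collections import namedtuple
from urllib.parse import urlencode, parse_qsl
import xml.etree.ElementTree as ET

Response = namedtuple("Response", "status headers body")
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
FORM = {"Content-Type": "application/x-www-form-urlencoded"}

class CasError(Exception):
    """Raised when CAS rejects a request or returns a failure or malformed validation response."""

class CasRestClient:
    def __init__(self, base_url: str, transport):
        self.base, self.send = base_url.rstrip("/"), transport  # send(method, url, headers, body) -> Response

    def get_tgt(self, username: str, password: str) -> str:
        r = self.send("POST", f"{self.base}/v1/tickets", FORM, urlencode({"username": username, "password": password}))
        if r.status != 201 or "Location" not in r.headers:  # 400 = bad or missing credentials, 415 = media type
            raise CasError(f"TGT request failed with {r.status}")
        return r.headers["Location"].rstrip("/").rsplit("/", 1)[-1]  # the TGT id is the last path segment

    def get_service_ticket(self, tgt: str, service: str) -> str:
        r = self.send("POST", f"{self.base}/v1/tickets/{tgt}", FORM, urlencode({"service": service}))
        if r.status != 200 or not r.body.strip().startswith("ST-"):
            raise CasError(f"service ticket request failed with {r.status}")
        return r.body.strip()

    def validate(self, service: str, ticket: str) -> tuple[str, dict[str, str]]:
        url = f"{self.base}/p3/serviceValidate?" + urlencode({"service": service, "ticket": ticket})
        root = ET.fromstring(self.send("GET", url, {}, None).body)
        failure = root.find("cas:authenticationFailure", CAS_NS)  # CAS reports a bad ticket inside the XML body
        if failure is not None:
            raise CasError(f"{failure.get('code')}: {(failure.text or '').strip()}")
        success = root.find("cas:authenticationSuccess", CAS_NS)
        if success is None or not success.findtext("cas:user", namespaces=CAS_NS):
            raise CasError("malformed validation response")
        attrs = {el.tag.split("}")[-1]: (el.text or "").strip() for el in success.findall("cas:attributes/*", CAS_NS)}
        return success.findtext("cas:user", namespaces=CAS_NS), attrs

    def tgt_is_valid(self, tgt: str) -> bool:
        return self.send("GET", f"{self.base}/v1/tickets/{tgt}", {}, None).status == 200

    def logout(self, tgt: str) -> bool:
        return self.send("DELETE", f"{self.base}/v1/tickets/{tgt}", {}, None).status == 200

SUCCESS_XML = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationSuccess><cas:user>{user}</cas:user>"
               "<cas:attributes><cas:credentialType>UsernamePasswordCredential</cas:credentialType></cas:attributes>"
               "</cas:authenticationSuccess></cas:serviceResponse>")
FAILURE_XML = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationFailure code='INVALID_TICKET'>"
               "Ticket not recognized</cas:authenticationFailure></cas:serviceResponse>")

class FakeCas:
    """Constructed in-memory CAS answering as the page describes: 201/400 for TGTs, ST body, XML, 200/404."""
    BASE = "https://sso.example.test/cas"  # constructed placeholder host
    def __init__(self, users: dict[str, str]):
        self.users, self.tgts, self.sts, self.n = users, {}, {}, 0

    def __call__(self, method, url, headers, body) -> Response:
        path, _, query = url[len(self.BASE):].partition("?")
        form = dict(parse_qsl(body or ""))
        if path == "/v1/tickets" and method == "POST":
            if "password" not in form or self.users.get(form.get("username")) != form["password"]:
                return Response(400, {}, "")
            self.n += 1
            self.tgts[f"TGT-{self.n}-constructed"] = form["username"]
            return Response(201, {"Location": f"{self.BASE}/v1/tickets/TGT-{self.n}-constructed"}, "")
        if path.startswith("/v1/tickets/"):
            tgt = path[len("/v1/tickets/"):]
            if tgt not in self.tgts:
                return Response(404, {}, "")
            if method == "POST":
                self.n += 1
                self.sts[f"ST-{self.n}-constructed"] = (form.get("service"), self.tgts[tgt])
                return Response(200, {}, f"ST-{self.n}-constructed")
            if method == "DELETE":
                del self.tgts[tgt]
            return Response(200, {}, "")  # GET reports a live TGT; DELETE has just destroyed it
        if path == "/p3/serviceValidate" and method == "GET":
            q = dict(parse_qsl(query))
            entry = self.sts.pop(q.get("ticket", ""), None)  # a service ticket is single-use
            if entry is None or entry[0] != q.get("service"):
                return Response(200, {}, FAILURE_XML)
            return Response(200, {}, SUCCESS_XML.format(user=entry[1]))
        return Response(404, {}, "")

def demo() -> dict:  # whole flow against FakeCas; the second validate() shows a replayed ST is rejected
    cas = CasRestClient(FakeCas.BASE, FakeCas({"battags": "password"}))  # the page's sample credentials
    service = "https://app.example.test/callback"  # constructed placeholder
    tgt = cas.get_tgt("battags", "password")
    st = cas.get_service_ticket(tgt, service)
    user, attrs = cas.validate(service, st)
    try:
        cas.validate(service, st)
        replay = "accepted"
    except CasError as e:
        replay = str(e)
    logged_out = cas.logout(tgt)  # destroys the SSO session, so the status check in the return must see 404
    return {"user": user, "attrs": attrs, "replay": replay, "logged_out": logged_out, "tgt_alive": cas.tgt_is_valid(tgt)}
```

To use the client against a real CAS server, pass a transport that performs the request with urllib or requests and returns a Response with the status, headers and body; the client itself never inspects anything beyond the status code, the Location header and the response body, which is all the page's protocol description relies on.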