/
API User Authentication using CAS

API User Authentication using CAS

Owned by Former user (Deleted)
Last updated: May 05, 2020
2 min read

CAS Sequence

 

REST Protocol

The REST protocol allows one to model applications as users, programmatically acquiring service tickets to authenticate to other applications. This means that other applications would be able to use a CAS client to accept Service Tickets rather than to rely upon another technology such as client SSL certificates for application-to-application authentication of requests. This is achieved by exposing a way to RESTfully obtain a Ticket Granting Ticket and then use that to obtain a Service Ticket.

Request a Ticket Granting Ticket (Step 1)

POST https://cas.apiit.edu.my/cas/v1/tickets HTTP/1.0 'Content-type': 'Application/x-www-form-urlencoded' username=battags&password=password&additionalParam1=paramvalue

Successful Response

201 Created Location: http://www.whatever.com/cas/v1/tickets/{TGT id}

Unsuccessful Response

If incorrect credentials are sent, CAS will respond with a 400 Bad Request error (will also respond for missing parameters, etc.). If you send a media type it does not understand, it will send the 415 Unsupported Media Type.

Request For a Service Ticket (Step 02)

The below snippets show one might request a service ticket using the semantics of the CAS protocol:

POST /cas/v1/tickets/{TGT id} HTTP/1.0 service={form encoded parameter for the service url}

Successful Response

200 OK ST-1-FFDFHDSJKHSDFJKSDHFJKRUEYREWUIFSD2132

 

Validate Service Ticket (Step 03)

Service ticket validation is handled through the CAS Protocol via any of the validation endpoints such as/p3/serviceValidate.

GET /cas/p3/serviceValidate?service={service url}&ticket={service ticket}

Sample XML output on successful ticket validation:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>TP012345</cas:user> <cas:attributes> <cas:isFromNewLogin>true</cas:isFromNewLogin> <cas:authenticationDate>2019-03-05T00:04:34.916Z[Zulu]</cas:authenticationDate> <cas:sAMAccountName>TP012345</cas:sAMAccountName> <cas:displayName>John Doe</cas:displayName> <cas:givenName>John Doe</cas:givenName> <cas:successfulAuthenticationHandlers>LdapAuthenticationHandler</cas:successfulAuthenticationHandlers> <cas:distinguishedName>CN=TP012345,OU=38000,OU=Students,DC=techlab,DC=apiit,DC=edu,DC=my</cas:distinguishedName> <cas:cn>TP012345</cas:cn> <cas:samlAuthenticationStatementAuthMethod>urn:oasis:names:tc:SAML:1.0:am:unspecified</cas:samlAuthenticationStatementAuthMethod> <cas:credentialType>RememberMeUsernamePasswordCredential</cas:credentialType> <cas:authenticationMethod>LdapAuthenticationHandler</cas:authenticationMethod> <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed> <cas:memberOf>CN=38000,OU=38000,OU=Students,DC=techlab,DC=apiit,DC=edu,DC=my</cas:memberOf> <cas:userPrincipalName>TP012345@mail.apu.edu.my</cas:userPrincipalName> </cas:attributes> </cas:authenticationSuccess> </cas:serviceResponse>

Unsuccessful Response

CAS will send a 400 Bad Request. If an incorrect media type is sent, it will send the 415 Unsupported Media Type.

Logout

Destroy the SSO session by removing the issued ticket:

DELETE /cas/v1/tickets/TGT-fdsjfsdfjkalfewrihfdhfaie HTTP/1.0

Ticket Status

Verify the status of an obtained ticket to make sure it still is valid and has not yet expired.

GET /cas/v1/tickets/TGT-fdsjfsdfjkalfewrihfdhfaie HTTP/1.0

Successful Response

200 OK

Unsuccessful Response

404 NOT FOUND

 

Related content

Copyright © Asia Pacific University. All Rights Reserved.