Implementation
Details about the implementation of CAS at Texas A&M University are documented here.
Version
The CAS 3.0 protocol is supported by Texas A&M's CAS implementation.
Authentication Payload
CAS returns user information in either plain text or XML.
- Plain Text: the application should call the .../validate server validation URL.
- XML: the application should call the .../serviceValidate server validation URL. (Recommended)
Although there are two different .../serviceValidate server validation URLs, one for CAS 2.0 and one for CAS 3.0, they return exactly the same payload. CAS 2.0 already had the <cas:attributes> element for returning additional elements in the payload, but it was not formally documented in the CAS protocol until the CAS 3.0 protocol was published.
Payload Content
CAS allows the payload to be customized. Texas A&M's CAS deployment takes advantage of this feature to return both the user's UIN and NetID. No other customizations have been made to the payload, so that 3rd party CAS-enabled applications will not require modifications to work with Texas A&M's CAS implementation. An optional attribute that can be added to the CAS payload is authenticationMethod. This attribute returns one of two values:
- Password: the user completed one-factor authentication
- 2Factor: the user completed two-factor authentication
Payload Examples
Successful Validation:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>netid</cas:user>
    <cas:attributes>
      <cas:tamuEduPersonUIN>#########</cas:tamuEduPersonUIN>
      <cas:tamuEduPersonNetID>netid</cas:tamuEduPersonNetID>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
Failed Validation:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="...">
    Optional authentication failure message
  </cas:authenticationFailure>
</cas:serviceResponse>
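The following is an added example, not code from Texas A&M or the CAS project, showing how a relying application would parse the serviceValidate payload described above (success and failure cases, the tamuEduPersonUIN/tamuEduPersonNetID attributes, and the optional authenticationMethod attribute). The sample responses, the UIN value and the failure code INVALID_TICKET are constructed for the example; a real application must fetch the response from the CAS server over TLS using the ticket it received.

```python
# Added example (not Texas A&M's code): parse a CAS 3.0 serviceValidate response.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used in the payload above

@dataclass
class CasResult:
    success: bool
    user: Optional[str] = None
    attributes: dict = field(default_factory=dict)
    failure_code: Optional[str] = None
    failure_message: Optional[str] = None

def parse_service_validate(xml_text: str) -> CasResult:
    """Return the user and attributes on success, or the failure code on failure."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        user = ok.findtext("cas:user", default="", namespaces=CAS_NS).strip()
        attrs = {}
        attr_el = ok.find("cas:attributes", CAS_NS)
        if attr_el is not None:
            for child in attr_el:
                # tag looks like {http://www.yale.edu/tp/cas}tamuEduPersonUIN; keep the local name
                attrs[child.tag.split("}", 1)[-1]] = (child.text or "").strip()
        return CasResult(True, user, attrs)
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return CasResult(False, failure_code=fail.get("code"),
                         failure_message=(fail.text or "").strip())
    raise ValueError("payload has neither authenticationSuccess nor authenticationFailure")

def completed_two_factor(result: CasResult) -> bool:
    """True only when the optional authenticationMethod attribute is present and says 2Factor.
    An application that requires two-factor must treat an absent attribute as not satisfied."""
    return result.success and result.attributes.get("authenticationMethod") == "2Factor"

# Constructed sample responses (UIN and failure code are placeholders, not real values).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>netid</cas:user>
    <cas:attributes>
      <cas:tamuEduPersonUIN>000000000</cas:tamuEduPersonUIN>
      <cas:tamuEduPersonNetID>netid</cas:tamuEduPersonNetID>
      <cas:authenticationMethod>2Factor</cas:authenticationMethod>
    </cas:attributes>
  </cas:authenticationSuccess></cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```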
Session Life
Once a Subject has authenticated, the session is valid for 6 hours. A Subject can also end a session by closing all instances of the browser or requesting a logout.