Protected web servers at FIT are accessed through central authentication (single sign-on) provided by the FIT Central Authentication Server (CAS). The username is the FIT login and the password is the user's Unix password (i.e. the same password used for email and the information system).
Sign-on
Access to protected web pages is possible in two ways:
- Directly from the protected web (e.g. web email). If the user is not yet authenticated, the browser is redirected to the CAS authentication page; after successful authentication it is redirected back to the original web page.
- From the CAS authentication page. In this case the authenticated user is offered a list of all available protected webs and may continue to any of them.
Whichever way is used, once a user is authenticated the authentication is valid for all protected web pages. For example, if a user goes to web email first, the authentication is also valid for the video servers, with no need to authenticate again.
Logout
Central authentication grants access to several protected sources at once, so to prevent unauthorized access it is important to log out properly at the end of work. Every protected web server offers a logout from CAS, which in turn is valid for all protected pages. The same result may be achieved by closing all windows of the browser, but take care to check that really all windows were closed: as long as one window remains open, the session (and with it access to every protected web) stays alive. You may check whether logout was successful by visiting the CAS authentication page: if logout succeeded, the login page is shown; otherwise the logout page is shown.
Security concerns
Using CAS is far more secure than having each web server authenticate users with the password itself. The password is sent only once, and only to the CAS authentication page. The CAS server is a protected machine: no users are given access to it, and the communication with it is encrypted. The password is used only to verify the user's identity and is discarded afterwards; the protected web pages receive just the login of the authenticated user. A protected web therefore cannot leak the user's password, even if there is a security flaw in the web server code or a forged page on a server to which ordinary users are granted access. Note that what CAS protects in this way is the password; the session cookie that the browser presents to protected webs (see below) is still a credential, which is why logging out matters.
Under the hood
Once the user's identity is verified, CAS generates a random session cookie, which is sent to the browser in the redirect back to the original (protected) web page. The browser sends this cookie to the protected web, which in turn verifies its validity with CAS. The cookie contains no sensitive information, and its validity is limited both to the lifetime of the browser process and to 24 hours. If the cookie expires while the CAS authentication remains valid, a new cookie is generated transparently. When the browser is closed, the session cookie is discarded and the CAS authentication is terminated. Each web server re-verifies the validity of the cookies it holds once a minute, so when a user logs out at the central authentication page all authentications become void within one minute. More details may be found at http://weblogin.org/.
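The following is an added example, written for this page, that models the flow described in the "Security concerns" and "Under the hood" sections; it is not the FIT CAS implementation nor the weblogin.org code. It simulates the central server and two protected webs in one process instead of over HTTP, stores passwords as salted PBKDF2 hashes, and uses made-up logins, passwords and service URLs. The "cookie" is the random opaque ticket carried in the redirect URL; the protected webs never see the password, only the login returned by the central server, and they re-check each ticket at most once a minute, so a central logout takes up to a minute to reach them.

```python
"""Toy model of central authentication with a random session ticket.

Constructed example for this page; logins, passwords and URLs are made up
and the three parties run in-process rather than over HTTPS.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TICKET_LIFETIME = 24 * 3600   # ticket is valid for at most 24 hours
RECHECK_INTERVAL = 60         # each protected web re-verifies tickets every minute


class Clock:
    """Controllable clock so the example can fast-forward through expiry."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds


class CentralAuthServer:
    """The only component that ever sees a password (assumed storage: salted PBKDF2)."""
    def __init__(self, clock):
        self._clock = clock
        self._users = {}      # login -> (salt, pbkdf2 hash)
        self._sessions = {}   # opaque ticket -> (login, issued_at)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, login, password):
        salt = secrets.token_bytes(16)
        self._users[login] = (salt, self._hash(password, salt))

    def login(self, login, password, service_url):
        """Verify the password; on success return the redirect URL carrying a
        fresh random ticket. The password is discarded and never forwarded."""
        rec = self._users.get(login)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        ticket = secrets.token_urlsafe(32)      # random, carries no user data
        self._sessions[ticket] = (login, self._clock.now)
        return service_url + "?" + urlencode({"ticket": ticket})

    def validate(self, ticket):
        """Called by protected webs: return the login for a live ticket, else None."""
        entry = self._sessions.get(ticket)
        if entry is None:
            return None
        login, issued = entry
        if self._clock.now - issued > TICKET_LIFETIME:
            del self._sessions[ticket]
            return None
        return login

    def logout(self, ticket):
        """Central logout: drop the session so every web's next re-check fails."""
        self._sessions.pop(ticket, None)


class ProtectedWeb:
    """A protected web server; it learns only the login, never the password."""
    def __init__(self, cas, clock):
        self._cas = cas
        self._clock = clock
        self._checked = {}    # ticket -> (login, last_verified_at)

    def request(self, ticket):
        """Return the login the request runs as, or None (the browser would then
        be redirected to the CAS login page)."""
        now = self._clock.now
        hit = self._checked.get(ticket)
        if hit is not None and now - hit[1] < RECHECK_INTERVAL:
            return hit[0]                       # verified less than a minute ago
        login = self._cas.validate(ticket)      # ask the central server again
        if login is None:
            self._checked.pop(ticket, None)
            return None
        self._checked[ticket] = (login, now)
        return login


def ticket_from_redirect(url):
    """Extract the ticket the browser would carry to the protected web."""
    return parse_qs(urlparse(url).query)["ticket"][0]


def demo():
    """Walk through sign-on, single sign-on to a second web, logout and expiry."""
    clock = Clock()
    cas = CentralAuthServer(clock)
    cas.register("xnovak00", "correct horse battery staple")   # made-up user
    mail, video = ProtectedWeb(cas, clock), ProtectedWeb(cas, clock)

    results = {}
    results["bad_password"] = cas.login("xnovak00", "wrong", "https://mail.example/") is None
    ticket = ticket_from_redirect(
        cas.login("xnovak00", "correct horse battery staple", "https://mail.example/"))
    results["mail_login"] = mail.request(ticket)
    results["video_login"] = video.request(ticket)         # same ticket, second web
    cas.logout(ticket)
    results["right_after_logout"] = mail.request(ticket)   # still cached for < 1 minute
    clock.advance(RECHECK_INTERVAL)
    results["minute_after_logout"] = mail.request(ticket)  # re-check now fails
    ticket2 = ticket_from_redirect(
        cas.login("xnovak00", "correct horse battery staple", "https://video.example/"))
    clock.advance(TICKET_LIFETIME + 1)
    results["after_24h"] = video.request(ticket2)          # expired without logout
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file prints one line per step: the wrong password is rejected, the same ticket is accepted by both webs, the web still accepts it immediately after logout because its last check is under a minute old, rejects it once the minute has passed, and rejects a 24-hour-old ticket outright. The one-minute window is the trade-off the page describes: re-checking with the central server on every request would remove it at the cost of one extra round trip per request.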
Comments on this page may be sent to lampa@fit.vutbr.cz