[EMAIL]Web server single sign-on

To access protected web servers at FIT the central authentication (or single sign-on) is used at Central Authentication Server (CAS) FIT. Username is FIT login and password is user's Unix password (i.e. the password used to access email and inforamtion system).

Sign-on

Access to protected web pages is possible in two ways:
  • Directly from the protected wewb (e.g. web email). User is redirected to CAS authentication page if not authenticated yet. After successful authentication the browser is redirected back to original web page.
  • From CAS authentication page. In this case when authenticated user is offered a list of all available protected webs and may continue to any one of them.
Regardless of the way once a user is authenticated, this is valid for all protected web pages. Let's say if user goes to web email first then the authentication is valid for video servers with no need of authenticating again.

Logout

Central authentication permits access to several protected sources. To prevent unauthorized access special care is needed to log out properely at the end of work. All authenticated web server offer logout from CAS which in turn is valid for all protected pages. The same result may be achieved by closing all windows of a browser but special care is needed to check if really all widnows were closed. You may check whether logout was successfull by accessing CAS authentication page. If logout was successful the logon page is shown, logoff page is shown otherwise.

Security concerns

Using CAS is far more secure compared to standard web page authentication. The password is sent once, to CAS authenticaion page only. The CAS server is protected, no users are provided access to it, communication is encrypted. The password is used just to verify authentication and it is discarded after that. The protected web pages receive just login of authenticated user. This way the protected webs cannot revel user's password even if there is security flaw in the web server code or there is any forged page on a server where common users are granted any access.

Under the hood

Once user's identity is verified CAS generates a random session cookie which is sent to borwser in redirection request to original (protected) web page. The browser sends this cookie to protected web which in turn verifies it's validity. The cookie contains no sensitive information and it's validity is limited both to the end of browser run and to 24 hours. If the cookie expires while CAS authentication remains valid a new cookie is generated transparently. When the browser is closed session cookie is discarded and CAS authentication is terminated. Each web server verifies validity of the cookies each minute. When users logs out at central authentication page all the authentications become void within one minute. More details may be found at http://cosign.sourceforge.net/.

Back to Important information and guides

Your IPv4 address: 54.162.239.233
Switch to IPv6 connection

DNSSEC [dnssec]