WebISO: Web Application Agent (WAA) Questionnaire

Central Authentication Service (CAS)
Yale University
http://www.yale.edu/tp/auth/
September 24, 2002

> 1. Web Application Agent - Model & Capabilities
>
> 1.1 Which high-level integration model(s) does your WAA support?

[x] Server module
    [x] Apache 1.3
    [x] Apache 2.0
    [x] Java Servlet
    [ ] Microsoft ISAPI
    [ ] Other
[x] Developer's API
    [x] C/C++
    [x] Java/JSP
    [x] Perl
    [x] Python
    [x] Other

> 1.2 If applicable, describe the method(s) your WebISO solution provides
> for the WAA to handle N-tier (proxied, delegated) authentication:

During authentication, applications may acquire a reusable "proxy-granting
ticket," keyed to the user. Applications contact CAS with this ticket and
acquire a "proxy ticket," which is then sent to a back-end application. The
application validates this ticket with CAS, which informs the back-end
application of the middle-tier application that engaged the proxy operation,
giving the back-end application the opportunity to decide whether or not it
trusts the proxy operation.

> 2. Web Application Agent - Authentication Interface
>
> 2.1 Describe the method(s) your WAA provides to Web applications to
> initiate authentication:

Web applications must redirect users to CAS.

> 2.2 Describe any options your WAA provides to Web applications to
> influence the authentication process:

The application may direct CAS to:

- require reauthentication (i.e., avoid single sign-on)
- avoid prompting the user (simply redirecting back if the user hasn't
  already logged in)
- use a default username supplied by the application (e.g., if it already
  has an idea who the user is)

> 3. Web Application Agent - Authentication Delivery
>
> 3.1 Describe the method(s) your WAA provides to Web applications to
> receive authentication information:

CAS redirects users to the application, passing an opaque "ticket" as a
query-string parameter in the URL. The application makes an HTTPS request to
CAS to validate this ticket and retrieve the username associated with it.

> 3.2 Describe the authentication information delivered by your WAA to Web
> applications (e.g. REMOTE_USER):

(Perhaps I'm misunderstanding the term WAA.) Our Apache module exposes the
standard CGI environment variable; the APIs provide the username as the
result of specific method or function calls.

> 4. Messaging
>
> 4.1 Describe the message format used between your WAA and weblogin
> service to request and receive authentication information:

CAS provides two alternatives: a trivial text-based protocol and an
XML-based response (definable through a schema).

> 4.2 Describe the protocol used by the WAA to send the user from the Web
> application to the weblogin service and back again (e.g. SAML POST
> Profile):

Unless I'm misunderstanding the question, CAS uses a simple HTTP redirect
("Location" header).

Shawn Bayern
ITS Technology and Planning
Yale University
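The exchanges the answers above describe (redirect to CAS with the reauthentication and no-prompt options in 2.1/2.2/4.2, the ticket on the query string and its validation in 3.1, the text and XML replies in 4.1, and the proxy-granting ticket / proxy ticket / proxy chain of 1.2) modelled end to end in one Python program. This is an added example written for this page, not Yale's CAS code and not part of the questionnaire. Everything the answers do not spell out is assumed here: the endpoint names (/login, /validate, /serviceValidate, /proxy, /proxyValidate), the parameter names (service, ticket, renew, gateway, pgtUrl), the exact text reply ("yes", newline, username, newline; or "no" and two newlines), the cas:-namespaced XML reply, the CAS and application URLs, the SSO session and the user "alice". The three checks the model enforces (a ticket is single-use, is bound to the service it was issued for, and a proxy ticket is rejected at the plain validation endpoint) are this model's own; the back end's trust decision at the end is the one the answer to 1.2 leaves to the back-end application.

```python
# In-memory model of the CAS exchanges in 1.2, 2, 3 and 4 above.  Added example, not
# Yale's CAS code.  Assumed, because the page does not state them: the endpoint names
# (/login, /validate, /serviceValidate, /proxy, /proxyValidate), the parameter names
# (service, ticket, renew, gateway, pgtUrl), the "yes\n<user>\n" / "no\n\n" text reply,
# the cas:-namespaced XML reply and every URL.  A real CAS does all of this over HTTPS.
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

CAS_NS, CAS_URL = "http://www.yale.edu/tp/cas", "https://secure.its.yale.edu/cas"
ET.register_namespace("cas", CAS_NS)

def tag(name):                          # Clark-notation tag in the cas: namespace
    return f"{{{CAS_NS}}}{name}"

def login_redirect(service, renew=False, gateway=False):
    """Location header an application sends to start authentication (2.1, 2.2, 4.2)."""
    flags = {"renew": renew, "gateway": gateway}   # renew: reauthenticate; gateway: never prompt
    params = {"service": service, **{k: "true" for k, v in flags.items() if v}}
    return f"{CAS_URL}/login?{urlencode(params)}"

def ticket_from_callback(url):          # opaque ticket CAS appended to the app URL (3.1)
    return parse_qs(urlparse(url).query).get("ticket", [None])[0]

def parse_text_reply(body):
    """Text protocol (4.1): 'yes\\n<user>\\n' on success, 'no\\n\\n' otherwise."""
    lines = body.split("\n")
    return lines[1] if lines[0] == "yes" and len(lines) > 1 and lines[1] else None

def parse_xml_reply(body):
    """XML protocol (4.1): (user, proxy chain) on success, (None, []) on failure."""
    ok = ET.fromstring(body).find(tag("authenticationSuccess"))
    if ok is None:
        return None, []
    return ok.findtext(tag("user")), [p.text for p in ok.iterfind(f"{tag('proxies')}/{tag('proxy')}")]

class CasServer:                        # stand-in for the CAS server's ticket registry
    def __init__(self):
        self.tickets, self.pgts, self.sessions = {}, {}, {}   # ST/PT, PGT, SSO cookie -> user

    def _issue(self, user, service, chain):
        ticket = ("PT-" if chain else "ST-") + secrets.token_urlsafe(16)
        self.tickets[ticket] = (user, service, chain)
        return ticket

    def login(self, service, cookie=None, form_user=None, renew=False, gateway=False):
        """URL /login redirects to, or None where it would show the login form instead."""
        user = None if renew else self.sessions.get(cookie)   # renew ignores the SSO session
        if user is None and form_user is None:
            return service if gateway else None               # gateway: bounce back, no ticket
        return f"{service}?{urlencode({'ticket': self._issue(user or form_user, service, [])})}"

    def _consume(self, ticket, service, accept_proxy):        # single-use, bound to one service
        entry = self.tickets.pop(ticket, None)
        bad = entry is None or entry[1] != service or (entry[2] and not accept_proxy)
        return None if bad else entry

    def validate(self, ticket, service):
        entry = self._consume(ticket, service, accept_proxy=False)
        return f"yes\n{entry[0]}\n" if entry else "no\n\n"

    def service_validate(self, ticket, service, pgt_url=None, accept_proxy=False):
        """XML validation (/proxyValidate when accept_proxy); returns (body, PGT or None)."""
        entry = self._consume(ticket, service, accept_proxy)
        root, pgt = ET.Element(tag("serviceResponse")), None
        if entry is None:
            ET.SubElement(root, tag("authenticationFailure"), code="INVALID_TICKET")
        else:
            user, _, chain = entry
            ok = ET.SubElement(root, tag("authenticationSuccess"))
            ET.SubElement(ok, tag("user")).text = user
            proxies = ET.SubElement(ok, tag("proxies")) if chain else None
            for hop in chain:                                 # tell the back end who proxied (1.2)
                ET.SubElement(proxies, tag("proxy")).text = hop
            if pgt_url:                                       # caller asked to be able to proxy
                pgt = "PGT-" + secrets.token_urlsafe(16)
                self.pgts[pgt] = (user, [service] + chain)
        return ET.tostring(root, encoding="unicode"), pgt

    def proxy(self, pgt, target_service):                     # /proxy: mint a PT for the back end
        user, chain = self.pgts[pgt]
        return self._issue(user, target_service, chain)

def run_exchange():
    cas = CasServer()
    cas.sessions["sso-cookie"] = "alice"                      # constructed SSO session
    app, backend = "https://app.example.edu/", "https://api.example.edu/"
    def fresh():                                              # SSO login -> service ticket
        return ticket_from_callback(cas.login(app, cookie="sso-cookie"))
    out = {"redirect": login_redirect(app, renew=True)}
    out["gateway_ticket"] = ticket_from_callback(cas.login(app, gateway=True))  # no session
    out["renew_shows_form"] = cas.login(app, cookie="sso-cookie", renew=True) is None
    out["text_user"] = parse_text_reply(cas.validate(st := fresh(), app))
    out["replayed"] = parse_text_reply(cas.validate(st, app))           # same ticket again
    out["wrong_service"] = parse_text_reply(cas.validate(fresh(), backend))  # minted for app
    xml, pgt = cas.service_validate(fresh(), app, pgt_url=app + "pgtCallback")
    out["xml_user"] = parse_xml_reply(xml)[0]
    pt_xml, _ = cas.service_validate(cas.proxy(pgt, backend), backend)  # PT at /serviceValidate
    out["pt_at_service_validate"] = parse_xml_reply(pt_xml)[0]
    pt_xml, _ = cas.service_validate(cas.proxy(pgt, backend), backend, accept_proxy=True)
    out["proxy_user"], out["proxy_chain"] = parse_xml_reply(pt_xml)
    out["backend_trusts"] = set(out["proxy_chain"]) <= {app}            # back end's own policy
    return out
```

Running `run_exchange()` walks the whole flow once: the gateway request with no SSO session comes back with no ticket, the renew request ignores the session and would show the login form, the first text validation yields "alice", replaying the same ticket or presenting it under the back end's URL yields nothing, the proxy ticket is refused at the plain validation endpoint but accepted at the proxy endpoint together with the chain `["https://app.example.edu/"]`, and the last line is the point at which the back end applies its own rule about which middle tiers it is willing to trust.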