Contents

...

  1. Will authentication include the release of attributes to your application?
    1. If yes, UH Data Governance guidelines apply. You must submit a separate request for each unique application. This means you cannot register a single URL and host multiple applications under it.
  2. Is your application hosted on a non-UH server?
    1. If yes, your request may be subject to the UH Data Sharing Request process. Please send an inquiry to datagov@hawaii.edu or call 956-7487.

Register Your Application URL

...

Note: FERPA laws may apply!

Information about students must be handled carefully and in accordance with University of Hawaiʻi data governance policies. FERPA laws constrain what may be published about students. Please check with your Admissions and Records Office for details.

Logging Out (SLO): logout

Web applications that log in a user must manage their own session state and should let the user log out of that session. Without the logout service provided by CAS, a user who returns to the web application's Service URL will be logged back in automatically, because the client still holds the ticket-granting cookie issued by CAS. This is a single sign-on feature across web applications that use UH Login. There are two basic ways to "log out": log out of the application and of UH Login single sign-on, or log out of the application and force re-authentication to UH Login.

cas/logout destroys a client's single sign-on CAS session. The ticket-granting cookie is destroyed, and subsequent requests to /logout will not obtain service tickets until the user again presents primary credentials (and thereby establishes a new single sign-on session).

Note: CAS /logout will affect applications other than your own!

Use of /logout may affect any other application that is also using the CAS Single Sign-On (SSO) session. Other applications may share the same CAS SSO session that /logout terminates, and their SSO session will likewise be terminated when the ticket-granting cookie is destroyed.

Please refer to the CAS reference documentation for a more extensive discussion of this issue.

Parameters
  • service (OPTIONAL)
    • the identifier of the service to redirect to after logging out
    • the service parameter must also be a registered service URL
  • url (DISABLED)

    Note: Although Apereo's CAS protocol documentation describes the use of the url parameter, the Apereo developers have disabled it in recent versions of CAS to prevent potential abuse. Their explanation of the situation may be found in this thread from the cas-users mailing list. The url parameter defined in the former CAS 2.0 specification is no longer a valid parameter in CAS 3.0. CAS Servers MUST ignore given url parameters.


Examples
  • To log out a user and prevent her from automatically logging back into a Web application, the Web application can forward the user to the Logout URL of UH Login. That URL will destroy the ticket-granting cookie that enables the single sign-on feature and give the user a page informing them that they have logged out of UH Login.

    https://$WEBLOGIN-HOST/cas/logout

  • To log out a user and prevent her from automatically logging back into a Web application, the Web application can forward the user to the Logout URL of UH Login. That URL will destroy the ticket-granting cookie that enables the single sign-on feature and redirect the user to the URL identified by the service parameter.

    https://$WEBLOGIN-HOST/cas/logout?service=https://myserver/myapp

    Info: The URL provided by the service parameter must be registered to use UH Login.
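
As an added example (not part of the original UH Login documentation), the two logout redirects above can be built in an application's logout handler as follows. The host `weblogin.example.edu`, the names `is_registered`, `cas_logout_url` and `logout`, and the rule that paths beneath the registered URL count as registered are assumptions.

```python
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Placeholders (assumptions): use your UH Login host and the service URL
# from your own registration request.
CAS_BASE = "https://weblogin.example.edu/cas"
REGISTERED_SERVICE = "https://myserver/myapp"


def is_registered(candidate: str, registered: str = REGISTERED_SERVICE) -> bool:
    """True if candidate is the registered HTTPS URL or a path beneath it."""
    c, r = urlsplit(candidate), urlsplit(registered)
    if c.scheme != "https" or c.netloc.lower() != r.netloc.lower():
        return False
    if ".." in c.path.split("/"):  # no climbing out of the registered path
        return False
    base = r.path.rstrip("/")
    return c.path == base or c.path.startswith(base + "/")


def cas_logout_url(return_to: Optional[str] = None) -> str:
    """Return the UH Login logout URL, with service only when it is allowed.

    An unregistered return_to is dropped, so the user still logs out and
    lands on the UH Login "logged out" page.
    """
    logout_url = CAS_BASE + "/logout"
    if return_to is None or not is_registered(return_to):
        return logout_url
    # urlencode percent-encodes the nested URL, so its own query string
    # cannot be parsed as extra parameters to /logout. The disabled `url`
    # parameter is never sent.
    return logout_url + "?" + urlencode({"service": return_to})


def logout(session: dict, return_to: Optional[str] = None) -> str:
    """Clear the application's own session, then return the redirect target."""
    session.clear()
    return cas_logout_url(return_to)
```

The application clears its own session before redirecting, because /logout only ends the CAS single sign-on session and the application's session state is its own responsibility.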


...

Application Not Authorized to Use UH Login

Problem:

Your application cannot successfully authenticate against CAS.

Example error message:

The application you attempted to authenticate to is not authorized to use UH Login.


Solutions:

  1. If you have requested attributes, make sure you are using https.
  2. Check that the URL matches the URL specified in your original CAS URL registration request.


...