Technical Requirements and Information
Texas A&M CAS Version
The CAS 3.0 protocol is supported by Texas A&M's CAS service.
Texas A&M CAS Server
| Production Server | cas.tamu.edu |
|---|---|
| Login URL | https://cas.tamu.edu/cas/login |
| Validation URLs | https://cas.tamu.edu/cas/validate, https://cas.tamu.edu/cas/serviceValidate, https://cas.tamu.edu/cas/p3/serviceValidate |
| Logout URL | https://cas.tamu.edu/cas/logout |

| Development Server | cas-dev.tamu.edu |
|---|---|
| Login URL | https://cas-dev.tamu.edu/cas/login |
| Validation URLs | https://cas-dev.tamu.edu/cas/validate, https://cas-dev.tamu.edu/cas/serviceValidate, https://cas-dev.tamu.edu/cas/p3/serviceValidate |
| Logout URL | https://cas-dev.tamu.edu/cas/logout |
CAS Payload
CAS returns user information in either plain text or XML. To receive the payload in plain text, your application should call the .../validate server validation URL. To receive the payload in XML, your application should call the .../serviceValidate server validation URL. Although there are two different .../serviceValidate server validation URLs (one for CAS 2.0 and one for CAS 3.0), they return exactly the same payload. CAS 2.0 already had the <cas:attributes> element for returning additional elements in the payload, but it was not formally documented in the CAS protocol until the CAS 3.0 protocol was published.
Payload Content
CAS allows the payload to be customized. Texas A&M's CAS deployment uses this feature to return both the user's UIN and NetID. No other customizations have been made to the payload, so that third-party CAS-enabled applications do not require modifications to work with Texas A&M's CAS implementation. An optional attribute that can be added to the CAS payload is authenticationMethod. This attribute returns one of two values:
- Password: the user completed one-factor authentication
- 2Factor: the user completed two-factor authentication
Payload Format
XML payload (the .../serviceValidate response)
Successful Validation
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>netid</cas:user>
<cas:attributes>
<cas:tamuEduPersonUIN>#########</cas:tamuEduPersonUIN>
<cas:tamuEduPersonNetID>netid</cas:tamuEduPersonNetID>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
Failed Validation
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code="...">
Optional authentication failure message
</cas:authenticationFailure>
</cas:serviceResponse>
Successful Validation With Single-Factor
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>netid</cas:user>
<cas:attributes>
<cas:tamuEduPersonUIN>#########</cas:tamuEduPersonUIN>
<cas:tamuEduPersonNetID>netid</cas:tamuEduPersonNetID>
<cas:authenticationMethod>Password</cas:authenticationMethod>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
Successful Validation With Two-Factor
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>netid</cas:user>
<cas:attributes>
<cas:tamuEduPersonUIN>#########</cas:tamuEduPersonUIN>
<cas:tamuEduPersonNetID>netid</cas:tamuEduPersonNetID>
<cas:authenticationMethod>2Factor</cas:authenticationMethod>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
The calling application can also specify authn_method=mfa-duo in the login URL, and then check for authnContextClass with the value mfa-duo in the extended attributes.
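The following is an added example written for this page, not code from Texas A&M or from any CAS client library. It builds the login and p3/serviceValidate URLs from the endpoints listed above, parses the XML payload formats shown in the Payload Format section (including the tamuEduPersonUIN, tamuEduPersonNetID and authenticationMethod attributes), and checks both two-factor indicators the page describes: authenticationMethod equal to 2Factor, and authnContextClass equal to mfa-duo when the login was requested with authn_method=mfa-duo. The sample responses, the callback URL and the ticket value are constructed for illustration; the element form of authnContextClass inside <cas:attributes> is an assumption.

```python
"""Added example for this page: CAS login/validation URLs for cas.tamu.edu and a
parser for the <cas:serviceResponse> payload. Not Texas A&M's code; samples are
constructed from the payload formats shown on the page."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, urlsplit
from urllib.request import urlopen
import xml.etree.ElementTree as ET

CAS_BASE = "https://cas.tamu.edu/cas"  # use https://cas-dev.tamu.edu/cas for the development server
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace declared on <cas:serviceResponse>


class CasError(ValueError):
    """Raised when a response is not a well-formed CAS serviceResponse."""


def login_url(service: str, require_mfa: bool = False) -> str:
    """URL to redirect the browser to. `service` must be the exact registered https
    callback that the ticket is later validated against; authn_method=mfa-duo asks
    CAS to perform Duo two-factor authentication."""
    if urlsplit(service).scheme != "https":
        raise CasError("CAS service URLs must use https")  # registry requirement on this page
    params = {"service": service}
    if require_mfa:
        params["authn_method"] = "mfa-duo"
    return f"{CAS_BASE}/login?{urlencode(params)}"


def validate_url(service: str, ticket: str) -> str:
    """p3/serviceValidate returns the XML payload including <cas:attributes>.
    The same service value used at login must be sent back here."""
    return f"{CAS_BASE}/p3/serviceValidate?{urlencode({'service': service, 'ticket': ticket})}"


@dataclass
class CasResult:
    ok: bool
    user: Optional[str] = None
    uin: Optional[str] = None            # cas:tamuEduPersonUIN
    netid: Optional[str] = None          # cas:tamuEduPersonNetID
    auth_method: Optional[str] = None    # cas:authenticationMethod: "Password" or "2Factor"
    authn_context: Optional[str] = None  # cas:authnContextClass: "mfa-duo" (assumed element form)
    failure_code: Optional[str] = None
    failure_message: Optional[str] = None


def parse_service_response(xml_text: str) -> CasResult:
    """Parse a <cas:serviceResponse>. It is untrusted network input: accept exactly
    one authenticationSuccess or one authenticationFailure and nothing else."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        raise CasError("not a CAS serviceResponse")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return CasResult(ok=False, failure_code=failure.get("code"),
                         failure_message=(failure.text or "").strip())
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise CasError("serviceResponse carries neither success nor failure")
    user = (success.findtext("cas:user", default="", namespaces=CAS_NS) or "").strip()
    if not user:
        raise CasError("authenticationSuccess without a <cas:user>")
    attrs = success.find("cas:attributes", CAS_NS)

    def attr(name: str) -> Optional[str]:
        value = None if attrs is None else attrs.findtext("cas:" + name, namespaces=CAS_NS)
        return value.strip() if value is not None else None

    return CasResult(ok=True, user=user, uin=attr("tamuEduPersonUIN"),
                     netid=attr("tamuEduPersonNetID"), auth_method=attr("authenticationMethod"),
                     authn_context=attr("authnContextClass"))


def used_two_factor(result: CasResult) -> bool:
    """Enforce MFA on the validated payload instead of trusting that the login
    redirect asked for it."""
    return result.ok and (result.auth_method == "2Factor" or result.authn_context == "mfa-duo")


def validate_ticket(service: str, ticket: str) -> CasResult:
    """Live validation against CAS (network call; not exercised offline)."""
    with urlopen(validate_url(service, ticket), timeout=10) as resp:
        return parse_service_response(resp.read().decode("utf-8"))


# Constructed sample payloads following the formats shown on this page.
SAMPLE_TWO_FACTOR = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>netid</cas:user>
<cas:attributes>
<cas:tamuEduPersonUIN>#########</cas:tamuEduPersonUIN>
<cas:tamuEduPersonNetID>netid</cas:tamuEduPersonNetID>
<cas:authenticationMethod>2Factor</cas:authenticationMethod>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code="INVALID_TICKET">
Ticket ST-constructed-example not recognized
</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_url("https://localhost:8443/cas-callback", require_mfa=True))
    print(parse_service_response(SAMPLE_TWO_FACTOR))
    print(parse_service_response(SAMPLE_FAILURE))
```

The service value is sent twice, once in the login redirect and once to p3/serviceValidate, and CAS only accepts the ticket when both match the registered https URL, which is why the example keeps the https check in one place and reuses the same string for both URLs. Because the application, not CAS, decides what a validated payload entitles the user to, the two-factor check is applied to the parsed attributes rather than inferred from having requested authn_method=mfa-duo.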
Session Life
Once a Subject has authenticated, the session is valid for 6 hours. A Subject can also end a session by closing all instances of the browser or by requesting a logout.
Testing
Test your application with CAS by using the development URLs listed above. Separate requests must be made to register an application in the CAS development service registry and CAS production service registry. As an alternative to registering an application URL for testing with CAS, developers may use either of the following URLs:
- https://localhost
- https://localhost:8443
Registering Applications
CAS utilizes a service registry. Your application must be registered with CAS or CAS will not respond to any requests made by the application.
CAS authentication is considered a legacy protocol and should not be used for new production systems and services. If your system is constrained and can only support CAS (and not OIDC or SAML), reach out to identity@tamu.edu for assistance.
To register your application, send an email with the following information to identity@tamu.edu:
- Protocol: https is required.
- Application URL
- Application Type: Production or Development
- Technical contact name and email address (The technical contact must be an active staff employee of Texas A&M.)