Technical Requirements and Information

Texas A&M CAS Version

The CAS 3.0 protocol is supported by Texas A&M's CAS service.

Texas A&M CAS Server

Production Server: cas.tamu.edu
Login URL: https://cas.tamu.edu/cas/login
Validation URLs:
  • https://cas.tamu.edu/cas/validate
  • https://cas.tamu.edu/cas/serviceValidate
  • https://cas.tamu.edu/cas/p3/serviceValidate
Logout URL: https://cas.tamu.edu/cas/logout

Development Server: cas-dev.tamu.edu
Login URL: https://cas-dev.tamu.edu/cas/login
Validation URLs:
  • https://cas-dev.tamu.edu/cas/validate
  • https://cas-dev.tamu.edu/cas/serviceValidate
  • https://cas-dev.tamu.edu/cas/p3/serviceValidate
Logout URL: https://cas-dev.tamu.edu/cas/logout

CAS Payload

CAS returns user information in either plain text or XML. To receive the payload in plain text, your application should call the .../validate server validation URL. To receive the payload in XML, your application should call the .../serviceValidate server validation URL. Although there are two different .../serviceValidate server validation URLs, one for CAS 2.0 and one for CAS 3.0, they return the exact same payload. The <cas:attributes> element was already available in CAS 2.0 to return additional elements in the payload, but it was not formally documented in the CAS protocol until the CAS 3.0 protocol was published.

Payload Content

CAS allows the payload to be customized. Texas A&M's CAS deployment takes advantage of this feature to return both the user's UIN and NetID. No other customizations have been made to the payload, so that third-party CAS-enabled applications do not require modifications to work with Texas A&M's CAS implementation.

An optional attribute that can be added to the CAS payload is authenticationMethod. This attribute will return one of two values:

  • Password: the user completed one-factor authentication
  • 2Factor: the user completed two-factor authentication

Payload Format

XML payload (the .../serviceValidate response)

Successful Validation

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
	<cas:authenticationSuccess>
		<cas:user>netid</cas:user>
		<cas:attributes>
			<cas:tamuEduPersonUIN>#########</cas:tamuEduPersonUIN>
			<cas:tamuEduPersonNetID>netid</cas:tamuEduPersonNetID>
		</cas:attributes>
	</cas:authenticationSuccess>
</cas:serviceResponse>  

Failed Validation

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
	<cas:authenticationFailure code="...">
	       Optional authentication failure message     
	</cas:authenticationFailure>
</cas:serviceResponse>    

Successful Validation With Single-Factor

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
	<cas:authenticationSuccess>
		<cas:user>netid</cas:user>
		<cas:attributes>
			<cas:tamuEduPersonUIN>#########</cas:tamuEduPersonUIN>
			<cas:tamuEduPersonNetID>netid</cas:tamuEduPersonNetID>
			<cas:authenticationMethod>Password</cas:authenticationMethod>
		</cas:attributes>
	</cas:authenticationSuccess>
</cas:serviceResponse>

Successful Validation With Two-Factor

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
	<cas:authenticationSuccess>
		<cas:user>netid</cas:user>
		<cas:attributes>
			<cas:tamuEduPersonUIN>#########</cas:tamuEduPersonUIN>
			<cas:tamuEduPersonNetID>netid</cas:tamuEduPersonNetID>
			<cas:authenticationMethod>2Factor</cas:authenticationMethod>
		</cas:attributes>
	</cas:authenticationSuccess>
</cas:serviceResponse>  

The calling application can also specify authn_method=mfa-duo in the login URL, and then check for authnContextClass with the value mfa-duo in the extended attributes.
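
One way for a calling application to consume the .../serviceValidate payloads shown above and refuse a session unless the response proves two-factor authentication. This is an added example, not code from Texas A&M; the names parse_service_validate, CasValidationError and sample are hypothetical, and the sample response (including the UIN value) is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}

class CasValidationError(Exception):
    """The response does not prove the authentication the application needs."""

def parse_service_validate(xml_text, require_two_factor=False):
    """Return user, UIN, NetID and method from a serviceValidate body, or raise."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CasValidationError(f"malformed XML: {exc}") from exc
    if root.tag != "{%s}serviceResponse" % NS["cas"]:
        raise CasValidationError("unexpected root element")
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise CasValidationError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise CasValidationError("no authenticationSuccess element")

    def text(path):
        return (success.findtext(path, default="", namespaces=NS) or "").strip()

    result = {
        "user": text("cas:user"),
        "uin": text("cas:attributes/cas:tamuEduPersonUIN"),
        "netid": text("cas:attributes/cas:tamuEduPersonNetID"),
        "method": text("cas:attributes/cas:authenticationMethod"),
    }
    if not result["user"]:
        raise CasValidationError("empty cas:user")
    # Fail closed: authenticationMethod is optional, so a missing value is
    # treated the same as "Password" when two-factor is required.
    if require_two_factor and result["method"] != "2Factor":
        raise CasValidationError("two-factor authentication required")
    return result

def sample(method):
    """Constructed success response in the page's format (not captured output)."""
    return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
            "<cas:authenticationSuccess><cas:user>netid</cas:user><cas:attributes>"
            "<cas:tamuEduPersonUIN>000000000</cas:tamuEduPersonUIN>"
            "<cas:tamuEduPersonNetID>netid</cas:tamuEduPersonNetID>"
            f"<cas:authenticationMethod>{method}</cas:authenticationMethod>"
            "</cas:attributes></cas:authenticationSuccess></cas:serviceResponse>")

if __name__ == "__main__":
    print(parse_service_validate(sample("2Factor"), require_two_factor=True))
```

The application should create its local session only from the returned dictionary, and treat any CasValidationError as a failed login.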

Session Life

Once a Subject has authenticated, the session is valid for 6 hours. A Subject can also end a session by closing all instances of the browser or requesting a logout.

Testing

Test your application with CAS by using the development URLs listed above. Separate requests must be made to register an application in the CAS development service registry and CAS production service registry. As an alternative to registering an application URL for testing with CAS, developers may use either of the following URLs:

  • https://localhost
  • https://localhost:8443

Registering Applications

CAS utilizes a service registry. Your application must be registered with CAS or CAS will not respond to any requests made by the application.

Warning

CAS authentication is considered a legacy protocol and should not be used for new production systems & services. If your system is constrained and can only support CAS (and not OIDC or SAML), reach out to identity@tamu.edu for assistance.

To register your application, send an email with the following information to identity@tamu.edu:

  • Protocol: https is required.
  • Application URL
  • Application Type: Production or Development
  • Technical contact name and email address (The technical contact must be an active staff employee of Texas A&M.)