
Single Sign-On Protocol CAS, OAuth, OIDC, SAML

Before introducing the specific protocols, it is necessary to explain the difference between "Authentication" and "Authorization".

In short, when a user logs in to an application system, the system must first authenticate the user's identity and then authorize the user based on that identity. Authentication and authorization work together to let the user actually log in and use the application.

Central Authentication Service (CAS) is a common SSO protocol for browser/server (B/S) applications. As with any other SSO protocol, users log in once and do not need to log in again to access other applications.

As the name suggests, CAS is a service used only for authentication. Unlike OAuth/OIDC, it cannot be used as an authorization protocol.

The CAS protocol currently has three versions, CAS 1.0, CAS 2.0 and CAS 3.0, whose authentication flows are basically similar.

The CAS authentication process involves several participants:

The authentication process is roughly:

Note: CAS 1.0 is a very simple and crude protocol. In versions 2.0 and 3.0, the Service Ticket validation results are returned in XML format, and a proxy mode is introduced (not discussed in depth in this article).
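As an added example (not code from the original article or from any CAS implementation), the flow above simulated in Python: an in-memory stand-in for the CAS server issues a Service Ticket bound to one service URL, and the application validates it through either the CAS 1.0 plain-text endpoint or the CAS 2.0/3.0 XML endpoint. The class and function names, the ticket lifetime and the service URLs are constructed for the illustration; the two response formats follow the CAS protocol specification. The checks that matter on the server side (single use, service binding, expiry) and on the client side (fail closed on anything but an explicit success) are the ones a deployment should verify.

```python
import secrets
import time
import xml.etree.ElementTree as ET

# Namespace used by CAS 2.0/3.0 serviceValidate responses.
CAS_NS = "http://www.yale.edu/tp/cas"
ET.register_namespace("cas", CAS_NS)


class CasServer:
    """Minimal in-memory stand-in for the CAS server side (constructed for
    illustration; not a real CAS implementation)."""

    def __init__(self, ticket_ttl_seconds=300):
        # Service Tickets are short-lived; the spec recommends expiring them
        # within minutes, so a lifetime is enforced here (value is an assumption).
        self.ttl = ticket_ttl_seconds
        self._tickets = {}  # ST -> (user, service, issued_at)

    def issue_service_ticket(self, user, service):
        # Issued after the user has authenticated at /login?service=...;
        # the ticket is bound to the exact service URL it was requested for.
        st = "ST-" + secrets.token_urlsafe(24)
        self._tickets[st] = (user, service, time.time())
        return st

    def _consume(self, service, ticket):
        # A Service Ticket is single-use: pop it so a replayed ticket fails,
        # whether or not this validation attempt succeeds.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None, "INVALID_TICKET"
        user, bound_service, issued_at = entry
        if time.time() - issued_at > self.ttl:
            return None, "INVALID_TICKET"
        if bound_service != service:
            return None, "INVALID_SERVICE"
        return user, None

    def validate_v1(self, service, ticket):
        # CAS 1.0 /validate: plain text, "yes\n<user>\n" or "no\n\n".
        user, _ = self._consume(service, ticket)
        return f"yes\n{user}\n" if user else "no\n\n"

    def validate_v2(self, service, ticket):
        # CAS 2.0/3.0 /serviceValidate: XML cas:serviceResponse document.
        user, code = self._consume(service, ticket)
        root = ET.Element(f"{{{CAS_NS}}}serviceResponse")
        if user:
            ok = ET.SubElement(root, f"{{{CAS_NS}}}authenticationSuccess")
            ET.SubElement(ok, f"{{{CAS_NS}}}user").text = user
        else:
            fail = ET.SubElement(root, f"{{{CAS_NS}}}authenticationFailure", code=code)
            fail.text = f"Ticket {ticket} not recognized"
        return ET.tostring(root, encoding="unicode")


def parse_validation_response(body):
    """Application-side parsing of the CAS server's reply for both formats.
    Returns the authenticated username, or None if validation failed."""
    stripped = body.strip()
    if stripped.startswith("<"):
        # CAS 2.0/3.0 XML. The reply is untrusted input: fail closed on any
        # parse error and accept only an explicit authenticationSuccess/user.
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return None
        user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
        return user.text if user is not None and user.text else None
    # CAS 1.0 plain text: first line "yes" followed by the username.
    lines = stripped.split("\n")
    if len(lines) >= 2 and lines[0] == "yes" and lines[1]:
        return lines[1]
    return None


def demo():
    """Walk the flow once and return what the application learns at each step."""
    cas = CasServer()
    app = "https://app.example.test/cas-callback"  # constructed service URL
    results = {}
    # 1. User authenticates at CAS; CAS redirects back with ?ticket=ST-...
    st = cas.issue_service_ticket("alice", app)
    # 2. Application validates the ticket over the back channel (2.0 endpoint).
    results["first_use"] = parse_validation_response(cas.validate_v2(app, st))
    # 3. Replaying the same ticket is rejected (single-use).
    results["replay"] = parse_validation_response(cas.validate_v2(app, st))
    # 4. A ticket issued for one service cannot be validated by another.
    st2 = cas.issue_service_ticket("alice", app)
    other = "https://other.example.test/cb"  # constructed second service
    results["wrong_service"] = parse_validation_response(cas.validate_v2(other, st2))
    # 5. The CAS 1.0 plain-text reply goes through the same parser.
    st3 = cas.issue_service_ticket("bob", app)
    results["v1"] = parse_validation_response(cas.validate_v1(app, st3))
    # 6. An expired ticket is rejected (lifetime of zero forces expiry).
    short = CasServer(ticket_ttl_seconds=0)
    st4 = short.issue_service_ticket("carol", app)
    time.sleep(0.01)
    results["expired"] = parse_validation_response(short.validate_v2(app, st4))
    return results


if __name__ == "__main__":
    print(demo())
```

The application never trusts the `ticket` query parameter on its own; identity is established only by the back-channel validation call, and every failure path (unknown ticket, replay, wrong service, expiry, malformed XML) yields `None` so the session is not created.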

For the detailed standard definition of the CAS protocol, please refer to:

/specs/openid-connect-core-1_0.html

The above briefly introduces several mainstream SSO protocols. In essence they are similar: all are mechanisms built on a central point of trust, in which service providers and identity providers exchange user information on the basis of mutual trust. The protocols differ in the details of how that information is exchanged and in some of their concepts.

Finally, a simple comparison table is used to summarize the key contents of this article: