Classy CAS
Single sign-on server based on the CAS protocol and implemented in Sinatra.
- Single sign-on server
- CAS protocol compliant
- Implemented with Sinatra
- Uses Redis
- Pairs great with OmniAuth CAS client
- Supports any CAS protocol compliant client from any language, framework, or platform (PHP, .NET, Java)
On the client side, ClassyCAS pairs up nicely with OmniAuth and it’s CAS client implementation . However clients are not only limited to either RubyonRails or Sinatra apps, because the server is built on the CAS protocol any compliant client in any language or framework which adheres to the protocol is supported, thus ClassyCAS is also well to suited to environments where Single sign-on is desired but where the ecosystem of applications is heterogeneous in terms of platforms.
Demo on Heroku
Username is “test”, password is “password”.
Quick Start Demo
- Download and install Redis:“http://code.google.com/p/redis/”
(Feel free to also use homebrew if you’re on a mac)
curl -O http://redis.googlecode.com/files/redis-2.0.4.tar.gz tar xvzf redis-2.0.4.tar.gz cd redis-2.0.4 make sudo cp redis-server redis-cli redis-benchmark /usr/local/bin
- Install the first rails sign-on client example
git clone [email protected]:Econify/classy_cas_client_example.git first_client cd first_client bundle install
- Install a second rails sign-on client example
git clone [email protected]:Econify/classy_cas_client_example.git second_client cd second_client bundle install
- Open the second rails sign-on client in a text editor and navigate to config/config.yml, edit the file to look like this:
development: #first or second site_name: second other_site_url: http://0.0.0.0:3000
- Install ClassyCAS
git clone git://github.com/Econify/ClassyCAS.git bundle install
- Run it all together
In your current terminal tab, start Redis in the background:
redis-server
- Start the first client: open up a new tab, navigate to the first client app directory and start the app
ruby script/server
- Same thing for the second client but this time assign it to a different port
ruby script/server -p 3001
- Open up yet another terminal tab (you should have four open now) and start ClassyCAS:
shotgun config.ru
- Navigate to the first app in your browser
- Click on the login link, and you’ll be redirected to ClassyCAS
- Login successfully with any username and password
- You should be redirect back to the first site’s protected area and you’ll see a picture of a cow.
- From the first site you’ll see a link to take you to the other site, you won’t see it but you are actually redirected by the second site to ClassyCAS for authentication (which does it via a session cookie) and then sent back to the second site where you’ll see a picture of an eagle.
- Click to logout from either site, you’ll be taken back to ClassyCAS, navigate back to both and you should see that you are logged out from both.
User Authentication
ClassyCAS is designed to a provide a vehicle for Single sign-on to multiple client apps and doesn’t concern itself with the intricacies of authentication. In other words, it’s up to you to roll your own authentication. For authentication ClassyCAS makes a call to a class called UserStore which has one method authenticate. It’s up to you how you want to implement authenticate, included in the same folder is an example of authenticate implemented to hit a rails app remotely through REST and getting it’s authentication from that app (which in this example does it with Devise.) You can do it many ways and here are some ideas:
1) Remotely via REST to a devise app 2) Locally via Datamapper or Activerecord 3.0 class. 3) Key value pairs in a config file 4) Whatever you can think of.
Logout
The CAS protocol doesn’t really specify whether logging you out of one client should log you out of all clients but we thought that made the most sense and so we wrote that into ClassyCAS. Upon logging out a user is redirect to ClassyCAS which renders non-visible iframes that log the user out of all the apps. There are two things to be aware of to make this work for you:
- The iframes are located in the login template, views/login.erb.
- You’ll need to modify the url’s of the iframes in the template to GET the logout method of the client app.
- There is a config for the client apps in config/classy_cas.yml that let’s tell ClassyCAS which clients need to be logged out.
Client Callback
After a user successfully logs into ClassyCAS they are redirected back to the client. The url they are redirected to must be sent to ClassyCAS in the form of a parameter that is part of the initial login redirect to ClassyCAS.
For example:
http://127.0.0.1:9393/login?service=http://0.0.0.0:3000/auth/cas/callback
This url is for the client demo app example, it could very be the href for a login link tag. A Callback url is the service parameter in this case http://0.0.0.0:3000/auth/cas/callback, this callback url can be anything you want simply by change the service parameter on the initial call to ClassyCAS.
What’s There
- Sinatra based. Classy.
- Uses Redis to store tickets. Fast!
- Lots of tests. The whole protocol isn’t there yet, but this test is a good start on an executable spec for CAS 1.0/2.0.
What’s Missing
- Proxy authentication.