Classy CAS

Single sign-on server based on the CAS protocol and implemented in Sinatra.

On the client side, ClassyCAS pairs up nicely with OmniAuth and its CAS client implementation. Clients are not limited to Ruby on Rails or Sinatra apps, however: because the server is built on the CAS protocol, any compliant client in any language or framework is supported, so ClassyCAS is also well suited to environments where single sign-on is desired but the ecosystem of applications is heterogeneous in terms of platforms.

Demo on Heroku

Username is “test”, password is “password”.

Quick Start Demo

  1. Download and install Redis: http://code.google.com/p/redis/ (feel free to use Homebrew instead if you're on a Mac)
    
    	 curl -O http://redis.googlecode.com/files/redis-2.0.4.tar.gz
    	 tar xvzf redis-2.0.4.tar.gz
    	 cd redis-2.0.4
    	 make
    	 sudo cp redis-server redis-cli redis-benchmark /usr/local/bin
    
  2. Install the first rails sign-on client example
    
    	git clone git@github.com:Econify/classy_cas_client_example.git first_client
    	cd first_client
    	bundle install
    
  3. Install a second rails sign-on client example
    
    	git clone git@github.com:Econify/classy_cas_client_example.git second_client
    	cd second_client
    	bundle install
    
  4. Open the second rails sign-on client in a text editor, navigate to config/config.yml and edit the file to look like this (site_name tells the demo which of the two clients it is, other_site_url is where its link to the other site points):
    
    	development:
    	    #first or second
    	    site_name: second
    	    other_site_url: http://0.0.0.0:3000
    
  5. Install ClassyCAS
    
    	git clone git://github.com/Econify/ClassyCAS.git
    	cd ClassyCAS
    	bundle install
    
  6. Run it all together. In your current terminal tab, start Redis (redis-server runs in the foreground, so keep this tab open):
    
    	redis-server
    
  7. Start the first client: open up a new tab, navigate to the first client app directory and start the app
    
    	ruby script/server 
    
  8. Same thing for the second client but this time assign it to a different port
    
    	ruby script/server -p 3001
    
  9. Open up yet another terminal tab (you should have four open now) and start ClassyCAS:
    
    	shotgun config.ru
    
  1. Navigate to the first app in your browser (http://0.0.0.0:3000).
  2. Click on the login link, and you'll be redirected to ClassyCAS.
  3. Log in with any username and password (the example UserStore accepts anything; see User Authentication below).
  4. You should be redirected back to the first site's protected area, where you'll see a picture of a cow.
  5. From the first site you'll see a link to the other site. You won't see it happen, but the second site redirects you to ClassyCAS for authentication (which recognises you via its session cookie, so no login form is shown) and then sends you back to the second site, where you'll see a picture of an eagle.
  6. Click logout on either site. You'll be taken back to ClassyCAS; navigate back to both sites and you should see that you are logged out of both.

User Authentication

ClassyCAS is designed to provide a vehicle for single sign-on to multiple client apps and doesn't concern itself with the intricacies of authentication. In other words, it's up to you to roll your own authentication. For authentication ClassyCAS makes a call to a class called UserStore, which has one method, authenticate. How you implement authenticate is up to you; included in the same folder is an example that hits a rails app remotely through REST and gets its authentication decision from that app (which in the example does it with Devise). You can do it many ways; here are some ideas:

  1. Remotely via REST to a Devise app.
  2. Locally via a DataMapper or ActiveRecord 3.0 class.
  3. Key/value pairs in a config file.
  4. Whatever you can think of.
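Here is an added example of idea 3, key/value pairs loaded from a config file, written for this page and not taken from ClassyCAS. It assumes UserStore exposes a class method UserStore.authenticate(username, password) returning true or false; the real signature is not shown on this page, so adapt the name and arity to your checkout. The user records are constructed inline and stand in for what a YAML file would load into; the passwords are stored as PBKDF2 hashes with a per-user salt rather than in the clear, and comparison is constant-time so a wrong guess does not leak how many bytes matched.

```ruby
require 'openssl'
require 'securerandom'

# Added example UserStore (not ClassyCAS's own). ASSUMED interface:
#   UserStore.authenticate(username, password) -> true | false
class UserStore
  ITERATIONS = 100_000
  KEY_LENGTH = 32 # bytes, matches SHA-256 output

  # PBKDF2-HMAC-SHA256 with a per-user salt; only salt and hash are stored.
  def self.derive(password, salt, iterations = ITERATIONS)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LENGTH,
                               OpenSSL::Digest.new('SHA256'))
  end

  # Provisioning helper: the record you would paste into the config file.
  def self.make_record(password)
    salt = SecureRandom.random_bytes(16)
    {
      'salt'       => salt.unpack1('H*'),
      'hash'       => derive(password, salt).unpack1('H*'),
      'iterations' => ITERATIONS
    }
  end

  # Constructed sample of what a YAML users file would load into.
  # In a real deployment generate these once with make_record and store them.
  USERS = {
    'test' => make_record('password')
  }.freeze

  # Used for unknown usernames so the KDF still runs and timing does not
  # reveal which usernames exist.
  DUMMY = make_record(SecureRandom.hex(16)).freeze

  # Constant-time byte comparison; never use == on password hashes.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  def self.authenticate(username, password)
    return false unless username.is_a?(String) && password.is_a?(String)
    known  = USERS.key?(username)
    record = known ? USERS[username] : DUMMY
    salt     = [record['salt']].pack('H*')
    expected = [record['hash']].pack('H*')
    computed = derive(password, salt, record['iterations'])
    secure_equal?(computed, expected) && known
  end
end
```

Wiring this in means replacing the USERS constant with whatever loads your config file; everything else stays the same.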

Logout

The CAS protocol doesn't really specify whether logging out of one client should log you out of all clients, but we thought that made the most sense, so we wrote that into ClassyCAS. Upon logging out the user is redirected to ClassyCAS, which renders invisible iframes that log the user out of every app. There are three things to be aware of to make this work for you:

  1. The iframes are located in the login template, views/login.erb.
  2. You'll need to modify the URLs of the iframes in the template to GET the logout method of each client app.
  3. The config for the client apps in config/classy_cas.yml tells ClassyCAS which clients need to be logged out.

Because the iframes trigger each client's logout with a plain GET, any page the user visits can embed the same URL and log them out; keep the client logout endpoint limited to clearing the session and nothing else.

Client Callback

After a user successfully logs into ClassyCAS they are redirected back to the client. The URL they are redirected to must be sent to ClassyCAS as the service parameter of the initial login redirect to ClassyCAS.

For example:

    	http://127.0.0.1:9393/login?service=http://0.0.0.0:3000/auth/cas/callback

This URL is for the client demo app example; it could very well be the href of a login link tag. The callback URL is the service parameter, in this case http://0.0.0.0:3000/auth/cas/callback, and you can point it anywhere you want by changing the service parameter on the initial call to ClassyCAS. Keep in mind that the service ticket is appended to this URL on redirect, so in a real deployment restrict the accepted service URLs to your known clients rather than redirecting to whatever was supplied.
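As an added illustration of the callback exchange (example code written for this page, not ClassyCAS's own), the block below builds the login link a client would use, checks a submitted service parameter against an allow-list before redirecting, and appends a service ticket the way the CAS protocol does. The allow-list, the CAS base URL and the ticket format are assumptions for the example; ClassyCAS's real ticket generation and service handling are not shown on this page.

```ruby
require 'uri'
require 'securerandom'

# Added example (not ClassyCAS code). Assumed server location, as in the demo.
CAS_BASE = 'http://127.0.0.1:9393'

# Constructed allow-list: the two demo clients' OmniAuth callback URLs.
ALLOWED_SERVICES = [
  'http://0.0.0.0:3000/auth/cas/callback',
  'http://0.0.0.0:3001/auth/cas/callback'
].freeze

# Client side: the href for the login link, service URL properly encoded.
def login_url(service, cas_base = CAS_BASE)
  "#{cas_base}/login?service=#{URI.encode_www_form_component(service)}"
end

# Server side: only redirect to services you know. Scheme, host, port and
# path are compared exactly; a prefix or substring match would let
# http://0.0.0.0:3000.evil.example.com/... or a URL that merely contains
# the callback in its query string through.
def service_allowed?(service, allowed = ALLOWED_SERVICES)
  uri = URI.parse(service)
  return false unless uri.is_a?(URI::HTTP) # http(s) with a real host
  allowed.any? do |entry|
    ok = URI.parse(entry)
    uri.scheme == ok.scheme && uri.host == ok.host &&
      uri.port == ok.port && uri.path == ok.path
  end
rescue URI::InvalidURIError
  false
end

# CAS service tickets must begin with "ST-" and be unguessable.
def new_service_ticket
  "ST-#{SecureRandom.urlsafe_base64(24)}"
end

# Server side: where the browser is sent after login. The ticket is added to
# the service URL, preserving any query string the client already had.
def callback_url(service, ticket)
  unless service_allowed?(service)
    raise ArgumentError, "service not allowed: #{service}"
  end
  sep = service.include?('?') ? '&' : '?'
  "#{service}#{sep}ticket=#{URI.encode_www_form_component(ticket)}"
end

if __FILE__ == $PROGRAM_NAME
  service = 'http://0.0.0.0:3000/auth/cas/callback'
  puts login_url(service)
  puts callback_url(service, new_service_ticket)
end
```

The client then presents the ticket it received to the server's validation endpoint; that half of the protocol is covered by the OmniAuth CAS strategy mentioned at the top of this page.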

What’s There

  • Sinatra based. Classy.
  • Uses Redis to store tickets. Fast!
  • Lots of tests. The whole protocol isn't there yet, but the suite is a good start on an executable spec for CAS 1.0/2.0.

What’s Missing

  • Proxy authentication.

Resources