Instituto Superior Técnico

Serviços de Informática

Unified authentication system

The system used in Técnico is based on the Centralized Authentication System, or CAS, from Yale University. CAS is an enterprise-class single-sign-on (SSO) authentication solution for web services, including websites and web applications.

This system lets multiple communication channels of the same platform, which may use different authentication mechanisms, rely on the same authoritative source of trust. The user authenticates once, unambiguously, and does not have to repeat the process for each specific channel or service on the same platform.

Several solutions exist for using CAS from web services written in different languages or frameworks, which lets programmers implement specific SSO solutions quickly. These reasons led to the adoption and support of this system in Técnico’s infrastructure.

Authorization

Use of the CAS system is only allowed to previously authorized servers. We are replacing this system with SAML or OAuth2; no new websites should use CAS. For websites we recommend the use of the Fenixedu API as described here.

Applications for authorization should be sent to si@tecnico.ulisboa.pt with the following data:

  • Service name, which will appear on the central logout page
  • Login URL, i.e. the URL that will be sent to the CAS server in the “service” parameter
  • Logout URL, the URL that is called to invalidate the application session. This URL should only destroy the session and should not call the CAS library logout function.

Operation

The CAS system allows any server in the tecnico.ulisboa.pt domain to authenticate Técnico’s users without knowing or having to directly request the access credentials (which would translate into a security breach).

Briefly, the mechanism works as follows:

  1. There is a central authentication machine at the address id.tecnico.ulisboa.pt, where security policies are defined and that ensures the integrity of access credentials, to which all authentication requests are redirected.
  2. If authentication is successful, the same central machine provides the browser with an authentication ticket for the session.
  3. Finally, this ticket is valid for a limited time, during which it guarantees the authenticity of the access, allowing access to the authentication service without the authentication credentials having to circulate through servers external to the SI.

The user must not enter the credentials at any address other than https://id.tecnico.ulisboa.pt/, since such a request is probably an attempt to usurp credentials (phishing). If this happens, you should contact SI.
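
The service side of the mechanism above, as an added example that is not code from Técnico or the CAS project: it builds the login redirect with the “service” parameter, checks that a URL really points at the central machine, and accepts a ticket only on an explicit success response. The /cas path prefix, the application URL and the sample responses are assumptions constructed for illustration; /login, /serviceValidate and the XML format are those of the CAS 2.0 protocol.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

CAS_HOST = "id.tecnico.ulisboa.pt"           # central machine named on this page
CAS_BASE = f"https://{CAS_HOST}/cas"         # assumption: /cas path prefix
SERVICE_URL = "https://app.example.tecnico.ulisboa.pt/login"  # hypothetical Login URL
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

def login_redirect_url():
    """URL the browser is redirected to; credentials are typed only there."""
    return f"{CAS_BASE}/login?{urlencode({'service': SERVICE_URL})}"

def validation_url(ticket):
    """Server-to-server URL used to check a ticket; the service value
    must be identical to the one sent in the login redirect."""
    query = urlencode({"service": SERVICE_URL, "ticket": ticket})
    return f"{CAS_BASE}/serviceValidate?{query}"

def is_trusted_cas_url(url):
    """True only for HTTPS URLs whose host is exactly the central machine."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == CAS_HOST

def user_from_validation(xml_text):
    """Return the username, or None unless the response is an explicit success."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "{http://www.yale.edu/tp/cas}serviceResponse":
        return None
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    name = (user.text or "").strip() if user is not None else ""
    return name or None

# Constructed sample responses (not captured from the real server).
SAMPLE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>ist100000</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_redirect_url())
    print(user_from_validation(SAMPLE_OK), user_from_validation(SAMPLE_FAIL))
```

The application never sees the password: it only receives a ticket and learns the username from the central machine's answer.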

It is suggested to consult specific information on the CAS project: