by James Marca
A node.js module for CAS validation
This talk will present our node.js module for leveraging a CAS single
signon service. The module is open source and available on GitHub, and
we would love to see wider adoption and use of the module. Node.js is a
new-ish server platform that is gaining in popularity because it is
We needed to write our own node.js module to integrate with the
[Express](http://expressjs.com/) web framework because at the time none
of the other available modules enabled single sign off. We started with
a simple service that verified whether a user was logged in to the CAS
server, and gradually expanded its functionality.
While the focus of the presentation will be on describing our CAS
client, a broader goal is to introduce node.js to an audience who may be
CAS has a wonderfully simple protocol for delegated authentication and single sign-on for browser-based access to web applications. However, the same protocol may stymie the non-browser and programmatic clients commonly found in RESTful architectures. The CAS login form is fine for humans behind a browser, but programmatic clients and human users using non-browser interfaces such as a CLI (Command Line Interface) and, to some degree, AJAX clients will face difficulties. Such clients may avail themselves of the CAS RESTful login interface, but only if they know in advance exactly when to pre-authenticate; otherwise they will be unexpectedly and unwittingly forwarded to the CAS login screen and fail.
Our approach transforms some CAS protocol 200 and 302 responses to 401 responses and makes navigating CAS protected REST interfaces a cinch. We prove this with a demonstration: accessing a CAS-protected REST endpoint with a single cURL command.
Fully understanding session management, and effective logout strategies, when using SSO services (e.g. CAS, Shibboleth) can be difficult, particularly when increasing the complexity by layering one SSO service over another (e.g. Shibboleth relying on CAS for authentication). The behavior of various browsers regarding session cookies also must be considered. Questions frequently arise on the support lists for both CAS and Shibboleth around session management and logout. This session will explore the concepts around, existing functionality for, and good practices in tracking and terminating single sign-on sessions, including timeouts and logout, in CAS and Shibboleth. Logout approaches to be discussed include single logout, browser closing, operating system session ending, hard drive reformatting, and high atmosphere electromagnetic pulses! (The latter aren't best practices, but current out-of-the-box browser behaviors around secure session management may drive you to consider it.)
2nd–7th June 2013