Step‑by‑Step Guide to Building a CAS‑Based Single Sign‑On (SSO) System with Server and Client Configuration

This article provides a comprehensive tutorial on implementing Single Sign‑On using the open‑source CAS solution, covering the concepts of SSO and CAS, required development environment, server‑side deployment, client integration with Spring Boot, configuration details, and a complete end‑to‑end testing workflow.


1. Overview

Single Sign‑On (SSO) allows a user to log in once and gain access to multiple trusted applications without re‑authenticating. CAS (Central Authentication Service) is an open‑source SSO solution originally created at Yale University and now maintained by the Apereo community.

1.1 What is SSO?

SSO enables users to authenticate a single time and then access all applications that trust the SSO provider, simplifying user experience and reducing credential management overhead.

1.2 What is CAS?

CAS provides a reliable SSO mechanism consisting of a server component and client libraries. It supports a wide range of client platforms (Java, .NET, PHP, Ruby, etc.) and can be deployed independently.

Official site: https://www.apereo.org/projects/cas

1.3 CAS Features

Open‑source enterprise‑grade SSO solution.

CAS Server can be deployed as a standalone web application.

CAS Client supports many languages and frameworks (Java, .NET, PHP, Perl, Ruby, etc.).

The architecture consists of two parts: CAS Server and CAS Client.

2. CAS Server Setup

2.1 Download Server Package

Download the 5.3 overlay template from the official repository:

Download URL: https://github.com/apereo/cas-overlay-template/tree/5.3

Compressed file: cas-overlay-template-5.3.zip

After extracting, build the project with:

build.cmd package

(On Linux or macOS the overlay ships the equivalent build.sh script; run build.sh package.) The generated WAR file (cas.war) can be found in the target directory.

2.2 Deploy and Test

Copy the WAR to Tomcat's webapps folder and start Tomcat.

Access URLs: http://localhost:8080/cas or http://localhost:8080/cas/login

Default credentials are defined in \webapps\cas\WEB-INF\classes\application.properties (username: casuser, password: Mellon). This is the static test account (the cas.authn.accept.users property); it exists only so you can confirm the deployment works. Replace it with a real authentication backend (LDAP, JDBC, etc.) and remove the static entry before the server is reachable by anyone else.

2.3 Server Configuration

2.3.1 Disable HTTPS (use HTTP for development)

Modify \cas\WEB-INF\classes\application.properties to add:

cas.tgc.secure=false
cas.serviceRegistry.initFromJson=true

The first line drops the Secure flag from the ticket-granting cookie (TGC) so the browser will send it over plain HTTP; the second loads the JSON service definitions under services\ into the service registry. Treat the HTTP setup as a local development shortcut only: the TGC is the user's SSO session, and anyone who can read it off the wire can obtain service tickets for every registered client as that user. A production CAS server runs behind HTTPS with cas.tgc.secure left at its default of true.

Update the service definition file \cas\WEB-INF\classes\services\HTTPSandIMAPS-10000001.json so its serviceId pattern also accepts http:// URLs (the shipped file only allows https and imaps):

"serviceId" : "^(https|http|imaps)://.*"

Note what this pattern does. The serviceId regex is how CAS decides which applications may receive service tickets, and this one matches every HTTP, HTTPS and IMAPS URL. That is convenient for a local walkthrough, but it means any site that can send a logged-in browser to /cas/login?service=<its own URL> will be handed a service ticket and can validate it to learn the user's identity and released attributes. For anything beyond a local test, replace the wildcard with definitions whose serviceId matches only the real client URLs (for this tutorial, the two Spring Boot ports).

3. CAS Client Configuration (Spring Boot Projects)

3.1 Maven Dependency

<dependency>
    <groupId>net.unicon.cas</groupId>
    <artifactId>cas-client-autoconfig-support</artifactId>
    <version>2.1.0-GA</version>
</dependency>

3.2 application.yml (Client 1)

server:
  port: 9010
cas:
  server-url-prefix: http://localhost:8080/cas
  server-login-url: http://localhost:8080/cas/login
  client-host-url: http://localhost:9010
  validation-type: cas3

3.3 application.yml (Client 2)

server:
  port: 9011
cas:
  server-url-prefix: http://localhost:8080/cas
  server-login-url: http://localhost:8080/cas/login
  client-host-url: http://localhost:9011
  validation-type: cas3

Both Spring Boot applications enable CAS support with the @EnableCasClient annotation on the main class. validation-type: cas3 makes the client validate tickets against the CAS protocol 3 endpoint (/p3/serviceValidate), which also returns principal attributes. client-host-url must be exactly the scheme, host and port the browser uses to reach that client: the CAS filter builds the service parameter from it, CAS checks that value against the service registry, and the same value is sent back during ticket validation, so a mismatch shows up as a ticket that fails to validate.

3.4 Test Controllers

Client 1 controller:

import io.swagger.annotations.Api;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@Api(description = "SSO‑CAS test")
public class TestController {
    @GetMapping("/test1")
    public String test1() {
        return "test1....";
    }
}

Client 2 controller (similar, mapping to /test2).

4. End‑to‑End Testing

Start Tomcat with the CAS Server deployed.

Start both Spring Boot clients (ports 9010 and 9011).

Open http://localhost:9010/test1 in a browser – you will be redirected to the CAS login page.

Open http://localhost:9011/test2 – also redirected to login.

Log in on one client (e.g., client 2). After successful authentication, CAS sets the ticket-granting cookie (TGC) in the browser, issues a single-use service ticket for that client and redirects back to it with the ticket in the query string; the client's CAS filter validates the ticket against the server before serving /test2.

Now revisit the other client URL. The client still redirects to /cas/login, but the browser presents the TGC, so CAS issues a new service ticket for that client without showing the login form and redirects straight back; the protected resource loads without logging in again.

This demonstrates a complete SSO workflow using CAS.
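The exchange described in section 4, together with the service-registry check from 2.3.1, as an added example that is not part of the original article and is not CAS or cas-client code. It models the CAS server in memory (no Tomcat, no network) using the article's URLs and the casuser/Mellon account, walks the two clients through login, ticket issuance and /p3/serviceValidate, and goes one step beyond the text by showing that a service ticket is single use and that the wildcard serviceId lets an outside URL learn a logged-in user's identity. The restricted serviceId pattern and the attacker.example host are assumptions made for this example.

```python
import re
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

# Values from the article's configuration.
CAS_PREFIX = "http://localhost:8080/cas"        # cas.server-url-prefix
CLIENT1 = "http://localhost:9010/test1"
CLIENT2 = "http://localhost:9011/test2"
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used by CAS validation responses

# The article's wildcard serviceId next to a restricted one that admits only the two
# Spring Boot clients. The restricted pattern is this example's assumption, not the article's.
WILDCARD_SERVICE_ID = r"^(https|http|imaps)://.*"
RESTRICTED_SERVICE_ID = r"^http://localhost:901[01](/.*)?$"

RESPONSE = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>%s</cas:serviceResponse>"


class CasServer:
    """In-memory stand-in for the CAS server: one TGT (held by the browser as the TGC
    cookie) per SSO session, one single-use service ticket (ST) per redirect to a client."""

    def __init__(self, service_id_pattern, users):
        self.service_id = re.compile(service_id_pattern)
        self.users = users   # username -> password, like the static casuser/Mellon account
        self.tgts = {}       # TGC cookie value -> username
        self.sts = {}        # ST -> (username, service the ST was issued for)

    def service_allowed(self, service):
        """Service registry lookup: does the registered serviceId match this URL?"""
        return self.service_id.match(service) is not None

    def login(self, service, tgc=None, username=None, password=None):
        """/cas/login -> (tgc, url CAS redirects the browser back to). A browser that
        presents a valid TGC gets an ST with no password prompt: that is the SSO effect."""
        if not self.service_allowed(service):
            raise PermissionError("service not registered: " + service)
        if tgc in self.tgts:
            user = self.tgts[tgc]
        else:
            if username not in self.users or self.users[username] != password:
                raise PermissionError("bad credentials")
            user = username
            tgc = "TGC-" + secrets.token_urlsafe(16)
            self.tgts[tgc] = user
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (user, service)
        return tgc, service + ("&" if "?" in service else "?") + urlencode({"ticket": st})

    def p3_service_validate(self, service, ticket):
        """/p3/serviceValidate: the ST must exist, be bound to exactly this service,
        and is consumed on first use, so a replay fails with INVALID_TICKET."""
        entry = self.sts.pop(ticket, None)
        if entry is None:
            return RESPONSE % ("<cas:authenticationFailure code='INVALID_TICKET'>"
                               "Ticket '%s' not recognized</cas:authenticationFailure>" % ticket)
        user, bound_service = entry
        if bound_service != service:
            return RESPONSE % ("<cas:authenticationFailure code='INVALID_SERVICE'>"
                               "Ticket '%s' does not match service</cas:authenticationFailure>" % ticket)
        return RESPONSE % ("<cas:authenticationSuccess><cas:user>%s</cas:user>"
                           "</cas:authenticationSuccess>" % user)


def login_redirect(service):
    """The redirect the client's CAS filter issues for an unauthenticated request."""
    return CAS_PREFIX + "/login?" + urlencode({"service": service})


def ticket_from(url):
    """Extract the ST from the URL CAS sent the browser back to."""
    return parse_qs(urlparse(url).query)["ticket"][0]


def parse_validation_response(xml_text):
    """Client-side parse of a validation body: ('success', user) or ('failure', code)."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is not None:
        return ("success", user.text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    return ("failure", failure.get("code") if failure is not None else "UNKNOWN")


def run_sso_flow(service_id_pattern=RESTRICTED_SERVICE_ID):
    """Section 4: log in once at client 2, then reach client 1 without a second prompt."""
    cas = CasServer(service_id_pattern, {"casuser": "Mellon"})
    service = parse_qs(urlparse(login_redirect(CLIENT2)).query)["service"][0]
    tgc, back2 = cas.login(service, username="casuser", password="Mellon")  # form login
    st2 = ticket_from(back2)
    client2 = parse_validation_response(cas.p3_service_validate(CLIENT2, st2))
    _, back1 = cas.login(CLIENT1, tgc=tgc)                  # TGC presented, no password
    client1 = parse_validation_response(cas.p3_service_validate(CLIENT1, ticket_from(back1)))
    replay = parse_validation_response(cas.p3_service_validate(CLIENT2, st2))
    return {"client2": client2, "client1": client1, "replay": replay}


def outsider_learns_identity(service_id_pattern, outsider="http://attacker.example/collect"):
    """Section 2.3.1: with a logged-in browser, can a URL outside the two clients obtain
    and validate an ST, i.e. learn who the user is? (attacker.example is a made-up host.)"""
    cas = CasServer(service_id_pattern, {"casuser": "Mellon"})
    tgc, _ = cas.login(CLIENT1, username="casuser", password="Mellon")
    try:
        _, back = cas.login(outsider, tgc=tgc)
    except PermissionError:
        return False
    status, _ = parse_validation_response(cas.p3_service_validate(outsider, ticket_from(back)))
    return status == "success"
```

run_sso_flow() returns success for both clients after a single form login and INVALID_TICKET for the replayed ticket; outsider_learns_identity(WILDCARD_SERVICE_ID) is True while outsider_learns_identity(RESTRICTED_SERVICE_ID) is False, which is the practical difference between the tutorial's wildcard and a serviceId limited to the two client ports.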

5. Conclusion

The article walks through the entire process of setting up a CAS server, configuring two independent Spring Boot clients, and verifying that a single login grants access to both applications, illustrating the practical use of SSO in enterprise environments.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Java, Maven, Spring Boot, Authentication, CAS, Tomcat, SSO
Written by Top Architect

Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.
