I wonder if I should use the CAS protocol or OAuth + some authentication provider for single sign-on.
Example Scenario:
- A User tries to access a protected resource, but is not authenticated.
- The application redirects the user to the SSO server.
- If beeing authenticated the user gets a token from the SSO server.
- The SSO redirects to the original application.
- The original application checks the token against the SSO server.
- If the token is ok, access will be allowed and the application knows of the user id.
- The user performs a log-out and is logged out from all connected application at the same time (single sign-out).
As far as I understand that is exactly what was CAS invented for. CAS clients have to implement the CAS protocol to use the authentication service. Now I'm wondering about to use CAS or OAuth at the client (consumer) site. Is OAuth a replacement for that part of CAS? Should OAuth as a new de-facto standard be preferred? Is there an easy to use (not Sun OpenSSO!) replacement for the authentication part of CAS supporting different methods like username/password, OpenID, TLS certifactes ...?
Context:
- Different applications should rely on the authentication of the SSO server and should use something session-like.
- The applications can be GUI web applications or (REST) serivces.
- The SSO server must be provide a user id, which is necessary to get more information about the user like roles, email and so on from a central user information store.
- Single Sign-out should be possible.
- Most clients are written in Java or PHP.
I've just discovered WRAP, which could become the OAuth successor. It is a new protocol specified by Microsoft, Google and Yahoo.
Addendum
I've learned that OAuth was not designed for authentication even it could be used to implement SSO, but only together with a SSO service like OpenID.
OpenID seems to me to be the "new CAS". CAS has some features OpenID misses (like single sign-out), but it should not be to hard to add the missing parts in a particular scenario. I think OpenID has broad acceptance and it is better to integrate OpenID into applications or application servers. I know that CAS also supports OpenID, but I think CAS is dispensable with OpenID.