Advantages of Jasig CAS

By Andrew Petro
January 12, 2011

I wrote a few words about the advantages of Jasig CAS recently in support of a sales proposal. I figure these words might do some good out in public, so I'm posting them (edited) here.

Security

Jasig CAS centralizes the authentication user experience and the credential validation service through which users authenticate to web applications, reducing the proliferation of login pages. The CAS authentication protocol does not require applications that rely on CAS for authentication to ever handle the user's password, which reduces the opportunities for password exposure when an application is compromised. CAS can, however, optionally and selectively release the end user's password just-in-time to specific applications that you deem appropriate and necessary. For example, your enterprise portal may require the end user's password in order to authenticate on the user's behalf to a backing store of email or calendar information and present it in the portal. Likewise, the current best practice for CASification of Outlook Web Access involves a back-end integration that releases the password just-in-time from CAS to Outlook Web Access, without the password passing through the user's browser after the initial login directly with CAS.

See also a short YouTube video about CAS focusing on the security advantages of reining in password proliferation.

CAS reduces the exposure of user credentials on the Web, but it is no more restrictive about that exposure than your enterprise integration requirements can support.

User Convenience

Jasig CAS centralizes the authentication user experience such that users need only log in once per browser session and need not present their credentials again to authenticate to additional participating web applications. This improves user satisfaction and reduces authentication fatigue (the temptation to reflexively provide institutional credentials to any page that prompts for them, in a hurry to get to the desired application). However, your web applications can optionally rely upon CAS for authentication while opting out of the convenience of single sign-on, requiring that the user again present credentials specifically to access that application.

CAS implements a convenient single sign-on user experience, but no more convenient than you are institutionally comfortable with, per application.

Free and Open Source Software

Jasig CAS is free and open source software (historically under the highly permissive New BSD license and most recently under the similarly permissive and widely adopted Apache 2.0 license). It was built by and for higher education, originally at Yale University, and is now developed and maintained under the coordination of Jasig, a non-profit organization whose primary membership is higher education institutions.

There are no license fees to pay for any Jasig CAS product. All Jasig CAS software is free and open source software. Unicon doesn't sell a proprietary fork or product built on Jasig CAS – our position is that the open source software as vended by Jasig is the appropriate software to be adopting and servicing so we provide all our commercially offered services for CAS and technical support for CAS directly on and for that free and open source software. You need not compromise any of your free software freedoms in order to consume Unicon's services and support.

Jasig sponsors conferences with significant CAS participant and presentation presence. Jasig also runs active mailing lists for discussion, peer support, and collaboration on CAS maintenance and development.

Unicon is a Jasig Partner and a Jasig CAS Solutions Provider. Unicon participates directly in Jasig CAS open source software development and in the Jasig community. Unicon's innovative Cooperative Support for CAS technical support offering is "cooperative" in that it is designed to cooperate directly with the Jasig CAS community and open source software development process in providing support and sustainability to the program subscribers.

Unicon commercially offers consulting services and technical support for CAS. CAS adopters are able to make appropriate tradeoffs between reliance upon commercial assistance, reliance on internal staff, and reliance upon the peer community of adopters, all while retaining the full freedoms afforded by Jasig's open source licensing model.

Highly customizable

Jasig CAS is not merely free and open source software that permits adopters to modify it in any way they like. Jasig CAS is also designed to offer pluggable, flexible, maintainable APIs and source change management processes that make customization of CAS feasible and sustainable. Through its effective use of best-practice build technology (including Maven) and widely adopted open source development frameworks (notably the Spring Framework and Spring Web Flow), CAS provides a technology platform on which Unicon and others can productively implement extensions, plugins, and customizations.

See also this recorded Jasig conference presentation on Extending CAS using Spring Web Flow.

Portal-appropriate features

CAS offers optional advanced features that are particularly portal-appropriate, including an extension module supporting secure release of end user credentials to selected applications and features for delegated (n-tier) authentication.

ClearPass enables the CAS server to securely and selectively release the end user's password, as remembered in memory from the user's login to the CAS server. In most cases it is not appropriate to release this password: applications need the password only to authenticate the user, and CAS assures the application of the user's authentication without the application ever seeing the password. However, some applications need the end user's password for purposes other than immediate user authentication, e.g. for presentation to backing services that require the user's password, or for offering a CAS login user experience while continuing to rely upon an application's existing form-based authentication implementation.

See also this recorded Jasig conference presentation on ClearPass.

CAS also supports delegated (n-tier) authentication without password replay through its "proxy tickets" feature: a front-end application that has validated the user's ticket can obtain proxy tickets to present to back-end services on the user's behalf, and those services validate them with CAS and learn both the user's identity and which application proxied for the user, all without any application handling the password.
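The protocol behaviour described in the Security and User Convenience sections above, together with the proxy-ticket flow just mentioned, is easier to see as a concrete exchange. The Python below is an added illustration and not Jasig CAS code: an in-memory stand-in for a CAS server that models the CAS 2.0 protocol endpoints /login, /serviceValidate, /proxy and /proxyValidate (the real ones speak HTTPS and XML, and deliver the PGT by calling back the application's pgtUrl; all of that transport is omitted here), followed by a walk-through in which the user's password is typed exactly once, directly at CAS. The account data and the example.edu service URLs are constructed for the example. It also shows the checks a CAS server enforces that the post alludes to: tickets are single-use and bound to the one service they were issued for, a proxy ticket is refused at /serviceValidate, and the protocol's renew parameter is how an application opts out of single sign-on, by rejecting a ticket produced from the SSO session rather than from a fresh login.

```python
"""Toy in-memory model of the CAS 2.0 protocol: an added example, not Jasig CAS code. Endpoints
modelled: /login, /serviceValidate, /proxy, /proxyValidate; HTTPS, XML and the pgtUrl callback are omitted."""
import hmac
import secrets
from dataclasses import dataclass

class CasError(Exception): """Raised where a real CAS server would answer authenticationFailure."""

@dataclass
class Ticket:
    user: str
    service: str            # the service URL the ticket was issued for
    proxies: list           # proxying services, nearest first; empty for a plain ST
    from_credentials: bool  # True only when issued right after a password login

class CasServer:
    def __init__(self, accounts):
        self._accounts = accounts  # username -> password; constructed sample data
        self._tgts = {}            # TGT -> username: the browser's SSO session
        self._tickets = {}         # ST/PT -> Ticket; every entry is single-use
        self._pgts = {}            # PGT -> (username, proxying service, upstream chain)

    # /login: a password login creates an SSO session (TGT); an existing TGT cookie
    # yields a new ST with no password prompt, unless the service asked for renew.
    def login(self, service, tgt=None, username=None, password=None, renew=False):
        if tgt in self._tgts and not renew:
            return tgt, self._issue("ST", self._tgts[tgt], service, [], False)
        stored = self._accounts.get(username or "", "")
        if not stored or not hmac.compare_digest(stored.encode(), (password or "").encode()):
            raise CasError("authentication failed")
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self._tgts[tgt] = username
        return tgt, self._issue("ST", username, service, [], True)

    # /serviceValidate: the application hands back its ST and learns the username;
    # the password never reaches it. Supplying pgtUrl additionally yields a PGT.
    def service_validate(self, service, ticket, renew=False, pgt_url=None):
        t = self._consume(ticket, service, allow_pt=False)
        if renew and not t.from_credentials:
            raise CasError("INVALID_TICKET: not issued from primary credentials")
        pgt = "PGT-" + secrets.token_urlsafe(16) if pgt_url else None
        if pgt:  # a real server delivers the PGT by calling pgt_url over HTTPS
            self._pgts[pgt] = (t.user, service, t.proxies)
        return {"user": t.user, "pgt": pgt}

    # /proxy: a proxying application trades its PGT for a PT aimed at a back end.
    def proxy(self, pgt, target_service):
        if pgt not in self._pgts:
            raise CasError("INVALID_TICKET: unknown PGT")
        user, proxying_service, chain = self._pgts[pgt]
        return self._issue("PT", user, target_service, [proxying_service] + chain, False)

    # /proxyValidate: the back end validates the PT and sees who proxied for the user.
    def proxy_validate(self, service, ticket):
        t = self._consume(ticket, service, allow_pt=True)
        return {"user": t.user, "proxies": list(t.proxies)}

    def _issue(self, prefix, user, service, proxies, from_credentials):
        tid = f"{prefix}-{secrets.token_urlsafe(16)}"
        self._tickets[tid] = Ticket(user, service, proxies, from_credentials)
        return tid

    def _consume(self, ticket, service, allow_pt):
        t = self._tickets.pop(ticket, None)  # pop: a replayed ticket is rejected
        if t is None or (ticket.startswith("PT-") and not allow_pt):
            raise CasError("INVALID_TICKET: unknown, replayed, or a PT at /serviceValidate")
        if t.service != service:
            raise CasError("INVALID_SERVICE: ticket was issued for another service")
        return t

def rejected(fn, *args, **kwargs):
    try:
        fn(*args, **kwargs)
    except CasError:
        return True
    return False

def demo():
    cas = CasServer({"alice": "correct horse battery staple"})  # constructed account
    portal, mail, wiki = "https://portal.example.edu/", "https://mail.example.edu/", "https://wiki.example.edu/"
    out = {}
    # alice types her password exactly once, directly at CAS
    tgt, st = cas.login(portal, username="alice", password="correct horse battery staple")
    # the portal validates the ST: it learns who alice is, never her password
    v = cas.service_validate(portal, st, pgt_url="https://portal.example.edu/pgtCallback")
    out["portal_user"] = v["user"]
    # n-tier: the portal obtains a PT for the mail back end, which validates it itself
    out["backend"] = cas.proxy_validate(mail, cas.proxy(v["pgt"], mail))
    # tickets are single-use and bound to the service they were issued for
    out["replay_rejected"] = rejected(cas.service_validate, portal, st)
    out["wrong_service_rejected"] = rejected(cas.service_validate, portal, cas.login(wiki, tgt=tgt)[1])
    # SSO: the wiki gets alice's identity from the existing TGT, with no password prompt
    out["sso_user"] = cas.service_validate(wiki, cas.login(wiki, tgt=tgt)[1])["user"]
    # opting out of SSO: validating with renew rejects a ticket the SSO session produced
    out["renew_rejected"] = rejected(cas.service_validate, wiki, cas.login(wiki, tgt=tgt)[1], renew=True)
    return out

if __name__ == "__main__":
    print(demo())
```

Running the script prints the result dictionary. The point to notice is in the `backend` entry: the mail back end learns the user and the proxy chain (the portal's service URL) while neither it nor the portal ever handled a password, which is what "n-tier authentication without password replay" means in practice. The `renew_rejected` entry is the opt-out described under User Convenience: the wiki accepts only a ticket minted from a fresh credential login, so a user arriving with an existing SSO session is sent back to CAS to re-authenticate.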

Unicon's Services

I see Unicon's professional services and ongoing technical support as additional valuable advantages of the Jasig CAS software. Unicon's services and support allow adopters to consume as much help as they like from a "vendor" while retaining full freedoms over their single sign-on software and resulting solution.

Andrew Petro

After graduating with a degree in Computer Science from Yale University in 2004, Andrew stayed on to serve his alma mater as a casual systems programmer with the Technology & Planning group. His interests include automated software testing, application frameworks, and electronic security. Projects in which Andrew has been involved include the Central Authentication Service, YaleInfo Portal (Yale's uPortal implementation), the Jasig uPortal project, and the Jasig CAS project. Andrew has previously served on the Jasig uPortal and CAS steering committees, has been the release engineer for uPortal, and has been published in the Communications of the Association for Computing Machinery on the topic of electronic voting. In spring 2006 Andrew joined Unicon full time, serving various roles, including now as the Cooperative Support for CAS technical lead.