Step-by-Step Guide to Building CAS Single Sign-On (SSO) with Spring Boot

This article provides a comprehensive tutorial on implementing Single Sign-On using the Central Authentication Service (CAS), covering its concepts, features, architecture, environment setup, server and client configuration, and testing procedures with detailed code examples for Java developers.

Top Architect

Single Sign-On (SSO) is a popular solution that allows users to log in once and access multiple trusted applications; CAS (Central Authentication Service) is an open‑source implementation of SSO originally created by Yale University.

CAS offers features such as being an open‑source enterprise‑grade SSO solution, a standalone server component, and client support for many platforms including Java, .Net, PHP, Ruby, and more.

The architecture consists of two parts: CAS Server, which handles authentication, and CAS Client, which protects resources and redirects unauthenticated requests to the server.

1. Overview

1.1 What is SSO?

SSO enables users to log in once and access all mutually trusted applications without repeated authentication.

1.2 What is CAS?

CAS provides a reliable SSO method for web applications and consists of a server and client component.

Official site: https://www.apereo.org/projects/cas

2. CAS Server Setup

2.1 Download CAS Server

Download version 5.3 from the overlay template:

cas-overlay-template-5.3.zip

After extracting, run:

build.cmd package

Deploy the generated WAR file to Tomcat's webapps directory and start Tomcat.

Access URLs:

http://localhost:8080/cas or http://localhost:8080/cas/login

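Default credentials are defined in \webapps\cas\WEB-INF\classes\application.properties (username: casuser, password: Mellon). These are the publicly known defaults of the overlay, so replace them before the server is reachable by anyone else.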

2.2 Disable HTTPS (optional for development)

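Edit \cas\WEB-INF\classes\application.properties and add the two lines below. cas.tgc.secure=false drops the Secure attribute from the ticket-granting cookie so the browser also sends it over plain HTTP, and cas.serviceRegistry.initFromJson=true makes the server initialize its service registry from the JSON files under classes\services: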

cas.tgc.secure=false
cas.serviceRegistry.initFromJson=true

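Modify \cas\WEB-INF\classes\services\HTTPSandIMAPS-10000001.json to allow HTTP by adding http to the scheme alternatives in serviceId. Because of the trailing .*, the pattern accepts a service URL on any host, so keep it to local development: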

"serviceId" : "^(https|http|imaps)://.*"
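
What the relaxed pattern admits compared with one pinned to this tutorial's two clients, as an added example (not code from the original article or from the CAS project). The class name, the pinned pattern and the sample URLs are constructed for illustration, and the case-insensitive full match is an assumption about how the server evaluates serviceId.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Added example: checks which service URLs a serviceId pattern would accept. */
public class ServiceIdAudit {

    // Pattern from section 2.2 of the article.
    static final String RELAXED = "^(https|http|imaps)://.*";
    // Assumed tighter alternative: only the demo clients on ports 9010 and 9011.
    static final String PINNED = "^http://localhost:(9010|9011)(/.*)?$";

    // Constructed sample service URLs; the last three are not the article's clients.
    static final List<String> SAMPLES = Arrays.asList(
        "http://localhost:9010/test1",
        "http://localhost:9011/test2",
        "http://localhost:9012/other",
        "http://localhost:9010.untrusted.example/test1",
        "https://untrusted.example/callback");

    /** Assumption: the server does a case-insensitive full match on the service URL. */
    static boolean allowed(String serviceIdPattern, String serviceUrl) {
        return Pattern.compile(serviceIdPattern, Pattern.CASE_INSENSITIVE)
                      .matcher(serviceUrl)
                      .matches();
    }

    /** Maps each sample URL to whether the given pattern would accept it. */
    static Map<String, Boolean> audit(String serviceIdPattern) {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String url : SAMPLES) {
            result.put(url, allowed(serviceIdPattern, url));
        }
        return result;
    }

    public static void main(String[] args) {
        for (String pattern : Arrays.asList(RELAXED, PINNED)) {
            System.out.println("serviceId = " + pattern);
            audit(pattern).forEach((url, ok) ->
                System.out.printf("  %-48s %s%n", url, ok ? "ALLOWED" : "rejected"));
        }
    }
}
```

The relaxed pattern accepts all five URLs, while the pinned one accepts only the first two. The pinned pattern contains no backslashes, so it can be used as the serviceId value in the JSON file without extra escaping.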

3. CAS Client Configuration

Add the following dependency to pom.xml:

<dependency>
  <groupId>net.unicon.cas</groupId>
  <artifactId>cas-client-autoconfig-support</artifactId>
  <version>2.1.0-GA</version>
</dependency>

Configure application.yml for each client. Example for client 1 (port 9010):

server:
  port: 9010
cas:
  server-url-prefix: http://localhost:8080/cas
  server-login-url: http://localhost:8080/cas/login
  client-host-url: http://localhost:9010
  validation-type: cas3

Example for client 2 (port 9011):

server:
  port: 9011
cas:
  server-url-prefix: http://localhost:8080/cas
  server-login-url: http://localhost:8080/cas/login
  client-host-url: http://localhost:9011
  validation-type: cas3

In the Spring Boot main class, add the @EnableCasClient annotation. Then create a test controller:

import io.swagger.annotations.Api;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@Api(description = "SSO-CAS test")
public class TestController {
    @GetMapping("/test1")
    public String test1() {
        return "test1....";
    }
}

Repeat for client 2 with a different endpoint (e.g., /test2).

4. Testing the SSO Flow

Start the CAS Server, then start both client applications. Access http://localhost:9010/test1 and you will be redirected to the CAS login page. After logging in (e.g., with casuser/Mellon), you are redirected back to the client.

Now access http://localhost:9011/test2 in the same browser session; you will be logged in automatically without re‑entering credentials, demonstrating the SSO behavior.

When you log out from one client, the session is terminated across all CAS‑protected applications.
