
Step-by-Step Guide to Setting Up CAS Single Sign-On (SSO) with Server and Client Configuration

This article provides a comprehensive tutorial on implementing Single Sign-On using the CAS (Central Authentication Service) framework, covering the concepts of SSO and CAS, required development environment, server-side deployment, client configuration, and end‑to‑end testing with detailed code examples.

IT Architects Alliance

Single Sign‑On (SSO) allows a user to log in once and access multiple trusted applications without re‑authenticating. CAS (Central Authentication Service) is an open‑source SSO solution originally created at Yale University, consisting of a CAS Server and CAS Clients.

Key features of CAS include:

Open‑source enterprise‑grade SSO solution.

CAS Server can be deployed independently for web applications.

CAS Client supports many platforms such as Java, .NET, PHP, Perl, Ruby, etc.

The typical architecture comprises a CAS Server handling authentication and multiple CAS Clients (the protected applications) that redirect unauthenticated requests to the server.

Development environment requirements: JDK 1.8+, Maven 3.6, IntelliJ IDEA, Tomcat 9.0+, Windows 10.

CAS Server setup:

Download the overlay package version 5.3 from https://github.com/apereo/cas-overlay-template/tree/5.3.

Unzip the package (cas-overlay-template-5.3.zip) and build it with build.cmd package.

Deploy the generated WAR file to Tomcat's webapps directory and start Tomcat.

Access the server at http://localhost:8080/cas or http://localhost:8080/cas/login. Default credentials are casuser / Mellon (found in \webapps\cas\WEB-INF\classes\application.properties).

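Disabling HTTPS (optional for development):

Modify \cas\WEB-INF\classes\application.properties to set the two properties below. cas.tgc.secure=false removes the Secure flag from the ticket-granting cookie so the browser also sends it over plain HTTP, and cas.serviceRegistry.initFromJson=true initializes the service registry from the JSON service definitions: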

cas.tgc.secure=false
cas.serviceRegistry.initFromJson=true

Also edit \cas\WEB-INF\classes\services\HTTPSandIMAPS-10000001.json to allow http and imaps protocols:

"serviceId": "^(https|http|imaps)://.*"

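The serviceId pattern above authorizes every http, https and imaps URL as a CAS service, not only the two clients configured below. The following added example (not part of the original article or the CAS project) compares it with a tightened pattern; the restricted pattern, the sample URLs and the assumption that CAS matches the whole service URL with java.util.regex are this example's own.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added example: compares the development serviceId pattern from this guide
// with a pattern restricted to the two client applications.
public class ServiceIdCheck {

    // Pattern set in HTTPSandIMAPS-10000001.json in this guide.
    static final String GUIDE_PATTERN = "^(https|http|imaps)://.*";

    // Assumed tightened pattern: only the clients on ports 9010 and 9011.
    static final String RESTRICTED_PATTERN = "^http://localhost:(9010|9011)(/.*)?$";

    // Constructed sample service URLs; other-host.example is a placeholder.
    static final List<String> SAMPLE_SERVICES = Arrays.asList(
            "http://localhost:9010/test1",
            "http://localhost:9011/test2",
            "http://localhost:90100/test1",
            "http://other-host.example/app");

    // True when the whole service URL matches the registered pattern
    // (assumption: this mirrors how CAS evaluates serviceId).
    static boolean isAuthorized(String serviceIdPattern, String serviceUrl) {
        return Pattern.compile(serviceIdPattern).matcher(serviceUrl).matches();
    }

    // Evaluates every sample URL against one pattern, preserving order.
    static Map<String, Boolean> evaluate(String serviceIdPattern) {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String url : SAMPLE_SERVICES) {
            result.put(url, isAuthorized(serviceIdPattern, url));
        }
        return result;
    }

    public static void main(String[] args) {
        Map<String, Boolean> guide = evaluate(GUIDE_PATTERN);
        Map<String, Boolean> restricted = evaluate(RESTRICTED_PATTERN);
        System.out.printf("%-32s %-8s %s%n", "service URL", "guide", "restricted");
        for (String url : SAMPLE_SERVICES) {
            System.out.printf("%-32s %-8s %s%n", url, guide.get(url), restricted.get(url));
        }
    }
}
```

The guide pattern accepts all four sample URLs, while the restricted pattern accepts only the two client URLs; the trailing (/.*)?$ is what rejects port 90100.
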
CAS Client configuration (example projects):

Include the following Maven dependency in pom.xml:

<dependency>
    <groupId>net.unicon.cas</groupId>
    <artifactId>cas-client-autoconfig-support</artifactId>
    <version>2.1.0-GA</version>
</dependency>

Configure application.yml for each client (example for client 1 on port 9010):

server:
  port: 9010
cas:
  server-url-prefix: http://localhost:8080/cas
  server-login-url: http://localhost:8080/cas/login
  client-host-url: http://localhost:9010
  validation-type: cas3

Annotate the Spring Boot main class with @EnableCasClient and add a test controller:

import io.swagger.annotations.Api;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@Api(description = "SSO‑CAS test")
public class TestController {
    @GetMapping("/test1")
    public String test1() {
        return "test1....";
    }
}

Repeat similar configuration for client 2 (port 9011) with its own application.yml and test controller.

Testing the SSO flow:

Start the CAS Server in Tomcat.

Start both client applications.

Visit http://localhost:9010/test1; you will be redirected to the CAS login page.

Open http://localhost:9011/test2 in another tab; after logging in on one client, the browser already holds a CAS session (the ticket-granting cookie), so the other client can be accessed without re‑login.

The screenshots in the original article illustrate the login page, redirection, and successful access after SSO.

In summary, the guide demonstrates how to deploy a CAS Server, configure it for HTTP, set up multiple CAS Clients with Spring Boot, and verify that Single Sign‑On works across different applications.
