CAS Login and Logout Scenarios

Overview

This document lists all of the ways a user can log in to and log out of CAS.

Login Scenarios

The following are various ways a user can log into CAS.

Direct Login

Anyone can enter a CAS URL such as https://auth.berkeley.edu/cas/login?service=https%3A%2F%2Fbpr.calnet.ber... directly into the browser's address bar. The request goes first to the CAS server and, because renew=true is used, the login form is presented. Once the user has logged in with CAS, in this case the CAM welcome page appears.

Redirected to Login by Service

This is by far the most common login scenario: the browser is redirected to CAS while trying to access some service.

Not already logged in

If the browser is not already logged into CAS, it will be stopped at the login form where the CalNet credentials must be entered. After successful authentication, the browser is redirected to the service with a CAS service ticket.

Already logged in

If the browser is already logged into CAS, the browser will be instantly redirected back to the service with a CAS service ticket. This redirect happens in the background with no visible indication that the browser was sent to the CAS server to authenticate.

Being forced to re-authenticate by service

If the browser is already logged into CAS but the service requires re-authentication, then the CalNet login credentials will again be requested.

Logout Scenarios

The following are various ways a user can log out of CAS.

Direct Logout

Anyone can go directly to https://auth.berkeley.edu/cas/logout to log out of CAS.

Redirected to Logout by Service

This is by far the most common logout scenario: after a service does a local logout and terminates its local session state, it redirects the browser to the CAS logout URL.

TGC Expires or Idle Session Timeout

Another type of logout happens when the browser's Ticket Granting Cookie (TGC) expires. The TGC lifetime for CAS at UC Berkeley is 10 hours, and after 10 hours the browser will have to re-authenticate to acquire a new TGC. If a TGC expires, the browser will display the login form when accessing a service. A related logout scenario occurs when the CAS idle session timeout of 2 hours expires even if the TGC is still valid. This happens when there are no further requests for Service Tickets within the timeout period.
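
The login scenarios and the two timeouts described above can be combined into one decision: does a browser arriving at the CAS login URL see the login form, or is it sent straight back with a service ticket? The following is an added example, not CAS server code and not part of the original page. It is a simplified model that assumes the idle clock starts at login and resets on each service ticket request; the service URL, class and function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlencode

CAS_LOGIN = "https://auth.berkeley.edu/cas/login"  # login URL from the page
TGC_LIFETIME = timedelta(hours=10)  # TGC lifetime stated on the page
IDLE_TIMEOUT = timedelta(hours=2)   # idle session timeout stated on the page


@dataclass
class SsoSession:
    """Simplified stand-in for the server-side state behind a TGC (assumption)."""
    issued_at: datetime       # when credentials were last entered
    last_ticket_at: datetime  # last service ticket request; starts at issued_at


def login_url(service: str, renew: bool = False) -> str:
    """URL a service redirects the browser to; renew=true forces the form."""
    params = {"service": service}
    if renew:
        params["renew"] = "true"
    return f"{CAS_LOGIN}?{urlencode(params)}"


def handle_login(session: Optional[SsoSession], now: datetime, renew: bool) -> str:
    """Report what the browser sees: 'login_form' or 'service_ticket'."""
    if session is None:
        return "login_form"      # not already logged in
    if now - session.issued_at >= TGC_LIFETIME:
        return "login_form"      # TGC expired
    if now - session.last_ticket_at >= IDLE_TIMEOUT:
        return "login_form"      # idle timeout, even though the TGC is valid
    if renew:
        return "login_form"      # service forces re-authentication
    session.last_ticket_at = now  # a ticket request resets the idle clock
    return "service_ticket"      # silent redirect back to the service


# Constructed timeline: login at 08:00, then three visits (hours later, renew).
T0 = datetime(2024, 1, 8, 8, 0)
SERVICE = "https://app.example.edu/"  # hypothetical service URL


def demo() -> list:
    s = SsoSession(issued_at=T0, last_ticket_at=T0)
    visits = [(1.5, False), (3.0, False), (3.5, True)]
    return [handle_login(s, T0 + timedelta(hours=h), r) for h, r in visits]
```

The model only reports the outcome of each visit; it does not simulate the credential entry that follows the login form or the new TGC issued afterwards.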