Since CAS is a solution for single sign-on (SSO), applications that implement CAS must take security seriously. Once a browser logs into CAS, that browser can enter new applications without providing CalNet credentials again, which increases the risk of people inadvertently leaving themselves logged in to multiple applications, especially at shared workstations and public kiosks. If your department supports public kiosks, please see campus Kiosk Guidelines.
The CalNet Team, in consultation with campus developers, developed the following terms of service for using CAS. These terms of service have been reviewed and endorsed by the campus Information Security Office (ISO).
All applications which are used by the general campus population and use CalNet's Central Authentication Service must adhere to these standards. If the CalNet team identifies applications which are out of compliance with these standards, application, we will notify application owners and allow 2 months for them to come into compliance. Failure to comply with these terms may result in removal of the application from the CAS service registry.
1. Applications/Websites Must Register to Use CAS
In order for an application or any website URL to be protected by CAS Authentication, it must be registered. Before you can use CAS in test or production, you need to submit a CAS Registration.
2. Login/Logout Standards
- Applications must have a local session, i.e., once a user has authenticated with CAS and has presented an application with a service ticket, the application should create a local session so that each new request to the application does not go against CAS. CAS is for authentication only; it is not a security framework for a web application. Please see the Web Flow Diagram for an in-depth view of how this should work. The exception to this is if a user is requesting a static resource that has been protected by some CASified code. In this case, there is no "application" and no means of keeping track of a user's state. In this instance, it is ok for the application to direct the user to CAS for each request for the resource.
- Applications must use "session cookies" (if cookies are used) for local session state. A "session cookie" is a cookie that gets removed from the browser when the browser is closed or stops running.
- The application must present a "logout" option which, when exercised, logs the user out of CAS completely.
- The logout button should be labelled "CalNet Logout" to help the user understand that clicking the button will log him/her out of CAS, not just the local application.
- Application owners should implement global logout wherever possible.
- Applications that do not support global logout should set inactivity timeouts for local application sessions to no more than 30 minutes.
- Applications that provide access to data with high confidentiality requirements should set a shorter inactivity timeout (maximum 15 minutes).