HKUST ITSO AI Chatbot

Important reminder

Please do not disclose personal data such as your HKUST account number, staff/student ID or name in the chatbot. Information provided will be retained to enhance system performance.

By using the HKUST ITSO Chat service, you confirm that you have read, understood, and agreed to the Disclaimer

Log in to access additional information for your user group in addition to the publicly accessible content.

Send Icon
Central Authentication Server (CAS)
Central Authentication Server (CAS) supports CAS protocol which is a very simple authenticatoin protocol and requires only a very lightweight client library in the application side. In comparing with SAML, it has less security features but is adequate as a secure SSO platform for most web applications. ITSO recommends CAS for SSO integration with your application. The process of integrating CAS into your application is in brief:
 
  1. Register your application
  2. Configure a suitable CAS client
  3. Test and troubleshoot
Details

Type: Single Sign-On (SSO) Protocol

Purpose: Enables users to authenticate once and gain access to multiple applications without needing to log in again.

Flow:

  1. User requests access to an application.

  1. Redirected to the CAS server for authentication.

  1. Users enter their credentials to the CAS server.

  1. CAS returns a ticket to the application, granting access.

Use Cases: CAS is primarily used for single sign-on (SSO) in web applications.

Integration: CAS can be integrated with various applications using its ticket-based approach.

Available To
Staff, Students and Alumni (Selected Application)
Service Fee

Free

Service Hours

7×24

Getting Started

 

CAS Client Configuration

These are popular CAS client software libraries that are known to work with the CAS server and ITSO have supported them before:
 
There are CAS clients for other platforms (Python, Perl, Ruby, etc.) that are also likely to work with the CAS. In most cases it should suffice to plug in the login and ticket validation URLs into the configuration framework provided by the CAS client library. The below are all the endpoint URLs of CAS protocol.
 
  1. CAS login URL - https://cas.ust.hk/cas/login
  2. CAS v2 ticket validation URL - https://cas.ust.hk/cas/serviceValidate
  3. CAS v3 ticket validation URL - https://cas.ust.hk/cas/p3/serviceValidate
  4. SAML 1.1 ticket validation URL - https://cas.ust.hk/cas/samlValidate
  5. CAS logout URL - https://cas.ust.hk/cas/logout
  6. CAS proxy ticket request URL - https://cas.ust.hk/cas/proxy
  7. CAS proxy ticket validation URL - https://cas.ust.hk/cas/proxyValidate
  8. CAS v3 proxy ticket validation URL - https://cas.ust.hk/cas/p3/proxyValidate
CAS clients need to connect to CAS server via SSL for ticket validation. In most cases, if CAS clients can use operating system managed CA certificates store, no configuration is required. Otherwise, you have to configure the CA certificate trust store in the CAS client.  The CA certificate of CAS server certificate can be downloaded here.
 
There are examples in configuring these CAS client libraries. If using for development and testing tier, replace the host names with castest.ust.hk accordingly.

Attribute Release

Upon successful authentication of an user, you can choose to retrieve attributes of the user.  CAS server can release these attributes for CAS applications.

CAS Proxy Requirements

A request for a CAS proxy-granting ticket represents a request to perform delegated authentication, which is a substantial increase in privileges beyond the standard service ticket. Where a service ticket represents access to one service, a proxy-granting ticket represents the ability to grant access to many services. Proxying service must be requested separately and meet certain security control requirements.
 

 

Learn More

Support

General Enquiries cchelp@ust.hk
Suggestions & Complaints cclisten@ust.hk
Serviceline +852-2358-6200