Architectural design

The image shows how a CAS application server running the Ubuntu 16.04 Linux distribution is constructed, and how third-party web systems that use CAS to authenticate their users communicate with it over a secure TLS connection. Securing the connections between the CAS application server and the OAuth2 clients with TLS provides three primary services that help ensure the safety and security of the exchanged data:

  • Authentication enables each party to verify the other party’s identity.
  • Data is encrypted while in transit between the user agent and the server, so that it cannot be read or interpreted by unauthorized parties.
  • Integrity protection ensures that between encrypting, transmitting, and decrypting the data no information is lost, damaged, tampered with, or falsified.

All CAS components are installed on a single server (labelled CAS application server in the image), where an HAProxy web server acts as a reverse proxy and forwards incoming HTTP requests to the appropriate application. Placing a reverse proxy in front protects the CAS application server from direct probing and attacks and keeps its internal infrastructure hidden.

The CAS business logic resides in the CAS backend app, which is built with the Java Spring Boot 2.0 framework. Only this application has access to the database in which all information required by CAS is stored; the database engine is PostgreSQL 9.5. The CAS backend app also communicates with an ElasticSearch instance, which is used for statistics: information that is later needed for statistical purposes is sent to it.

The CAS frontend app is a user interface for users with admin roles who need to configure CAS settings. The app is developed in Angular v4 and is available at https://eid.eregistrations.org/login. Since the CAS frontend app also uses CAS to authenticate its users, it is configured as one of CAS’s OAuth2 clients in the CAS database.

Third-party apps that use CAS to authenticate their users follow the OAuth2 authorization framework flows to communicate with the CAS backend. Each of these apps must be properly configured as a CAS OAuth2 client.
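As an added example (not the project's own configuration), the reverse-proxy layer described above can be expressed as an HAProxy configuration: TLS is terminated in front of the single CAS application server, plain HTTP is redirected to HTTPS, and requests are routed by path to the CAS backend app or to the Angular frontend app. The listening ports, the /api and /oauth path prefixes, the certificate path and the HAProxy 1.6+ syntax are assumptions, not taken from the page.

```haproxy
# Added example, not the project's own config. Assumptions (not on the page):
# backend app on 127.0.0.1:8080, frontend app on 127.0.0.1:4200,
# backend API paths start with /api or /oauth, cert at /etc/haproxy/certs/eid.pem.
global
    log /dev/log local0
    # Accept only modern TLS versions; disable SSLv3/TLS 1.0/1.1 and session tickets
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option forwardfor          # pass the real client IP to the apps
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP: never serve CAS over it, always redirect to HTTPS
frontend http_in
    bind *:80
    http-request redirect scheme https code 301

# TLS termination for the OAuth2 clients and the admin UI
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/eid.pem
    # Tell the apps the original scheme so redirect URIs are built as https://
    http-request set-header X-Forwarded-Proto https
    # Defensive response headers; strip anything that reveals the stack behind the proxy
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    http-response del-header Server
    http-response del-header X-Powered-By
    # Route by path: API and OAuth2 endpoints go to the backend, everything else to the Angular UI
    acl is_backend path_beg /api /oauth
    use_backend cas_backend if is_backend
    default_backend cas_frontend

backend cas_backend
    server backend1 127.0.0.1:8080 check

backend cas_frontend
    server frontend1 127.0.0.1:4200 check
```

Because the proxy terminates TLS, the backend app must trust the X-Forwarded-Proto header when generating OAuth2 redirect URIs, otherwise clients receive http:// redirects that the http_in frontend bounces back.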