Integrating applications in a web environment can require authenticating several times, which can lead to annoying gaffes and mix-ups. Fortunately, Single Sign On lets us unify user authentication in a simple and straightforward way. Let’s see how to implement it in Thinfinity® Remote Desktop.
What is CAS?
Central Authentication Service (“CAS”) is an authentication protocol, originally written at Yale University, created to provide a trusted Single Sign On (SSO) method for a web application to validate a user. Its purpose is to permit a user to access multiple applications while providing their credentials (such as user name, password, etc.) just a single time. Once the user is authenticated through SSO, they don’t need to provide their security credentials again.
The CASAuth demo
The CASAuth demo, which is distributed with the product installation, is a simple example you can use to test your CAS authentication environment with Thinfinity® Remote Desktop. You can easily locate it from a shortcut in the Start menu, inside Thinfinity/Remote Desktop Server/Thinfinity Remote Desktop Server Demos. There are some simple but important things you should note along the way, so make sure to follow each step carefully. Let’s start!
In login.aspx.cs you have to replace the value of CASHOST with the URL of your CAS server. In a testing environment, for example, this might be:
private const string CASHOST = "https://localhost:8081/cas-server-webapp-4.0.0/";
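Make sure you are using a valid certificate so ASP.NET doesn’t reject it. If you don’t have a valid certificate, you can replace the certificate validation function with the following code, which accepts any certificate the server presents. The callback applies to every HTTPS request the application makes, so keep this change to test environments:
bool MyServerCertificateValidationCallback(object sender,
X509Certificate certificate, X509Chain chain,
SslPolicyErrors sslPolicyErrors) { return true; } // accepts every certificate without checking it
and then assign this function to the ServicePointManager.ServerCertificateValidationCallback: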
ServicePointManager.ServerCertificateValidationCallback = MyServerCertificateValidationCallback;
If everything went as planned, these changes ensure your CAS server is reached and, if you are not already logged in, you are redirected to this server to validate the user.
We now need to make some changes in the Default.aspx.cs page. At this point you have to replace the value of the APIKey variable with the appropriate one from your environment. This value is in the server ini configuration file. (Note: for information on how to find it please refer to: http://www.cybelesoft.com/helps/thinfinity/remote-desktop/server/apikey.html).
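For a test CAS server with a self-signed certificate, a narrower alternative to accepting every certificate is to accept only that one certificate, and only for the CAS host. The following is an added example, not part of the CASAuth demo; the class name, `PinnedHost` and the `PinnedSha256` placeholder are assumptions you must adapt.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class CasTestCertificatePinning
{
    // Assumption: host name of the test CAS server (taken from the CASHOST example).
    private const string PinnedHost = "localhost";

    // Placeholder: SHA-256 hash of the test CAS server's certificate, hex without separators.
    private const string PinnedSha256 = "REPLACE_WITH_SHA256_OF_TEST_CERTIFICATE";

    public static bool Validate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Certificates that pass the normal chain and name checks are accepted as usual.
        if (sslPolicyErrors == SslPolicyErrors.None) return true;
        if (certificate == null) return false;

        // The callback is process-wide, so relax validation for the CAS host only.
        // The sender is either the web request or the host name string.
        HttpWebRequest request = sender as HttpWebRequest;
        string host = request != null ? request.RequestUri.Host : sender as string;
        if (!string.Equals(host, PinnedHost, StringComparison.OrdinalIgnoreCase))
            return false;

        // Accept a certificate that failed validation only if it is exactly the pinned one.
        using (SHA256 sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(certificate.GetRawCertData());
            string actual = BitConverter.ToString(hash).Replace("-", "");
            return string.Equals(actual, PinnedSha256, StringComparison.OrdinalIgnoreCase);
        }
    }

    // Call once at application start-up, before the first request to the CAS server.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```

With the placeholder left unchanged, the callback rejects every certificate that fails normal validation, so a forgotten pin fails closed.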
Also, you will notice that the dhc.Init method is being called. You have to replace the value passed to this function with the URL needed to reach your Thinfinity Remote Desktop server. Be careful! You need to make this change in the Default.aspx page too:
replacing http://localhost:8443 with the actual URL of your Thinfinity Remote Desktop Server.
Finally, there is a very important setting in this example that needs to be addressed. In Thinfinity Remote Desktop, users can get access through methods related to the Single Sign On (SSO) feature. Currently, two SSO methods are implemented: Google’s OAuth authentication and Radius authentication. An alternative option is to authenticate directly through Active Directory or using Windows user authentication.
One of the last lines in Default.aspx.cs states:
encQuery = HttpUtility.UrlEncode(dhc.EncodeStr("_userid=" + Userid + "&_apikey=" + APIKey + "&_ssologin=1"));
On that line you have a very important setting: _ssologin. The use cases for this parameter are:
The authentication acts as a Google OAuth authentication and the OAuth mapping will be used to correctly identify the user.
The authentication acts as a Radius authentication and the Radius mapping will be used to correctly identify the user.
If you remove the _ssologin from the string encoding process, the Active Directory or Windows authentication will be used.
(More info at http://www.cybelesoft.com/helps/thinfinity/remote-desktop/server/single-sign-on.html)
With all these settings correctly established, you will be able to use CAS as the authentication method for your Thinfinity Remote Desktop-enabled solution.