I'd like to know more about the different ways of solving Single Sign-On and their pros and cons. Have you worked with one particular solution, tell me what
I can answer some of the questions regarding CAS as I have used it before. I've no experience with OAuth and therefore won't comment on it.
First of all, I don't understand the need for token verification in CAS; what is it good for?
CAS is used for SSO purposes. It's used when you have multiple applications (desktop apps/web apps on different TLDs) that want to authenticate against a single source.
Is it more secure? I note that it's redirect based and hence equally subject to man-in-the-middle attack, just as a "custom" auth server without the extra token verification step would be. Is there something about the security in CAS that I'm missing?
Authentication servers use SSL to prevent MitM attacks. But I don't see how this is a problem specific to SSO/CAS, since you would have the same problem even if the app were doing its own authentication. Maybe you can tell us what kind of MitM attacks you are worried about with the CAS setup.
Is the purpose of the tokens to provide single sign-out and/or timeout? (We don't want it, our users would hate us.) I've been looking into CAS, as there are some awesome Ruby implementations, but I'm not sure it's what we need.
The tokens are just a way for the application to authenticate you without having your password. They are short-lived, single-use tokens associated with your user credentials. The application provides the token to the CAS server and the CAS server replies with a credential, if any is associated with it. Single sign-out and timeout are possible to implement but are not directly tied to having the tokens.
I hope this is clear. I tried to make it a high-level explanation. Feel free to ask for specifics if there's any part that is not clear or that you want more detail about.
EDIT: I found a better, simpler explanation of how CAS works at http://www.jasig.org/cas/proxy-authentication (the rest of the page talks about proxied authentication, which is more complex, but the first few paragraphs are the simple case we are talking about here):
I go to my Portal instance. It redirects me to CAS to login. CAS detects my secure cookie and does the Single Sign On whereby I don't have to give my username and password again. CAS redirects me back to the portal. The portal validates the ticket and logs me into the Portal. I see my default layout populated with some cool channels telling me it's really cold outside and what's in the news.
Notice that the portal didn't get my password.
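The ticket exchange the answer describes, as an added worked example (this is a toy simulation written for this page, not code from the answer, the question, or the Jasig CAS project; the CasServer and Portal classes, the sample user, the URLs and the 10-second ticket lifetime are all assumptions made for illustration). It shows the three properties the answer attributes to the tickets: the portal never sees the password, a ticket is consumed on its first validation, and a ticket is bound to the service it was issued for, so a ticket lifted from one application's redirect is useless to another.

```python
"""Toy simulation of the CAS service-ticket exchange.

Added example: not code from the answer above or from the Jasig CAS
project. CasServer, Portal, the sample user and the 10-second ticket
lifetime are assumptions made for illustration.
"""
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

SERVICE_TICKET_TTL_SECONDS = 10   # assumed lifetime of an unredeemed ticket


@dataclass
class _TicketRecord:
    username: str
    service: str
    issued_at: float


class CasServer:
    """The single authentication source; only it ever sees the password."""

    def __init__(self, users, clock=time.time):
        self._users = users      # constructed sample: username -> password
        self._clock = clock      # injectable clock so expiry is testable
        self._tickets = {}       # ticket id -> _TicketRecord

    def login(self, username, password, service):
        """Browser presents credentials (or an SSO cookie) to CAS; CAS mints a
        random, single-use ticket bound to the service that asked for it."""
        if self._users.get(username) != password:
            return None
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = _TicketRecord(username, service, self._clock())
        return ticket

    def validate(self, ticket, service):
        """Back-channel call from the application. Returns the username, or
        None if the ticket is unknown, already used, expired, or was issued
        for a different service than the one presenting it."""
        record = self._tickets.pop(ticket, None)   # pop: consumed on first use
        if record is None:
            return None
        if self._clock() - record.issued_at > SERVICE_TICKET_TTL_SECONDS:
            return None
        if record.service != service:
            return None
        return record.username


class Portal:
    """An application that authenticates via CAS and never sees a password."""

    def __init__(self, service_url, cas):
        self.service_url = service_url
        self._cas = cas
        self.sessions = {}       # session id -> username

    def login_redirect(self, cas_login_url):
        """Step 1: send the unauthenticated browser to CAS with service=..."""
        return cas_login_url + "?" + urlencode({"service": self.service_url})

    def handle_callback(self, callback_url):
        """Step 3: CAS redirected the browser back with ?ticket=ST-...; the
        portal validates it server-side and only then opens a session."""
        ticket = parse_qs(urlparse(callback_url).query).get("ticket", [None])[0]
        if ticket is None:
            return None
        username = self._cas.validate(ticket, self.service_url)
        if username is None:
            return None
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = username
        return session_id


def run_flow():
    """Walk the exchange and return what each validation attempt yielded."""
    clock = [1000.0]
    cas = CasServer({"alice": "correct horse"}, clock=lambda: clock[0])
    portal = Portal("https://portal.example/", cas)
    other_app = Portal("https://other.example/", cas)
    out = {"redirect": portal.login_redirect("https://cas.example/login")}

    # Happy path: ticket issued for the portal, validated once by the portal.
    ticket = cas.login("alice", "correct horse", portal.service_url)
    callback = f"{portal.service_url}?ticket={ticket}"
    sid = portal.handle_callback(callback)
    out["first_user"] = portal.sessions.get(sid)
    out["replay_session"] = portal.handle_callback(callback)   # same ticket again

    # A ticket minted for the portal is useless to a different service.
    ticket = cas.login("alice", "correct horse", portal.service_url)
    out["wrong_service_session"] = other_app.handle_callback(
        f"{other_app.service_url}?ticket={ticket}")

    # An unredeemed ticket dies after the TTL.
    ticket = cas.login("alice", "correct horse", portal.service_url)
    clock[0] += SERVICE_TICKET_TTL_SECONDS + 1
    out["expired_session"] = portal.handle_callback(
        f"{portal.service_url}?ticket={ticket}")

    out["bad_password_ticket"] = cas.login("alice", "wrong", portal.service_url)
    return out


if __name__ == "__main__":
    for key, value in run_flow().items():
        print(f"{key}: {value}")
```

In a real deployment the `validate` call is an HTTPS request from the application's backend to the CAS server's validation endpoint, which is why it is the application, not the browser, that ends up holding the username; the ticket crossing the browser is only ever a random one-time handle.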