Configuring CAS for Third Parties

Overview

Central Authentication Service (CAS) is an enterprise Single Sign-On solution for web services. Within William Hill we use CAS to authenticate our customers accessing our sportsbook. However, it's also possible to authenticate users on other areas of the business, and on external and third-party sites. This guide describes how you can integrate with our CAS system in order to authenticate users. Once a user is authenticated with CAS, it's possible to obtain different types of tickets to communicate with other William Hill services (for example, William Hill APIs).

The CAS protocol supports issuing proxy tickets. A proxy ticket allows a CAS-protected web application (web-app1) to communicate with another CAS-protected web application (web-app2) on behalf of a CAS user. Note that you would use a proxy ticket to communicate with the William Hill APIs.

Note

CAS Proxying must be used for any situation where the client is not communicating directly with our server (for example, a website with a server component).

If the client IS communicating directly with our server (for example, a mobile app without a server side, or an AngularJS application with client side calls) then Sessions API may be used.

Prerequisites

  1. Choose/reserve an endpoint so CAS can call your server. For example: http://www.mydomain.com/callback. This should return an HTTP Status 200 OK.
  2. (Optional) Obtain a CAS client for your platform of choice.
  3. In order to get CAS set up for your solution, provide us with the following information:
     • Your development machine's public IP address - the machine you use for development and testing
     • Your development server IP address and Callback URL
     • Your production server IP address and Callback URL

Procedure

You can either implement the solution manually by following the steps below or use a CAS client to simplify the integration. Each client comes with its own documentation and essentially performs these steps, so the guide below should still help in configuring an integration.

  1. Redirect to the William Hill CAS Login Page
    Example URL: https://auth.williamhill-test.com/cas/login?service=https://www.myserver.com/myservice

    Parameter Name | Description | Example Value
    service | The web based service you are restricting access to. CAS will redirect to this service after login | https://www.myserver.com/myservice

    Note that CAS will redirect the user to your service URL and append a parameter to the URL, for example: https://www.myserver.com/myservice?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS

    Parameter Name | Description | Example Value
    ticket | This is known as a Service Ticket. Service tickets are only valid for 10 seconds and are single-use only. | ST-956-Lyg0BdLkgdrBO9W17bXS

  2. Call CAS again (server side) with this ticket, first to validate it and then to get a Proxy Granting Ticket (PGT).

    Example URL: https://auth.williamhill-test.com/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=https://www.myserver.com/myservice&pgtUrl=https://www.myserver.com/callback

    Parameter Name | Description | Example Value
    ticket | This is the Service Ticket you have already obtained in the previous step. | ST-956-Lyg0BdLkgdrBO9W17bXS
    service | The web based service you are restricting access to. CAS will redirect to this service after login | https://www.myserver.com/myservice
    pgtUrl | The callback URL you reserved in the prerequisites. CAS will make a call to this URL | https://www.myserver.com/callback

    Once this call is made, you will get back a response containing a PGTIOU. The PGTIOU enables you to find the actual PGT in the next step.

    
    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
        <cas:authenticationSuccess>
            <cas:user>endjs</cas:user>
            <cas:proxyGrantingTicket>PGTIOU-85-8PFx8qipjkWYDbuBbNJ1roVu4yeb9WJIRdngg7fzl523Eti2td</cas:proxyGrantingTicket>
        </cas:authenticationSuccess>
    </cas:serviceResponse>

  3. Get the real PGT. By now the CAS service has made a call to your callback URL, including two parameters: one is the PGTIOU above (pgtIou) and the other is a PGT (pgtId). You can therefore match up the PGTIOU and extract the PGT ID.

    Example URL: https://www.myserver.com/callback?pgtIou=PGTIOU-85-8PFx8qipjkWYDbuBbNJ1roVu4yeb9WJIRdngg7fzl523Eti2td&pgtId=PGT-330-CSdUc5fCBz3g8KDDiSgO5osXfLMj9sRDAI0xDLg7jPn8gZaDqS

  4. You can now use this ticket against WHAPI, and it should be used anywhere the API requires a ticket. For example, you can validate the session by calling the ValidateSession method on the Sessions API.
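
The server-side handling in steps 2 and 3, as an added example in Python (not William Hill's code or any CAS client's): it parses the serviceValidate response, records the callback, and exchanges the PGTIOU for its PGT exactly once. The function names, the in-memory store and the 60-second retention are assumptions; the sample values are the example values shown in the steps above.

```python
import time
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
PGT_TTL_SECONDS = 60  # assumption: how long an unmatched callback entry is kept
_pending = {}  # pgtIou -> (pgtId, time received); hypothetical in-memory store

# Sample inputs: the example values shown on this page.
SAMPLE_IOU = "PGTIOU-85-8PFx8qipjkWYDbuBbNJ1roVu4yeb9WJIRdngg7fzl523Eti2td"
SAMPLE_RESPONSE = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationSuccess>"
    "<cas:user>endjs</cas:user><cas:proxyGrantingTicket>" + SAMPLE_IOU +
    "</cas:proxyGrantingTicket></cas:authenticationSuccess></cas:serviceResponse>")
SAMPLE_CALLBACK = ("https://www.myserver.com/callback?pgtIou=" + SAMPLE_IOU +
                   "&pgtId=PGT-330-CSdUc5fCBz3g8KDDiSgO5osXfLMj9sRDAI0xDLg7jPn8gZaDqS")

def record_callback(callback_url, now=None):
    """Step 3, callback side: store the pgtIou -> pgtId pair sent to pgtUrl."""
    params = parse_qs(urlsplit(callback_url).query)
    iou, pgt = params.get("pgtIou", [""])[0], params.get("pgtId", [""])[0]
    # The prerequisites require 200 OK; answer it even when parameters are absent.
    if iou.startswith("PGTIOU-") and pgt.startswith("PGT-"):
        _pending[iou] = (pgt, time.time() if now is None else now)
    return 200

def parse_service_validate(xml_text):
    """Step 2: return (user, pgtIou) from a serviceValidate response, or raise."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        fail = root.find("cas:authenticationFailure", CAS_NS)
        code = fail.get("code", "UNKNOWN") if fail is not None else "MALFORMED"
        raise PermissionError(f"CAS validation failed: {code}")
    user = ok.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    iou = ok.findtext("cas:proxyGrantingTicket", default="", namespaces=CAS_NS).strip()
    if not user or not iou:
        raise ValueError("response lacks cas:user or cas:proxyGrantingTicket")
    return user, iou

def claim_pgt(iou, now=None):
    """Step 3, matching side: swap the PGTIOU for its PGT exactly once."""
    pgt, received = _pending.pop(iou, (None, 0.0))
    now = time.time() if now is None else now
    if pgt is None or now - received > PGT_TTL_SECONDS:
        return None  # no callback seen for this PGTIOU, or the entry is too old
    return pgt
```

If the callback handler and the validating request run in different processes, the store has to be shared between them. Treat the PGT as a credential and keep it out of logs.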