Security

Implementing Single Sign-On authentication: How to use CAS with Thinfinity® Remote Desktop

Implementing Single Sign-On authentication: How to use CAS with Thinfinity® Remote Desktop

Introduction

Application integration in a web environment could require several instances of authentication, which sometimes can lead to annoying gaffes and mix-ups. Fortunately, the Single Sign-On authentication method will help us achieve the unified authentication of these users in a very simple and straightforward way. Let’s see how to implement it in Thinfinity® Remote Desktop.

What is CAS?

Central Authentication Service (“CAS”) is an authentication protocol, originally written at Yale University, created to provide a trusted Single Sign On (SSO) method for a web application to validate a user. Its purpose is to permit a user to access multiple applications while providing their credentials (such as user name, password, etc.) just a single time. Once the user is authenticated by an SSO, he/she doesn’t need to render his/her security credentials again.

The CASAuth demo

The CASAuth demo, which gets distributed in the product installation, is a simple example you can use to test your CAS authentication environment with Thinfinity® Remote Desktop. You can easily locate it from a shortcut in the Start menu, inside Thinfinity/Remote Desktop Server/Thinfinity Remote Desktop Server Demos. There are some simple but important things you should note along the way, so make sure to follow each step carefully. Let’s start!

In login.aspx.cs you have to replace the CASHOST with the URL of your CAS server. In a testing environment, for example, this might be:

 private const string CASHOST = "https://localhost:8081/cas-server-webapp-4.0.0/";

Make sure you are using a valid certificate so ASP.NET doesn’t reject it. If you don’t have a valid certificate, you can replace the certificate validation function with the following code:

 bool MyServerCertificateValidationCallback(object sender,
      X509Certificate certificate, X509Chain chain,
      System.Net.Security.SslPolicyErrors sslPolicyErrors)
 {
      return true;
 }

and then assign this function to the ServicePointManager.ServerCertificateValidationCallback:

 ServicePointManager.ServerCertificateValidationCallback = MyServerCertificateValidationCallback;

If everything went as planned, these changes would ensure your CAS server is reached and, in case you are not already logged in, you would be redirected to this server to validate the user.
We now need to make some changes in the Default.aspx.cs page. At this point you have to replace the value of APIKey variable with the appropriate one from your environment. This variable is in the server ini configuration file. (Note: for information on how to find it please refer to: Documentation APIkey).

Also, you will notice that the dhc.Init method is being called. You have to replace the value passed to this function with the URL needed to reach your Thinfinity Remote Desktop server. Be careful! You need to make this change in the Default.aspx page too:

replacing http://localhost:8443 with the actual URL of your Thinfinity Remote Desktop server.

Finally, an essential setting in this example needs to be addressed. In Thinfinity Remote Desktop users can get access using some methods related to the Single Sign-On authentication (SSO) feature. Currently, two SSO methods are implemented: Google’s OAuth authentication and Radius authentication. An alternative option is to authenticate directly through Active Directory or using Windows user authentication.
One of the last lines in Default.aspx.cs states:

encQuery = HttpUtility.UrlEncode(dhc.EncodeStr("_userid=" + Userid + "&_apikey=" + APIKey + "&_ssologin=1"));

On that line you have a very important setting: _ssologin. The use cases for this parameter are:

 

_ssologin=1The authentication acts as Google’s OAuth authentication and the Oauth mapping will be used to correctly identify the user.
_ssologin=2The authentication acts as a Radius authentication and the Radius mapping will be used to correctly identify the user.
Not presentIf you remove the _ssologin from the string encoding process, the Active Directory or Windows authentication will be used.

 

(More info at Documentation: Single Sign On).

With all these settings correctly established, you will be able to use CAS as the authentication method for your Thinfinity Remote Desktop-enabled solution.

Quick Tip: Learn how to review remote access logs to monitor your users connections to the server.

 

Have any questions?

Book a call today to learn more about how Thinfinity® can help your organization. We are always available to guide you and provide the best solution based on your specific needs.

Add Comment

Thinfinity_logo

Get a Demo

Experience how Universal ZTNA with Thinfinity® integrates with VDI and DaaS for unmatched security and flexibility.

Blogs you might be interested in

<span>Authentication</span>, <span>CAS</span>, <span>IT Security</span>, <span>RBAC</span>, <span>Secure Access</span>, <span>Single Sign-On (SSO)</span>, <span>Thinfinity Workspace</span>