Implementing Single Sign-On authentication: How to use CAS with Thinfinity® Remote Desktop


Application integration in a web environment can require several separate authentication steps, which can lead to annoying gaffes and mix-ups. Fortunately, the Single Sign-On authentication method lets us unify the authentication of these users in a very simple and straightforward way. Let’s see how to implement it in Thinfinity® Remote Desktop.

What is CAS?

Central Authentication Service (“CAS”) is an authentication protocol, originally written at Yale University, created to provide a trusted Single Sign-On (SSO) method for a web application to validate a user. Its purpose is to permit a user to access multiple applications while providing their credentials (such as user name, password, etc.) just a single time. Once authenticated through SSO, the user doesn’t need to present their security credentials again.

The CASAuth demo

The CASAuth demo, which is distributed with the product installation, is a simple example you can use to test your CAS authentication environment with Thinfinity® Remote Desktop. You can easily locate it from a shortcut in the Start menu, inside Thinfinity/Remote Desktop Server/Thinfinity Remote Desktop Server Demos. There are some simple but important things you should note along the way, so make sure to follow each step carefully. Let’s start!

In login.aspx.cs you have to replace the value of CASHOST with the URL of your CAS server. In a testing environment, for example, this might be:

 private const string CASHOST = "https://localhost:8081/cas-server-webapp-4.0.0/";

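Make sure the CAS server uses a valid certificate so ASP.NET doesn’t reject the connection. If you don’t have a valid certificate, you can replace the certificate validation function with the following code, which accepts any certificate the server presents:

 // Requires: using System.Net; using System.Security.Cryptography.X509Certificates;
 // Accepts every server certificate, whatever sslPolicyErrors reports.
 bool MyServerCertificateValidationCallback(object sender,
      X509Certificate certificate, X509Chain chain,
      System.Net.Security.SslPolicyErrors sslPolicyErrors)
 {
      return true;
 }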

and then assign this function to the ServicePointManager.ServerCertificateValidationCallback:

 ServicePointManager.ServerCertificateValidationCallback = MyServerCertificateValidationCallback;
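
ServicePointManager.ServerCertificateValidationCallback applies to every outgoing HTTPS request in the application, so a callback that returns true removes certificate checking for all of them. For a test CAS server with a self-signed certificate, a narrower callback can accept only that one certificate. This is an added example, not part of the CASAuth demo; the class name, the pinned host and the fingerprint placeholder are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CasCertificatePolicy
{
    // Assumption: host name of the test CAS server, as in the CASHOST example.
    private const string PinnedHost = "localhost";

    // Placeholder: SHA-256 fingerprint (hex, no separators) of the test CAS
    // server's certificate. Replace it with the value from your own server.
    private const string PinnedSha256 = "<SHA256-FINGERPRINT-OF-YOUR-TEST-CAS-CERTIFICATE>";

    public static bool Validate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // A certificate that passes normal validation is always accepted.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // The callback is process-wide, so the exception is limited to
        // requests addressed to the pinned CAS host. Assumes the request is
        // made with HttpWebRequest (or WebClient); anything else fails closed.
        var request = sender as HttpWebRequest;
        if (certificate == null || request == null ||
            !string.Equals(request.RequestUri.Host, PinnedHost,
                           StringComparison.OrdinalIgnoreCase))
            return false;

        // Accept the untrusted certificate only if it is exactly the pinned one.
        using (var sha256 = SHA256.Create())
        {
            byte[] hash = sha256.ComputeHash(certificate.GetRawCertData());
            string actual = BitConverter.ToString(hash).Replace("-", "");
            return string.Equals(actual, PinnedSha256,
                                 StringComparison.OrdinalIgnoreCase);
        }
    }

    // Call once at application start, for example from Application_Start.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```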

If everything went as planned, these changes ensure that your CAS server is reached and, if you are not already logged in, that you are redirected to this server to validate the user.

We now need to make some changes in the Default.aspx.cs page. At this point you have to replace the value of the APIKey variable with the appropriate one from your environment. The key is defined in the server ini configuration file. (Note: for information on how to find it please refer to: Documentation APIkey).

Also, you will notice that the dhc.Init method is being called. You have to replace the value passed to this function with the URL needed to reach your Thinfinity Remote Desktop server. Be careful! You need to make this change in the Default.aspx page too:

replacing http://localhost:8443 with the actual URL of your Thinfinity Remote Desktop server.

Finally, an essential setting in this example needs to be addressed. In Thinfinity Remote Desktop, users can get access through methods tied to the Single Sign-On (SSO) authentication feature. Currently, two SSO methods are implemented: Google’s OAuth authentication and Radius authentication. An alternative option is to authenticate directly through Active Directory or using Windows user authentication.

One of the last lines in Default.aspx.cs states:

encQuery = HttpUtility.UrlEncode(dhc.EncodeStr("_userid=" + Userid + "&_apikey=" + APIKey + "&_ssologin=1"));

On that line you have a very important setting: _ssologin. The use cases for this parameter are:

_ssologin=1: The authentication acts as Google’s OAuth authentication and the OAuth mapping will be used to correctly identify the user.
_ssologin=2: The authentication acts as a Radius authentication and the Radius mapping will be used to correctly identify the user.
Not present: If you remove _ssologin from the string encoding process, the Active Directory or Windows authentication will be used.

(More info at Documentation: Single Sign On).

With all these settings correctly established, you will be able to use CAS as the authentication method for your Thinfinity Remote Desktop-enabled solution.

Quick Tip: Learn how to review remote access logs to monitor your users’ connections to the server.

Have any questions? Contact us at [email protected] or leave a message on this same post.

 
