CAS 3 Ticket Validation Response

CAS 3 Successful Ticket Validation Response (formatted for legibility)[1]:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> [2]
  <cas:authenticationSuccess> [3]
    <cas:user>de3</cas:user> [4]
    <cas:attributes> [5]
      <cas:lastName>Ellentuck</cas:lastName>
      <cas:isFromNewLogin>true</cas:isFromNewLogin>
      <cas:mail>[email protected]</cas:mail>
      <cas:bypassMultifactorAuthentication>false</cas:bypassMultifactorAuthentication>
      <cas:authenticationDate>2020-07-17T13:58:37.159-04:00[US/Eastern]</cas:authenticationDate>
      <cas:authnContextClass>mfa-duo</cas:authnContextClass>
      <cas:givenName>Daniel</cas:givenName>
      <cas:successfulAuthenticationHandlers>JaasAuthenticationHandler</cas:successfulAuthenticationHandlers>
      <cas:successfulAuthenticationHandlers>mfa-duo</cas:successfulAuthenticationHandlers>
      <cas:lastPasswordChangeDate>Mon Dec 30 15:32:53 EST 2019</cas:lastPasswordChangeDate> [6]
      <cas:samlAuthenticationStatementAuthMethod>urn:oasis:names:tc:SAML:1.0:am:password</cas:samlAuthenticationStatementAuthMethod>
      <cas:samlAuthenticationStatementAuthMethod>urn:oasis:names:tc:SAML:1.0:am:unspecified</cas:samlAuthenticationStatementAuthMethod>
      <cas:credentialType>UsernamePasswordCredential</cas:credentialType>
      <cas:credentialType>DuoCredential</cas:credentialType>
      <cas:affiliation>OAUTH_auth-columbia</cas:affiliation> [7]
      <cas:affiliation>CUNIX_idmserv</cas:affiliation>
      <cas:affiliation>CUNIX_casadmin</cas:affiliation>
      <cas:affiliation>CUNIX_src</cas:affiliation>
      <cas:affiliation>LM_ou_TeamLion</cas:affiliation>
      <cas:affiliation>VPN_Users</cas:affiliation>
      <cas:affiliation>CU_IT</cas:affiliation>
      <cas:affiliation>MFA_all</cas:affiliation>
      <cas:affiliation>PAC</cas:affiliation>
      <cas:affiliation>CUstaff</cas:affiliation>
      <cas:affiliation>AcisLibraryLabUser</cas:affiliation>
      <cas:authenticationMethod>JaasAuthenticationHandler</cas:authenticationMethod>
      <cas:authenticationMethod>mfa-duo</cas:authenticationMethod> [8]
      <cas:eduPersonPrincipalName>[email protected]</cas:eduPersonPrincipalName>
      <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
      <cas:username>de3</cas:username>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>


CAS 3 Unsuccessful Ticket Validation Response (formatted for legibility)[1]:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> [2]
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket 'ST-1402-0RwQL4YfoydrrJwiI80WitPnFiccasdevapp01' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>


Notes:

1. Available via:

    https://[cas-hostname]/cas/p3/serviceValidate?service=[service-URL]&ticket=[service-ticket]


2. A ticket validation response consists of a <serviceResponse> element which contains either an <authenticationSuccess> element or an <authenticationFailure> element.

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>


3. The <authenticationSuccess> element is present when the user has successfully logged in; it contains a <user> element and an <attributes> element.

    <cas:authenticationSuccess>


4. The <user> element contains the UNI:

     <cas:user>de3</cas:user>


5. The multi-valued <attributes> element contains various user and authentication attributes. User attributes are selectively returned to the application and must be specifically requested as part of service registration:

      <cas:attributes>
        <cas:lastName>Ellentuck</cas:lastName>
        [...other attributes...]
        <cas:username>de3</cas:username>
      </cas:attributes>


6. Date of last password change is available in an attribute called "lastPasswordChangeDate":

    <cas:lastPasswordChangeDate>Mon Dec 30 15:32:53 EST 2019</cas:lastPasswordChangeDate>


7. LDAP affiliations are available in a multi-valued attribute called "affiliation." Affiliations are selectively returned to the application and must be specifically requested as part of service registration. The order in which they appear is arbitrary:

    <cas:affiliation>OAUTH_auth-columbia</cas:affiliation>
    <cas:affiliation>CUNIX_idmserv</cas:affiliation>
    <cas:affiliation>CUNIX_casadmin</cas:affiliation>
    <cas:affiliation>CUNIX_src</cas:affiliation>
    <cas:affiliation>LM_ou_TeamLion</cas:affiliation>
    <cas:affiliation>VPN_Users</cas:affiliation>
    <cas:affiliation>CU_IT</cas:affiliation>
    <cas:affiliation>MFA_all</cas:affiliation>
    <cas:affiliation>PAC</cas:affiliation>
    <cas:affiliation>CUstaff</cas:affiliation>
    <cas:affiliation>AcisLibraryLabUser</cas:affiliation>


8. Indicates the user has authenticated with Duo MFA:

    <cas:authenticationMethod>mfa-duo</cas:authenticationMethod>
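Added example (not the page's or Apereo CAS's own code): a parser for the CAS 3 response format described in notes 2 through 8, covering both the success and the failure case. It assumes only the namespace URI shown on the <cas:serviceResponse> element; the sample inputs are constructed from the two responses above.

```python
import xml.etree.ElementTree as ET  # production code: use defusedxml.ElementTree instead

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace declared on <cas:serviceResponse> above


def cas(name):
    """Qualify a local element name with the CAS namespace, as ElementTree expects."""
    return "{%s}%s" % (CAS_NS, name)


class CasValidationError(Exception):
    """CAS reported a failure (message starts with its code) or the XML is unusable."""


def parse_service_response(xml_text):
    """Return {'user': uni, 'attributes': {name: [values]}} for a success response.
    Every attribute is kept as a list so multi-valued ones (affiliation,
    authenticationMethod, ...) are never silently reduced to one value."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CasValidationError("malformed response: %s" % exc) from None
    if root.tag != cas("serviceResponse"):
        raise CasValidationError("unexpected root element %r" % root.tag)
    failure = root.find(cas("authenticationFailure"))
    if failure is not None:  # note 2: the failure element carries a 'code' attribute
        raise CasValidationError("%s: %s" % (failure.get("code", "UNKNOWN"),
                                            (failure.text or "").strip()))
    success = root.find(cas("authenticationSuccess"))
    user = success.findtext(cas("user")) if success is not None else None
    if not user or not user.strip():
        raise CasValidationError("no authenticationSuccess with a <cas:user> element")
    attributes, attrs = {}, success.find(cas("attributes"))
    for child in (list(attrs) if attrs is not None else []):
        name = child.tag[len(cas("")):]  # strip the '{namespace}' prefix
        attributes.setdefault(name, []).append((child.text or "").strip())
    return {"user": user.strip(), "attributes": attributes}


def used_duo_mfa(result):
    """Note 8: true when 'mfa-duo' is one of the authenticationMethod values."""
    return "mfa-duo" in result["attributes"].get("authenticationMethod", [])


# Constructed sample inputs, abridged from the two responses shown on this page.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>de3</cas:user><cas:attributes>
    <cas:lastName>Ellentuck</cas:lastName>
    <cas:authenticationMethod>JaasAuthenticationHandler</cas:authenticationMethod>
    <cas:authenticationMethod>mfa-duo</cas:authenticationMethod>
    <cas:affiliation>VPN_Users</cas:affiliation><cas:affiliation>CUstaff</cas:affiliation>
  </cas:attributes></cas:authenticationSuccess></cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">Ticket 'ST-1402-0RwQL4YfoydrrJwiI80WitPnFiccasdevapp01' not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

Treat the returned user and attributes as trustworthy only when the response came from the CAS server over TLS for the exact service URL that was sent in the validation request.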