Apereo CAS - Unique SSO per User

Posted by Misagh Moayyed on May 20, 2020 · 2 mins read

While consulting on a CAS deployment, I ran across an interesting question that I think deserves its own post:

I want to allow only one session per account. If anyone tries to log in with the same credentials and the earlier session is still not destroyed, then the system should prevent the user from logging in.

Since the days of CAS 5.2.x, CAS has had an authentication policy named Unique Principal, which is satisfied if and only if the requesting user has not already authenticated with CAS. Otherwise the authentication event is blocked, preventing multiple logins.

Let’s explore this policy a little bit more, given the following starting position:

Authentication Policy Configuration

Turning on the policy is in fact quite easy, by including the following setting in the cas.properties file:

cas.authn.policy.unique-principal.enabled=true

This will activate the authentication policy, but it does come at a cost. To do its job, CAS needs to query the ticket registry and all tickets present to determine whether the current user has already established an authentication session anywhere. It examines the content of the ticket registry looking for ticket-granting tickets that may belong to the same user, and if it finds more than one, it will block the authentication attempt. This will surely add a performance burden to the deployment, as querying the registry to examine all available tickets is not a lightweight operation, and the cost grows with the number of tickets the registry holds.
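To make the behaviour described above concrete, here is an added example (not code from the CAS project) that models the policy's decision over a small in-memory ticket registry. The ticket, registry and function names are assumptions made for this illustration, not the CAS API. The check is modelled as: block the new login when the registry already holds a live ticket-granting ticket for the same principal, while ignoring tickets that have expired but not yet been cleaned up, so a stale session does not lock the user out. The registry keeps a scan counter so the full-scan cost the post warns about is visible.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

# Fixed clock so the example is deterministic (constructed value).
FIXED_NOW = datetime(2020, 5, 20, 12, 0, tzinfo=timezone.utc)


@dataclass
class TicketGrantingTicket:
    """Constructed model of a CAS ticket-granting ticket (TGT); field names
    are illustrative, not the CAS API."""
    ticket_id: str
    principal_id: str
    created: datetime
    last_used: datetime
    max_lifetime: timedelta = timedelta(hours=8)
    idle_timeout: timedelta = timedelta(hours=2)

    def is_expired(self, now: datetime) -> bool:
        # A TGT is dead once it outlives its hard limit or sits idle too long.
        return (now - self.created > self.max_lifetime
                or now - self.last_used > self.idle_timeout)


class TicketRegistry:
    """Toy in-memory registry. The query walks every ticket, which is the
    cost the post warns about when the policy is enabled."""

    def __init__(self) -> None:
        self._tickets: Dict[str, TicketGrantingTicket] = {}
        self.tickets_scanned = 0  # counter to make the scan cost visible

    def add(self, tgt: TicketGrantingTicket) -> None:
        self._tickets[tgt.ticket_id] = tgt

    def delete(self, ticket_id: str) -> None:
        self._tickets.pop(ticket_id, None)

    def get_tickets(
        self, predicate: Callable[[TicketGrantingTicket], bool]
    ) -> List[TicketGrantingTicket]:
        matches = []
        for tgt in self._tickets.values():
            self.tickets_scanned += 1
            if predicate(tgt):
                matches.append(tgt)
        return matches


def unique_principal_allows_login(
    registry: TicketRegistry, principal_id: str, now: datetime
) -> Tuple[bool, List[str]]:
    """Decide whether a new authentication for principal_id may proceed.
    Returns (allowed, ids of conflicting live TGTs). Expired tickets that
    the registry has not yet removed are ignored."""
    live = registry.get_tickets(
        lambda t: t.principal_id == principal_id and not t.is_expired(now)
    )
    return (len(live) == 0, [t.ticket_id for t in live])


def build_sample_registry(now: datetime = FIXED_NOW) -> TicketRegistry:
    """Constructed sample data: one live session, one idle-expired session,
    one unrelated live session."""
    reg = TicketRegistry()
    reg.add(TicketGrantingTicket("TGT-1-alice", "alice",
                                 now - timedelta(minutes=30),
                                 now - timedelta(minutes=5)))
    reg.add(TicketGrantingTicket("TGT-2-bob", "bob",
                                 now - timedelta(hours=5),
                                 now - timedelta(hours=3)))  # idle > 2h
    reg.add(TicketGrantingTicket("TGT-3-carol", "carol",
                                 now - timedelta(minutes=10), now))
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    for user in ("alice", "bob", "dave"):
        allowed, conflicts = unique_principal_allows_login(reg, user, FIXED_NOW)
        print(f"{user}: {'allowed' if allowed else 'blocked'} conflicts={conflicts}")
    reg.delete("TGT-1-alice")  # alice logs out (TGT destroyed)
    print("alice after logout:",
          unique_principal_allows_login(reg, "alice", FIXED_NOW)[0])
    print("tickets scanned so far:", reg.tickets_scanned)
```

Note that each decision scans the whole registry: four checks over three tickets cost nine scans before the logout and two more after it. In a real deployment that scan runs against whatever backs the ticket registry, which is why the post describes the policy as a performance burden rather than a free switch.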

So…

I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please know that all other use cases, scenarios, features, and theories certainly are possible as well. Feel free to engage and contribute as best as you can.

Happy Coding,

Misagh Moayyed