Industry standard protocols are the reason that Single Sign-On (SSO) is a popular topic throughout the tech industry. SSO reduces login prompts for end-users while improving both usability and productivity. Without the use of industry-standard protocols, this entire process would be much more difficult to implement and manage. However, it can often be difficult to decide which protocol to utilize within your environment. Security Assertion Markup Language (SAML) and Central Authentication Service (CAS) are common names on the list of top protocols, but how do you choose which is right for you?
Knowing What’s Available – Do You Have a Choice?
The first question that you need to ask is this: What options are available? Not all applications support every industry standard protocol. Knowing which option is supported by your application will take the guesswork out of the process.
From there, the deciding factor turns to the Identity Provider (IdP). Much like each individual application, each IdP differs in which protocols it supports. For example, the PortalGuard IdP supports a wide range of industry standard protocols. Other IdPs such as Shibboleth or ADFS have a much more limited scope.
If both the application and the IdP support multiple industry standard protocols, you have the flexibility to choose from the available options. At this point it comes down primarily to preference, but we can offer some insight into which option will better serve your organization in the long run.
The Modern Industry Standard Protocol
CAS and SAML have their own unique benefits. SAML SSO, however, is the clear winner in terms of a more ‘modern’ industry standard protocol. SAML makes use of digital signatures to ensure security throughout the entire process and simplifies the integration for a more streamlined, easier-to-troubleshoot experience.
CAS, on the other hand, utilizes an additional server-to-server communication step that many organizations prefer to the HTTP-based SAML protocol. During CAS SSO, the application server and the IdP communicate directly to confirm the validity of the request. This step tends to be where most troubleshooting occurs, however, as server-to-server communication is prone to its own pitfalls. Securing that communication and getting the timing of the validation request right are the most common difficulties with CAS authentication.
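To make the server-to-server step concrete, here is an added simulation of the CAS 2.0 service-ticket exchange (it is not PortalGuard or CAS project code). The browser side is reduced to the redirect URL that comes back from the IdP's login endpoint; the application server then validates the ticket over the back-channel, and the IdP applies the three checks that cause most of the timing and URL trouble described above: the ticket is single-use, bound to the exact service URL it was issued for, and short-lived. The hostnames, the `ST-` ticket format and the 10-second lifetime are assumptions chosen for illustration.

```python
"""Simulated CAS 2.0 service-ticket exchange: the browser-facing /login redirect
and the application server's back-channel /serviceValidate call.
Added example, not PortalGuard or CAS project code; hosts, ticket format and
the 10-second lifetime are assumptions for illustration."""
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

CAS_NS = "http://www.yale.edu/tp/cas"
TICKET_TTL_SECONDS = 10  # service tickets are meant to be short-lived and single-use


def _response(body):
    return f'<cas:serviceResponse xmlns:cas="{CAS_NS}">{body}</cas:serviceResponse>'


def _success(user):
    return _response(f"<cas:authenticationSuccess><cas:user>{user}</cas:user>"
                     "</cas:authenticationSuccess>")


def _failure(code, message):
    return _response(f'<cas:authenticationFailure code="{code}">{message}'
                     "</cas:authenticationFailure>")


class CasServer:
    """IdP side: issues a service ticket at login and validates it exactly once."""

    def __init__(self):
        self._tickets = {}  # ticket -> (service, user, issued_at)

    def login(self, service, user):
        # After the browser authenticates at /login?service=..., the IdP
        # redirects back to that exact service URL with a fresh ticket.
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (service, user, time.time())
        return f"{service}?{urlencode({'ticket': ticket})}"

    def service_validate(self, service, ticket, now=None):
        # Back-channel call from the application server. The three checks
        # below (single use, service binding, lifetime) are where timing and
        # URL mismatches surface in practice.
        now = time.time() if now is None else now
        entry = self._tickets.pop(ticket, None)  # consume it: a replay fails
        if entry is None:
            return _failure("INVALID_TICKET", "ticket unknown or already used")
        bound_service, user, issued_at = entry
        if bound_service != service:
            return _failure("INVALID_SERVICE", "ticket was issued for another service")
        if now - issued_at > TICKET_TTL_SECONDS:
            return _failure("INVALID_TICKET", "ticket expired")
        return _success(user)


def ticket_from_url(url):
    """Pull the ticket parameter off the callback URL (None if absent)."""
    return parse_qs(urlparse(url).query).get("ticket", [None])[0]


def app_handle_callback(cas, callback_url, expected_service, now=None):
    """Application side: take the ticket off the callback URL, validate it
    over the back-channel and return the username, or None on any failure."""
    parsed = urlparse(callback_url)
    service = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if service != expected_service:
        return None  # never validate a ticket against a service we did not register
    ticket = ticket_from_url(callback_url)
    if not ticket:
        return None
    root = ET.fromstring(cas.service_validate(service, ticket, now=now))
    user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    return user.text if user is not None else None


if __name__ == "__main__":
    cas = CasServer()
    svc = "https://app.example.test/cas/callback"
    url = cas.login(svc, "alice")
    print(app_handle_callback(cas, url, svc))  # first validation succeeds
    print(app_handle_callback(cas, url, svc))  # second one fails: ticket consumed
```

The `now` parameter exists only so the expiry path can be exercised without sleeping; a real deployment relies on the IdP clock, which is why clock skew between the application server and the IdP is a frequent cause of "expired ticket" failures even when nothing else is misconfigured.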
Furthermore, the simple act of configuring each protocol varies wildly when comparing SAML to CAS. With SAML SSO, the IdP and the application (commonly referred to as the Service Provider or SP) exchange metadata to ensure the data on both ends matches what the other expects. This allows for much simpler configuration, as both sides of the SSO process provide an ‘outline’ for what is required. The CAS SSO protocol does NOT make use of metadata, requiring manual configuration and manipulation on both the application and the IdP side of things. While not entirely difficult, this process is more involved and introduces more potential problem points that could break the integration if not handled correctly.
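The metadata exchange is what lets a SAML integration be checked before anyone tries to log in. The following added example (not PortalGuard code) parses a constructed SP metadata document and a constructed IdP metadata document with the standard library, then reports mismatches between them and between the SP metadata and what an administrator registered by hand on the IdP side. The entity IDs, endpoint URLs and the placeholder certificate are all constructed; only the SAML 2.0 namespace and binding URIs are real.

```python
"""Check that SAML SP and IdP metadata describe a workable pairing, and that
the values an admin registered on the IdP side match the SP's own metadata.
Added example, not PortalGuard code; all metadata below is constructed."""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata: one HTTP-POST assertion consumer endpoint.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.example.test/saml">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata: a signing certificate (placeholder) and two SSO bindings.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...CONSTRUCTED-PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# What the admin typed into the IdP when registering this SP (constructed).
GOOD_REGISTRATION = {"sp_entity_id": "https://app.example.test/saml",
                     "acs_url": "https://app.example.test/saml/acs"}
BAD_REGISTRATION = {"sp_entity_id": "https://app.example.test/saml",
                    "acs_url": "https://app.example.test/saml/ACS"}  # case typo


def parse_sp(xml_text):
    root = ET.fromstring(xml_text)
    sp = root.find(f"{MD}SPSSODescriptor")
    return {
        "entity_id": root.get("entityID"),
        "want_signed": (sp.get("WantAssertionsSigned") or "false").lower() == "true",
        "acs": {a.get("Binding"): a.get("Location")
                for a in sp.findall(f"{MD}AssertionConsumerService")},
    }


def parse_idp(xml_text):
    root = ET.fromstring(xml_text)
    idp = root.find(f"{MD}IDPSSODescriptor")
    signing_certs = [
        c.text.strip()
        for k in idp.findall(f"{MD}KeyDescriptor")
        if k.get("use", "signing") == "signing"  # no 'use' attribute means both uses
        for c in k.iter(f"{DS}X509Certificate")
    ]
    return {
        "entity_id": root.get("entityID"),
        "sso": {s.get("Binding"): s.get("Location")
                for s in idp.findall(f"{MD}SingleSignOnService")},
        "signing_certs": signing_certs,
    }


def pairing_issues(sp_xml, idp_xml, registration):
    """Return human-readable problems; an empty list means both metadata
    documents and the manual registration agree."""
    sp, idp = parse_sp(sp_xml), parse_idp(idp_xml)
    issues = []
    acs_post = sp["acs"].get(HTTP_POST)
    if acs_post is None:
        issues.append("SP metadata has no HTTP-POST AssertionConsumerService")
    if not (set(idp["sso"]) & {HTTP_POST, HTTP_REDIRECT}):
        issues.append("IdP metadata offers no HTTP-Redirect or HTTP-POST SingleSignOnService")
    if sp["want_signed"] and not idp["signing_certs"]:
        issues.append("SP wants signed assertions but IdP metadata publishes no signing certificate")
    for url in list(sp["acs"].values()) + list(idp["sso"].values()):
        if not url.startswith("https://"):
            issues.append(f"endpoint {url!r} is not HTTPS")
    if registration["sp_entity_id"] != sp["entity_id"]:
        issues.append(f"registered entityID {registration['sp_entity_id']!r} "
                      f"differs from SP metadata {sp['entity_id']!r}")
    if acs_post is not None and registration["acs_url"] != acs_post:
        issues.append(f"registered AssertionConsumerService URL {registration['acs_url']!r} "
                      f"differs from SP metadata {acs_post!r}")
    return issues


if __name__ == "__main__":
    for name, reg in (("good", GOOD_REGISTRATION), ("bad", BAD_REGISTRATION)):
        print(name, pairing_issues(SP_METADATA, IDP_METADATA, reg))
```

Running the check against the mistyped registration flags the ACS URL before the first failed login, which is the practical benefit of metadata that the text describes; with CAS there is no equivalent document on either side to compare against, so the same typo is only discovered when a user is redirected to the wrong place.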
Our Recommendation – Work Smarter, Not Harder
End-to-end, when given the choice, SAML SSO is the clear winner among the industry standard protocols. The overall configuration process is much more straightforward and reliable, allowing administrators to proceed with more pressing work instead of troubleshooting every minor step along the way.
When it is the only option available, CAS SSO is a strong industry standard protocol for providing a secure option to end-users. In the long run, however, more apps will be supporting SAML SSO for the streamlined, secure, and simplified integration capabilities.
With an IdP like PortalGuard, you may not have to choose between SAML and CAS, but it’s always recommended to make your life simpler when you can. After all, you’ve got more important work to do!