gitmyhub

cas

Java ★ 11k updated 14h ago

Apereo CAS - Identity & Single Sign On for all earthlings and beyond.

Apereo CAS is a Java-based single sign-on server used mainly in education: users log in once and access many apps without re-authenticating. It supports SAML, OAuth, OpenID Connect, LDAP, multi-factor auth, and high-availability clustering.

Java, Docker, Redis, MongoDB, LDAP | setup: hard | complexity 4/5

Apereo CAS is a single sign-on server for organizations that want their users to log in once and then access many different applications without being asked to log in again. "Single sign-on" means that a user authenticates in one place, and that credential is trusted across connected services. CAS is the server that sits in the middle and handles that trust.

The project is written in Java and maintained by Apereo, a nonprofit that supports open-source software used in education. It is free to use and has been in active development for many years, with the current stable release line at version 7.3.

CAS supports a wide range of authentication standards. On the protocol side it covers the CAS protocol (versions 1, 2, and 3), SAML (versions 1 and 2), OAuth 2, OpenID Connect, and WS-Federation. On the identity source side it can verify users against LDAP directories, relational databases, certificate-based systems, RADIUS servers, MongoDB, Apache Cassandra, and several others. It can also hand off login to external identity providers such as Google, social login systems, or other SAML and OpenID Connect providers.

Multi-factor authentication is built in, with support for Duo Security, YubiKey, Google Authenticator, and WebAuthn (the standard behind passkeys). High-availability deployments are supported through several clustering options including Redis, MongoDB, Hazelcast, and DynamoDB, so organizations can run CAS across multiple servers without a single point of failure. There is an admin interface for monitoring and configuration, and integrations exist for notification services like Twilio and Amazon SES for sending one-time codes by SMS or email.

The recommended way to deploy it is through a "WAR Overlay" approach, which lets you customize and extend the server without forking the main codebase. Docker container packaging is also supported. Commercial support is available through third parties listed in the project documentation.

Where it fits