Setting Your App Up for SSO

This is a quick and dirty tutorial on how to set up your web application to utilize Eastern SSO.

Under the covers Eastern SSO utilizes jasig’s CAS. It is a proven application with a very active developer community. Most importantly, CAS has client libraries/APIs for most major platforms. If you can’t find a library to use, it is easy to write your own interface because the CAS protocol is so simple and straightforward.

So here’s the steps to get connected:

  1. Download an official library (Java, PHP, .NET, Apache) from http://www.jasig.org/cas/client-integration or check the unofficial client list (http://wiki.jasig.org/display/CASC/Unofficial+CAS+Clients)
    Note: Most documentation will refer to this library/your server as the CAS client.
  2. Install the CAS client.
  3. Configure the CAS client (each client uses slightly different syntax, so please adjust the following values accordingly):
    1. Specify the CAS protocol. CAS20 and SAML11 are the two choices. If you only need the authenticated user’s NetID/username, then choose CAS20; otherwise (if you need attributes such as name or email) you must use SAML11.
    2. Set the base URL for CAS. At EWU, it is https://login.ewu.edu/cas/.
    3. Other tidbits that some clients require:
      1. Login URL: https://login.ewu.edu/cas/login
      2. Validation URL: https://login.ewu.edu/cas/serviceValidate (for CAS20) or https://login.ewu.edu/cas/samlValidate (for SAML11)
  4. Register your application’s URL, if necessary. If your application’s domain name ends in “ewu.edu” or starts with “146.187” and you only need the NetID/username, you can skip this step. Otherwise contact John Gasper (jgasper at ewu edu) to register your application.
  5. Test
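As a worked example of the steps above (added here; this is not code from the post or from any jasig client library), the following Python shows what a CAS client actually does for the CAS20 protocol: it builds the /login redirect with the application’s URL as the service parameter, then, when the browser comes back with ?ticket=ST-…, the application server fetches /serviceValidate and extracts the NetID from the XML reply. The EWU URLs are the ones from the post; the CAS 2.0 response namespace is the one the protocol defines; the application URL, the fetch callback, and the two XML replies are constructed for illustration so the logic runs offline.

```python
"""
Hand-rolled CAS 2.0 client logic (added example, not the post's own code).
Builds the /login redirect, then validates the ticket CAS appends to the
service URL via /serviceValidate and extracts the NetID from the XML reply.
The HTTPS fetch is injected so the parsing can run offline against the
constructed responses at the bottom.
"""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse
import xml.etree.ElementTree as ET

CAS_BASE = "https://login.ewu.edu/cas/"            # base URL from the post
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}     # namespace of CAS 2.0 replies


def login_redirect_url(service_url: str) -> str:
    """Where to send an unauthenticated browser. After login CAS redirects
    back to service_url with ?ticket=ST-... appended."""
    return CAS_BASE + "login?" + urlencode({"service": service_url})


def service_validate_url(service_url: str, ticket: str) -> str:
    """URL the application *server* fetches to check a ticket. The service
    value must match exactly what was sent to /login or CAS rejects it."""
    return CAS_BASE + "serviceValidate?" + urlencode(
        {"service": service_url, "ticket": ticket})


def strip_ticket(url: str) -> str:
    """Recover the service URL by dropping the ticket parameter CAS added.
    Re-encoding can differ from the original (e.g. '+' vs '%20'), so a real
    app should prefer to remember the exact service URL it used at login."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query.pop("ticket", None)
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def parse_service_validate(xml_text: str) -> Optional[str]:
    """Return the NetID from a serviceValidate reply, or None on any failure.
    Anything that is not an explicit <cas:authenticationSuccess> with a
    non-empty <cas:user> is treated as a failure."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None
    user = success.find("cas:user", CAS_NS)
    if user is None or not user.text or not user.text.strip():
        return None
    return user.text.strip()


def handle_callback(request_url: str, fetch: Callable[[str], str]) -> Optional[str]:
    """Process the browser's return to the app. `fetch(url)` performs the
    HTTPS GET to CAS and in production must verify the server certificate.
    Service tickets are single-use and short-lived: validate immediately,
    then start the application's own session for the returned NetID."""
    ticket = parse_qs(urlparse(request_url).query).get("ticket", [None])[0]
    if not ticket:
        return None
    service = strip_ticket(request_url)
    return parse_service_validate(fetch(service_validate_url(service, ticket)))


# Constructed replies in the CAS 2.0 format, standing in for a live server.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-1-example' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(login_redirect_url("https://app.ewu.edu/"))
    print(handle_callback("https://app.ewu.edu/?ticket=ST-1-example",
                          lambda url: SUCCESS_XML))   # jdoe
    print(handle_callback("https://app.ewu.edu/?ticket=ST-1-example",
                          lambda url: FAILURE_XML))   # None
```

The two things that bite people in practice are both visible here: the service URL sent to /serviceValidate has to be identical to the one sent to /login (CAS compares them), and the validation request is made by your server, not the browser, so it is your server that must trust the CAS certificate.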

CAS will gladly authenticate all 20,000+ students, staff, faculty, and alumni (eventually all users in Banner). Something that developers and application administrators need to keep in mind is that Eastern SSO/CAS does not provide authorization support: it tells your application who the user is, not what that user is allowed to do. So you will still need to manage who is allowed to access what in your application.

Using the SAML11 protocol, CAS can release attributes about the user beyond just the username. Currently, it can release the EWUID number, first name, last name, campus email address, campus telephone, and Active Directory group membership. Your application will need to be registered, and for some of the attributes you will need to justify the release and obtain approval.
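For the SAML11 side of step 3, here is an added example (not the post’s code and not taken from any CAS client library) of the exchange with /samlValidate: the SOAP request the application POSTs with the ticket in AssertionArtifact and the service in the TARGET query parameter, and the parsing of the reply, which must check the status, the assertion’s NotBefore/NotOnOrAfter window and its Audience before trusting the NameIdentifier and attributes. The SOAP and SAML 1.1 namespaces are the standard ones; the samlValidate URL is the one from the post; the sample reply, the application URL, and the attribute names (mail, memberOf) are constructed for illustration, since the post does not say how EWU names the released attributes.

```python
"""
SAML 1.1 ticket validation against /samlValidate (added example, not the
post's own code). Builds the SOAP request the application POSTs, then parses
the reply: status, validity window, audience, username and attributes.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
from xml.sax.saxutils import escape

SAML_VALIDATE = "https://login.ewu.edu/cas/samlValidate"   # from the post
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}


def iso(ts: datetime) -> str:
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(text: str) -> datetime:
    """Accept 2012-03-01T12:00:00Z with or without fractional seconds."""
    base = text.strip().rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def saml_validate_request(ticket: str, now: datetime) -> str:
    """Body to POST to SAML_VALIDATE?TARGET=<service url>."""
    return (
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
        "<SOAP-ENV:Header/><SOAP-ENV:Body>"
        '<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"'
        ' MajorVersion="1" MinorVersion="1"'
        f' RequestID="{uuid.uuid4().hex}" IssueInstant="{iso(now)}">'
        f"<samlp:AssertionArtifact>{escape(ticket)}</samlp:AssertionArtifact>"
        "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


def parse_saml_validate(xml_text: str, expected_service: str,
                        now: datetime) -> Optional[Tuple[str, Dict[str, List[str]]]]:
    """Return (username, attributes) or None if the reply must not be trusted."""
    root = ET.fromstring(xml_text)
    resp = root.find("soap:Body/samlp:Response", NS)
    if resp is None:
        return None
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith("Success"):
        return None
    assertion = resp.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        return None
    # Validity window: reject stale (replayed) or not-yet-valid assertions.
    if not (parse_ts(cond.get("NotBefore", "")) <= now
            < parse_ts(cond.get("NotOnOrAfter", ""))):
        return None
    # Audience: the assertion must have been issued for *this* service.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)
                 if a.text]
    if expected_service not in audiences:
        return None
    stmt = assertion.find("saml:AttributeStatement", NS)
    ident = stmt.find("saml:Subject/saml:NameIdentifier", NS) if stmt is not None else None
    if ident is None or not ident.text:
        return None
    attrs: Dict[str, List[str]] = {}
    for attr in stmt.findall("saml:Attribute", NS):   # multi-valued -> list
        attrs[attr.get("AttributeName", "")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return ident.text.strip(), attrs


# Constructed reply in the samlValidate format; attribute names are assumed.
SAMPLE_REPLY = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/><SOAP-ENV:Body>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2012-03-01T12:00:00Z"
  MajorVersion="1" MinorVersion="1" Recipient="https://app.ewu.edu/" ResponseID="_r1">
  <Status><StatusCode Value="samlp:Success"/></Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_a1"
    IssueInstant="2012-03-01T12:00:00Z" Issuer="login.ewu.edu" MajorVersion="1" MinorVersion="1">
    <Conditions NotBefore="2012-03-01T12:00:00Z" NotOnOrAfter="2012-03-01T12:00:30Z">
      <AudienceRestrictionCondition><Audience>https://app.ewu.edu/</Audience></AudienceRestrictionCondition>
    </Conditions>
    <AttributeStatement>
      <Subject><NameIdentifier>jdoe</NameIdentifier></Subject>
      <Attribute AttributeName="mail" AttributeNamespace="http://www.ja-sig.org/products/cas/">
        <AttributeValue>jdoe@ewu.edu</AttributeValue></Attribute>
      <Attribute AttributeName="memberOf" AttributeNamespace="http://www.ja-sig.org/products/cas/">
        <AttributeValue>CN=Students,OU=Groups,DC=ewu,DC=edu</AttributeValue>
        <AttributeValue>CN=Library-Users,OU=Groups,DC=ewu,DC=edu</AttributeValue></Attribute>
    </AttributeStatement>
  </Assertion>
</Response>
</SOAP-ENV:Body></SOAP-ENV:Envelope>"""
```

The validity window in a samlValidate reply is short, so a client that validates lazily or runs on a server with a wrong clock will see assertions rejected; allow a small, explicit skew if you must, but do not drop the check. The Audience check is what stops a ticket issued to one registered application from being replayed against another.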

CAS also supports the concept of an anonymous credential. For example, suppose you have a survey application or some other case where the user would like to be somewhat anonymous. CAS can be configured to return not the authenticated user’s NetID/username but a “token”. The token will be the same each time they log into that application, but it will not be the NetID/username. This way the results are pseudo-anonymous, yet the application can still determine whether the user has already voted. If you’d like to test this feature, please let me know.

Finally, a few thoughts… You can generally ignore any information about CAS proxying, as your application probably won’t do it. The server(s) your application sits on must be able to contact https://login.ewu.edu and validate its SSL certificate; if validation fails, fix the server’s trust store rather than turning certificate checks off in the client, because that validation response is the only thing telling your application who logged in.

So far, we (the University community) have CAS-ified applications in PHP, Java, ASP.NET (Forms and MVC), and (Classic) ASP. If you run across any deployment issues or have concerns, please contact me (John Gasper) as I’ve worked through a lot of these issues.


John Gasper is powered by WordPress Services at Eastern Washington University.