Basic CAS authentication


Goal: Support CAS authentication to Sakai
Version: ?
DG Priority: ?
Status: partially implemented
Scope: ?
Preconditions: A deployer has successfully deployed an instance of the Central Authentication Service.
Success end: The deployer configures the Sakai instance to offer "Log in via CAS" as the way users authenticate to Sakai.
Failed end: The deployer is unable to configure Sakai to authenticate users via the Central Authentication Service or has to ask questions on the Sakai or CAS email lists.
Actors: Sakai deployer, SEPP, JA-SIG CAS team.
Primary Actor: Sakai deployer
Trigger: A deployer wishes to use CAS for Single Sign On to Sakai.
Security Concerns: Sakai must properly validate the CAS service tickets. Sakai must properly reject proxy tickets from untrusted proxying entities (or reject all proxy tickets).
Logging: Sakai should log the login of users and record the way in which the user authenticated (awp9 logged in at TIMESTAMP via CAS). Sakai should log ticket validation failure, ideally logging the raw validation failure response / exceptional condition encountered. Sakai should intelligently log SSL / cert problems on ticket validation when encountered.
Performance Concerns: Sakai should not require a redirect to CAS on every request.

Main Success Scenario

Deployer successfully configures the Sakai instance such that: The end user visits Sakai. Sakai offers a "Log in via CAS" button. The user clicks the button and authenticates to CAS, and CAS redirects back to Sakai. Sakai validates the service ticket and establishes the user session, context, etc. The user is now authenticated to and logged into Sakai and begins using it.
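
The ticket-validation step, with the checks listed under Security Concerns and Logging, can be sketched as follows. This is an added example, not Sakai's or the CAS client's own code; it assumes the CAS 2.0 XML validation response has already been fetched over certificate-verified HTTPS, and the logger name, function names and sample responses are constructed for illustration.

```python
import logging
import xml.etree.ElementTree as ET

log = logging.getLogger("cas.login")  # hypothetical logger name
CAS = "{http://www.yale.edu/tp/cas}"  # CAS 2.0 response namespace

class CasValidationError(Exception):
    """Raised whenever the response does not prove a trusted login."""

def _reject(reason, raw):
    # %r escapes newlines, so the raw response cannot forge extra log lines.
    log.warning("CAS ticket validation failed: %s raw=%r", reason, raw)
    raise CasValidationError(reason)

def validate_response(raw, trusted_proxies=frozenset()):
    """Return the username from a CAS 2.0 validation response, or raise.

    trusted_proxies is an allowlist of proxy URLs; empty rejects all proxy tickets.
    """
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        _reject("unparseable response", raw)
    if root.tag != CAS + "serviceResponse":
        _reject("unexpected root element", raw)
    failure = root.find(CAS + "authenticationFailure")
    if failure is not None:
        _reject(failure.get("code", "UNKNOWN"), raw)
    success = root.find(CAS + "authenticationSuccess")
    user = (success.findtext(CAS + "user") or "").strip() if success is not None else ""
    if not user:
        _reject("no authenticated user", raw)
    # Every proxy in the chain must be allowlisted; blank entries fail closed.
    chain = [(p.text or "").strip() for p in success.iter(CAS + "proxy")]
    if any(p not in trusted_proxies for p in chain):
        _reject("untrusted proxy chain %s" % chain, raw)
    log.info("%s logged in via CAS", user)  # timestamp comes from the log formatter
    return user

# Constructed sample responses (not captured from a real server).
_WRAP = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">%s</cas:serviceResponse>'
OK = _WRAP % "<cas:authenticationSuccess><cas:user>awp9</cas:user></cas:authenticationSuccess>"
PROXIED = _WRAP % ("<cas:authenticationSuccess><cas:user>awp9</cas:user><cas:proxies>"
                   "<cas:proxy>https://portal.example.edu/pgt</cas:proxy></cas:proxies>"
                   "</cas:authenticationSuccess>")
FAILED = _WRAP % '<cas:authenticationFailure code="INVALID_TICKET">not recognized</cas:authenticationFailure>'
```

A session should be established only when validate_response returns; any CasValidationError means the login is refused and the warning log line carries the raw response for troubleshooting.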

Extensions

References

See CAS website / JA-SIG

Associated Modules

Implementations

Advice and Experience

AFAIK, Sakai already supports CAS authn. I enter this use case for two purposes: 1) there is potential to go beyond CAS authn to Sakai being merely possible, to make it a productized, polished feature of the product. Enough schools need to do this that it seems worth producing the polished guide to doing it well.

2) Even if already implemented, this is an important use case to continue to consider as Sakai develops. Enterprise integration with Sakai is important to enabling other integrations.



Contributors

Name <email>: Former user (Deleted)
Institution: Yale University
Notes: initial notes