Central Authentication Service (CAS) is a widely used centralized web authentication Single Sign On (SSO) protocol for intra-organization authentication.
SunGardHE Luminis 5 supports CAS, simplifying Luminis to Learn SSO.
When creating a CAS type provider, the Provider Settings Link Text and icon appear in the Sign In Using section of the login page.
To learn about creating authentication providers, see Creating Authentication Providers.
All Authentication Providers, other than the special Legacy Authentication Provider, have a group of common settings that you can customize.
- Name (Required): Type a provider name that easily distinguishes one provider from another.
- Description (Optional): Type a description that easily distinguishes one provider from another, in particular when creating providers of the same type or when providers will be mapped to specific host names.
- Authentication Provider Availability (Active/Inactive): When creating a new provider, keep the provider as Inactive until configuration and testing is completed.
- User Lookup Method (Username/Batch Uid): Use to select the logon name field mapping. If your provider's logon name does not map to the Learn username, you can propagate the logon name to the Batch_Uid field using the Data Integration framework or Snapshot.
- Restrict by host name: Use this option to map a provider to one or more host names. Select either Use this provider for any hostnames or Restrict this provider only to the specified hostname.
- Restricted Hostnames: Type one or more host names in the text box, with one host name per line.
Understanding the behavior and reasoning behind logout options
The CAS logout options affect user behavior in a way that may appear to run counter to the intent of Single Sign On (SSO).
Specifically, Require Credentials is forced to Yes whenever Global Logout is set to No. While this may seem to defeat the convenience of SSO, Learn CAS behaves this way for security reasons.
When Global Logout is set to No, logging out of Learn destroys only the Learn session and leaves the browser holding a valid CAS session (ticket) for the user who authenticated. If that user then walks away with the browser open, the CAS session remains active and the next person using the computer can reach the original user's accounts without entering any credentials. Require Credentials therefore protects the Learn account from accidental access by an otherwise unauthorized person by forcing re-authentication whenever a new Learn session is established. Note that this setting does not protect other services that use CAS SSO, because the CAS session itself remains intact.
Setting Global Logout to Yes destroys the Learn session and then directs the user to the CAS logout page, which ends the CAS session as well. With the CAS session gone, Require Credentials can be configured either way: No gives the expected SSO behavior, in which a user who still holds a live CAS session is not asked for credentials again, and Yes forces credentials to be re-entered on every Learn logon to meet institutional security policy.
These settings provide flexibility while protecting your Learn installation from abuse that would be recorded under the original user's account, and so could not be traced to the person actually responsible, when a user misunderstands what logging out does.
Configure a CAS provider
- Provide your CAS Server URL Prefix, for example, https://cas.example.edu/cas
- Optionally, set the following:
  - Global Logout to No. The default is Yes. Selecting No means that a user is not redirected to the CAS server's logout page (for example, https://cas.example.edu/cas/logout) after logging out of Learn, so the CAS session survives the Learn logout.
  - Require Credentials to Yes. The default is No. Selecting Yes means the CAS server always prompts the user for a username and password, even when a CAS session already exists (the CAS protocol expresses this with the renew parameter on the login request); selecting No allows silent SSO when a CAS session already exists. If Global Logout is set to No, Require Credentials is set to Yes automatically.
- Select Submit to save the configuration.
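The following model, added here as an example rather than taken from Learn or the CAS project, shows why the two settings above interact the way the logout section describes. It builds the CAS login and logout URLs a client sends for each combination of Global Logout and Require Credentials, replays the shared-computer scenario (a user logs in, logs out of Learn, walks away, and the next person clicks Sign In without typing anything), and parses a /serviceValidate response of the kind Learn receives on the back channel. The URL shapes and the XML namespace are the CAS protocol's; the mapping of Require Credentials to renew=true and of Global Logout to a redirect to /logout, the hostnames, and the sample XML are assumptions made for illustration.

```python
"""Model of the Learn <-> CAS login/logout flow for the provider's two logout options.
Added example, not Learn's code. Hostnames and the XML sample are constructed."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace used by CAS 2.0/3.0 validation XML


def login_url(cas_prefix: str, service: str, require_credentials: bool) -> str:
    """Where an unauthenticated browser is sent. renew=true (assumed to be how
    Require Credentials=Yes is implemented) makes CAS ignore any existing CAS
    session cookie and show its login form again."""
    params = {"service": service}
    if require_credentials:
        params["renew"] = "true"
    return f"{cas_prefix}/login?{urlencode(params)}"


def logout_target(cas_prefix: str, learn_home: str, global_logout: bool) -> str:
    """Where the browser goes after Learn destroys its own session."""
    return f"{cas_prefix}/logout" if global_logout else learn_home


def parse_service_validate(xml_text: str) -> tuple:
    """Parse a CAS /serviceValidate response (fetched server-to-server over HTTPS).
    Returns (username, None) on success or (None, failure_code) otherwise."""
    root = ET.fromstring(xml_text)
    ok = root.find(CAS_NS + "authenticationSuccess")
    if ok is not None:
        return ok.findtext(CAS_NS + "user"), None
    fail = root.find(CAS_NS + "authenticationFailure")
    return None, (fail.get("code") if fail is not None else "UNKNOWN")


@dataclass
class BrowserWithCas:
    """One shared browser. tgc_user models the CAS ticket-granting cookie, which
    survives a Learn-only logout; None means no CAS session exists."""
    tgc_user: Optional[str] = None

    def open_login(self, url: str, typed_user: Optional[str] = None) -> Optional[str]:
        """Simulate CAS /login. Returns the user CAS authenticates for the service,
        or None if CAS shows its login form and nobody types credentials."""
        query = parse_qs(urlparse(url).query)
        renew = query.get("renew", ["false"])[0] == "true"
        if self.tgc_user is not None and not renew:
            return self.tgc_user        # silent SSO for whoever left the cookie behind
        if typed_user is None:
            return None                 # login form shown; no credentials entered
        self.tgc_user = typed_user      # primary authentication sets the cookie
        return typed_user

    def open_logout(self) -> None:
        self.tgc_user = None            # CAS /logout destroys the CAS session


def shared_computer(global_logout: bool, require_credentials: bool) -> tuple:
    """Alice logs in to Learn, logs out of Learn, walks away. Returns who the next
    person (typing nothing) is signed in as on Learn and on another CAS service."""
    cas_prefix = "https://cas.example.edu/cas"          # placeholder
    learn = "https://learn.example.edu/webapps/login/"  # placeholder
    other = "https://other.example.edu/"                # another CAS-protected app
    browser = BrowserWithCas()
    browser.open_login(login_url(cas_prefix, learn, require_credentials), typed_user="alice")
    if logout_target(cas_prefix, learn, global_logout).endswith("/logout"):
        browser.open_logout()
    next_on_learn = browser.open_login(login_url(cas_prefix, learn, require_credentials))
    next_on_other = browser.open_login(login_url(cas_prefix, other, False))
    return next_on_learn, next_on_other


# Constructed sample of a successful /serviceValidate response.
SAMPLE_VALIDATE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

if __name__ == "__main__":
    for gl, rc in [(False, False), (False, True), (True, False), (True, True)]:
        on_learn, on_other = shared_computer(gl, rc)
        print(f"Global Logout={gl!s:5} Require Credentials={rc!s:5} -> "
              f"next person is Learn={on_learn} other app={on_other}")
    print(parse_service_validate(SAMPLE_VALIDATE_OK))
```

The only combination that signs the next person in to Learn as alice is Global Logout=No with Require Credentials=No, which is exactly the pairing Learn refuses to allow. Global Logout=No with Require Credentials=Yes protects Learn but still leaves the other CAS service open as alice, matching the caveat in the logout section; only Global Logout=Yes closes both.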
If the CAS server uses TLS, its certificate must be signed by a certificate authority that the Learn server already trusts, which in practice means a commercially signed certificate; otherwise Learn cannot validate service tickets against the CAS server and authentication fails. Ticket validation is a server-to-server HTTPS request from Learn to the CAS server, so it is not enough that the user's browser trusts the certificate.