Our technical documentation is moving
1. Have a CAS server or an application that supports CAS protocols.
2. Give IE a validation endpoint (aka CAS server url / serviceValidate endpoint).
3. Construct up a Learner Login URL to your instance for students to use
You'll need a service URL provided by IE and potentially more depending on your circumstances.
Continue for more details...
Have a CAS server up and running
Make sure a CAS 2.0 or 3.0 server is setup and available for TI to access.
Obtain serviceValidate endpoint for your CAS server.
If your CAS server is available at https://casserver.org/, then your CAS serviceValidate endpoint is most likely:
https://casserver.org/cas/serviceValidate for CAS 2.0
https://casserver.org/cas/p3/serviceValidate for CAS 3.0
Add the serviceValidate URL to your SSO settings.
If your SSO settings are managed by IE (most common), send this URL to IE and it will be configured for you.
If you have access to your SSO settings (less common), add this URL to the field labeled CAS Server Validate URL
You can find your SSO settings under Settings > Integrations > SSO or here: https://<product domain>/learn/manager/sso-settings
This is the unique ID that will identify CAS users coming from the IdP (identity provider) via the cas:user in the ticket validation response. If a user already exists with this identifier, their information will be updated with the attributes passed from.
Requirements
Must be unique across the instance: This value must be unique across all learners of every client in an instance. This means that if you share an instance with other clients (almost everyone), then your ID must not clash with other client's learners. Some good options include:
Email Addresses
Appending the school domain name to a name or ID
Or utilizing an ID random enough to sufficiently collision resistant
Recommendations
Use an ID that doesn't change: Since this value used to sync learner to their accounts or create a new account if one doesn't exist for a learner, it's recommended that this value be from a source that doesn't change. If the value does change, then the learner will receive a fresh account upon authenticating and will lose all previous progress.
Email Address will suffice : Sending an email as the NameId can cause the problem mentioned above when a learner's email changes due to a name change. That said, email addresses are used by many clients without much headache. Though it isn't the "perfect" option, we considered it "good enough".
Unique IDs are a better option: If available, an ID with sufficient randomness to be collision resistant, or appending a domain or school name to less random ID, has the benefits of being both unique and unchanging.
TI uses the cas:user in the ticket validation response to uniquely identify the user. If a user already exists with this identifier, their information will be updated.
Additionally, TI recognizes the following CAS 3.0 attributes. These attributes names are customizable. Let IE know if you'd like these to be different from the following.
cas:firstname - First name of the user being signed in.
cas:lastname - Last name of the user being signed in.
cas:email - Email address of the user being signed in.
If first name, last name, and/or email were not provided in the CAS response, the student will be directed to a screen asking for that additional information. After filling in the fields and clicking submit, the student will then be directed to your specified returnTo URL, or the student dashboard if no URL was provided.
Optionally, 3 more attributes may be added to include in reporting, etc.
ref1
ref2
ref3
The following is a complete example of a successful CAS ticket validation including all optional attributes:
<?xml version="1.0" encoding="UTF-8"?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationSuccess>
<cas:user>test</cas:user>
<cas:attributes>
<cas:firstname>bob</cas:firstname>
<cas:lastname>jones</cas:lastname>
<cas:email>bobjones@example.org</cas:email>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
Direct your users to login to your CAS server with the "service" parameter set to the URI-encoded TI CAS endpoint.
https://<CAS Server Domain>/login?service=<URI Encoded Service URL>
This is done in 3 steps:
Start with the Base URL: Start by constructing the base of the URL depending on which IE product you're configuring for
Combine the https protocol, IE product domain, and cas access path
https://<IE Product Domain>/access/cas
Add License ID: Next, you'll need to specify a license ID to connect the incoming student with your Client in our system. If you own your own instance, you can skip this step (uncommon).
Obtain your client's license ID from IE.
If you've been granted admin privileges (uncommon), you will see a license ID when you click "Edit" on any sublicense. If you are not using sublicense functionality, you will see a license ID on the "Master License" tab. Only one license can be specified. Treat this license ID as a secret, similar to a password.
Add licenseId query parameter and value to Base Service URL (params are case sensitive):
https://<IE product domain>/access/cas?licenseId=<License ID>
Example: https://www.studentlingo.com/access/cas?licenseId=5090b9e3-5542-4050-b863-8429fc03ad5b
Add Redirects: You can optionally specify a URL of a page to redirect the user to after successful authentication.
TI validates the ticket on your CAS server and then grants the user access and directs them to the specified returnTo URL, or the student dashboard if no URL was provided.
Add returnTo query parameter and value to URL (params are case sensitive):
https://<IE product domain>/access/cas?licenseId=<License ID>&returnTo=<Return to URL>
Example redirecting to the course catalog: https://www.studentlingo.com/access/cas?licenseId=5090b9e3-5542-4050-b863-8429fc03ad5b&returnTo=https://www.studentlingo.org/catalog
Both a returnTo and a licenseId can be specified within the same request
Once you have a complete Service URL, it must be URI encoded before it can be added to the CAS login URL. This will ensure structural integrity during URL parsing.
If the URL is:
https://www.studentlingo.com/access/cas?licenseId=5090b9e3-5542-4050-b863-8429fc03ad5b
Then URI encoded it looks like:
https%3A%2F%2Fwww.studentlingo.com%2Faccess%2Fcas%3FlicenseId%3D5090b9e3-5542-4050-b863-8429fc03ad5b
Lastly, add the URI encoded Service URL to your CAS Login URL as a Service Parameter
https://<CAS Server Domain>/login?service=<URI Encoded Service URL>
Example: https://www.casserver.org/login?service=https%3A%2F%2Fwww.studentlingo.com%2Faccess%2Fcas%3FlicenseId%3D5090b9e3-5542-4050-b863-8429fc03ad5b
In WSO2 the cas:user is controlled by this field (Subject Claim URI)