CAS Single Sign On

Implementation Overview

1. Have a CAS server or an application that supports CAS protocols.

2. Give IE a validation endpoint (aka CAS server url / serviceValidate endpoint).

3. Construct up a Learner Login URL to your instance for students to use

• • You'll need a service URL provided by IE and potentially more depending on your circumstances.

Continue for more details...

Resources

• Definition of Terms

Configuring the SP with a CAS serviceValidate URL

1. Have a CAS server up and running

   • Make sure a CAS 2.0 or 3.0 server is setup and available for TI to access.

2. Obtain serviceValidate endpoint for your CAS server.

   • If your CAS server is available at https://casserver.org/, then your CAS serviceValidate endpoint is most likely:

     • https://casserver.org/cas/serviceValidate for CAS 2.0

     • https://casserver.org/cas/p3/serviceValidate for CAS 3.0

3. Add the serviceValidate URL to your SSO settings.

   • If your SSO settings are managed by IE (most common), send this URL to IE and it will be configured for you.

   • If you have access to your SSO settings (less common), add this URL to the field labeled CAS Server Validate URL

     • You can find your SSO settings under Settings > Integrations > SSO or here: https://<product domain>/learn/manager/sso-settings

Configuring the externalCustomerID (cas:user)

• This is the unique ID that will identify CAS users coming from the IdP (identity provider) via the cas:user in the ticket validation response. If a user already exists with this identifier, their information will be updated with the attributes passed from.

Requirements

• Must be unique across the instance: This value must be unique across all learners of every client in an instance. This means that if you share an instance with other clients (almost everyone), then your ID must not clash with other client's learners. Some good options include:

  • Email Addresses

  • Appending the school domain name to a name or ID

  • Or utilizing an ID random enough to sufficiently collision resistant

Recommendations

• Use an ID that doesn't change: Since this value used to sync learner to their accounts or create a new account if one doesn't exist for a learner, it's recommended that this value be from a source that doesn't change. If the value does change, then the learner will receive a fresh account upon authenticating and will lose all previous progress.

  • Email Address will suffice : Sending an email as the NameId can cause the problem mentioned above when a learner's email changes due to a name change. That said, email addresses are used by many clients without much headache. Though it isn't the "perfect" option, we considered it "good enough".

  • Unique IDs are a better option: If available, an ID with sufficient randomness to be collision resistant, or appending a domain or school name to less random ID, has the benefits of being both unique and unchanging.

CAS Attributes

External Customer ID

• TI uses the cas:user in the ticket validation response to uniquely identify the user. If a user already exists with this identifier, their information will be updated.

Other Attributes

• Additionally, TI recognizes the following CAS 3.0 attributes. These attributes names are customizable. Let IE know if you'd like these to be different from the following.

  • cas:firstname - First name of the user being signed in.

  • cas:lastname - Last name of the user being signed in.

  • cas:email - Email address of the user being signed in.

  • If first name, last name, and/or email were not provided in the CAS response, the student will be directed to a screen asking for that additional information. After filling in the fields and clicking submit, the student will then be directed to your specified returnTo URL, or the student dashboard if no URL was provided.

• Optionally, 3 more attributes may be added to include in reporting, etc.

  • ref1

  • ref2

  • ref3

Example

• The following is a complete example of a successful CAS ticket validation including all optional attributes:

<?xml version="1.0" encoding="UTF-8"?>

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">

<cas:authenticationSuccess>

<cas:user>test</cas:user>

<cas:attributes>

<cas:firstname>bob</cas:firstname>

<cas:lastname>jones</cas:lastname>

<cas:email>bobjones@example.org</cas:email>

</cas:attributes>

</cas:authenticationSuccess>

</cas:serviceResponse>

Building a Login URL

Overview

Direct your users to login to your CAS server with the "service" parameter set to the URI-encoded TI CAS endpoint.

• https://<CAS Server Domain>/login?service=<URI Encoded Service URL>

This is done in 3 steps:

1. Constructing the Service URL

1. Start with the Base URL: Start by constructing the base of the URL depending on which IE product you're configuring for

   • Combine the https protocol, IE product domain, and cas access path

     • https://<IE Product Domain>/access/cas

     • Example: https://www.studentlingo.com/access/cas

2. Add License ID: Next, you'll need to specify a license ID to connect the incoming student with your Client in our system. If you own your own instance, you can skip this step (uncommon).

   • Obtain your client's license ID from IE.

     • If you've been granted admin privileges (uncommon), you will see a license ID when you click "Edit" on any sublicense. If you are not using sublicense functionality, you will see a license ID on the "Master License" tab. Only one license can be specified. Treat this license ID as a secret, similar to a password.

   • Add licenseId query parameter and value to Base Service URL (params are case sensitive):

     • https://<IE product domain>/access/cas?licenseId=<License ID>

     • Example: https://www.studentlingo.com/access/cas?licenseId=5090b9e3-5542-4050-b863-8429fc03ad5b

3. Add Redirects: You can optionally specify a URL of a page to redirect the user to after successful authentication.

   • TI validates the ticket on your CAS server and then grants the user access and directs them to the specified returnTo URL, or the student dashboard if no URL was provided.

   • Add returnTo query parameter and value to URL (params are case sensitive):

     • https://<IE product domain>/access/cas?licenseId=<License ID>&returnTo=<Return to URL>

     • Example redirecting to the course catalog: https://www.studentlingo.com/access/cas?licenseId=5090b9e3-5542-4050-b863-8429fc03ad5b&returnTo=https://www.studentlingo.org/catalog

   • Both a returnTo and a licenseId can be specified within the same request

2. URI Encode the Service URL

Once you have a complete Service URL, it must be URI encoded before it can be added to the CAS login URL. This will ensure structural integrity during URL parsing.

• • If the URL is:

    • https://www.studentlingo.com/access/cas?licenseId=5090b9e3-5542-4050-b863-8429fc03ad5b

  • Then URI encoded it looks like:

    • https%3A%2F%2Fwww.studentlingo.com%2Faccess%2Fcas%3FlicenseId%3D5090b9e3-5542-4050-b863-8429fc03ad5b

3. Add to CAS Login URL via Service Parameter

Lastly, add the URI encoded Service URL to your CAS Login URL as a Service Parameter

• • https://<CAS Server Domain>/login?service=<URI Encoded Service URL>

  • Example: https://www.casserver.org/login?service=https%3A%2F%2Fwww.studentlingo.com%2Faccess%2Fcas%3FlicenseId%3D5090b9e3-5542-4050-b863-8429fc03ad5b

Misc. Configuration Notes