CAS FAQs

  1. What is a Central Authentication Service (CAS)?
  2. What are the features of CAS when compared to CWL Authentication Service (Auth2) and Shibboleth?
  3. Why is a new authentication product being made available?
  4. What will happen to Auth2, and to the applications integrated with Auth2, once CAS is available?
  5. What is the method for deciding which authentication service, CAS or Shibboleth, is the best fit for my web application integration?
  6. What attributes are available to applications using the CAS authentication service?
  7. Will the look or functionality of the authentication service be any different from an end user perspective?
  8. Which browsers are recommended for CAS integrations?
  9. How does an Integration Partner submit a request to move from Auth2 to CAS?
  10. How does the process for onboarding to CAS work?
  11. What do I need to do after onboarding to CAS with regard to maintenance or managing the service?
  12. How do I log out of CAS?

 

  1. What is a Central Authentication Service (CAS)?
    CAS is an authentication service that allows UBC Web applications to authenticate users with Campus-Wide Login (CWL) accounts and provides users with a Single Sign-On (SSO) experience across UBC services with CAS integrated applications.
  2. What are the features of CAS when compared to CWL Authentication Service (Auth2) and Shibboleth?
    Auth2 to CAS or Shibboleth - Feature Comparison Table
    | Feature | CWL Authentication Service (Auth2) | Central Authentication Service (CAS) | Shibboleth |
    |---|---|---|---|
    | Web Authentication | X | X | X |
    | Non-Web Authentication | - | - | - |
    | Centrally Hosted Login Page | X | X | X |
    | Customizable Login Page | X | Standardized Login Page with limited customizable features | Standardized Login Page with limited customizable features |
    | Confidentiality of CWL Login Name & Password (Integrated application does not have access to CWL account credentials.) | X | X | X |
    | Single Sign-On (SSO) (SSO available between applications integrated to same authentication service; i.e. SSO not available between applications integrated separately on Auth2 and CAS.) | X | X | X |
    | Single Log-Out (SLO) | N/A (Web session managed on integrated applications only: log-out is on the application level.) | Via closing of browser | Via closing of browser |
    | Transmission of CWL Login Attributes | Attributes available via IAM, please refer to: Technical Guide for Integrating with the CWL Authentication Service, Appendix C: List of CWL Authentication Service APIs | Six attributes available via IAM: (1) CWL Login Name, (2) Employee ID, (3) First Name (Legal), (4) Last Name (Legal), (5) Student ID, (6) PUID. Additional attributes available via IAM in future phase: Gender, Preferred Name, Title. | Six attributes available via IAM: (1) CWL Login Name, (2) Employee ID, (3) First Name (Legal), (4) Last Name (Legal), (5) Student ID, (6) PUID. Additional attributes available via IAM in future phase: Gender, Preferred Name, Title. Shibboleth affiliations available: Student, Faculty, Staff, Affiliate (CWL Basic Role), Other (CWL Continuing Studies/Prospect/Guest Roles). Group attributes available: Group memberships in Grouper. |
    | Integration Protocols | XML-RPC | SAML 1.1 (Recommended) | SAML 2.0 |
    | Support for Common Programming Languages | Java, PHP, .NET | Java, PHP, .NET | N/A |
    | Integration Operating Systems Supported | Linux, Windows and Solaris | Linux and Windows | Linux and Windows |
    | Vendor Products' Integration Plug-Ins | Customization Required | Availability of Vendor Supplied CAS Plug-ins: https://wiki.jasig.org/display/CAS/CASifying+Applications | Shibboleth SP Download: http://shibboleth.net/downloads/service-provider/ |
  3. Why is a new authentication product being made available?
    The CWL Authentication Service (Auth2) was built in-house over ten years ago to authenticate Web-based applications and is reaching product end-of-life. A CWL Security and Governance Review recently completed by UBC's Internal Auditors resulted in recommendations for enhancing security and policy compliance.
  4. What will happen to Auth2, and to the applications integrated with Auth2, once CAS is available?
    Auth2 is no longer available for new application integrations. New applications will integrate with CAS or Shibboleth.
    Auth2 will continue to be available for authentication to existing integration partners for a scheduled period to allow time for these applications to be migrated to CAS or Shibboleth. UBC plans to sunset Auth2 by December 2013.
  5. What is the method for deciding which authentication service, CAS or Shibboleth, is the best fit for my Web application integration?
    All Integration Partners will need to be prepared to answer questions about their application and environment. The answers provided are used by the IAM Team to recommend an appropriate authentication service.
    The following table provides some of these key questions for integration partners:

    Choosing an Authentication Service
    1. What type of application do you have (Web, Client/Non-Web)?
    2. Does your application need to be accessible to people from other institutions?
      • Only Shibboleth supports federated access.
    3. Who accesses your application (e.g. faculty, staff, student, visitor, contractor)?
    4. Who is the Primary Technical Contact? Please include name, department, email address, and phone number.
  6. What attributes are available to applications using the CAS authentication service?
    CAS will standardize on using "gold" sources of identity attributes that have been approved by the UBC Identity and Access Management Governance Committee.
    IAM systems will deliver and manage the following ten Identity Attributes: First Name (Legal), Last Name (Legal), Employee ID, Student ID, Gender, Title, Preferred Name, CWL login name, CWL Password and PUID.
    The IAM systems are the Gold source of data for three identity attributes: CWL login name, CWL Password and PUID.
    The other seven attributes will come from the Systems of Record. Gender, Preferred Name and Title attributes will be available in a future phase.
  7. Will the look or functionality of the authentication service be any different from an end user perspective?
    The following highlights some of the major changes for the end user:
    • The login page for the CAS service will appear identical to the Auth2 and Shibboleth service. Users will not see a direct change in authentication functionality.
    • Applications that have migrated to CAS will no longer be able to authenticate to applications integrated with Auth2.
  8. Which browsers are recommended for CAS integrations?
    • Microsoft Internet Explorer v9+
    • Mozilla Firefox v15+
    • Google Chrome v21+
    • Apple Safari v5+
  9. How does an Integration Partner submit a request to move from Auth2 to CAS?
    Any stakeholder or existing Integration Partner interested in migrating to the new CAS should submit a CAS integration request form to the Identity and Access Management Team (select CAS from the Service Type list on the form). Integration Partners interested in becoming early adopters should use the same form to make their intentions known.
  10. How does the process for onboarding to CAS work?
    Integration partners should review the workflow for integrating an application with CAS: CAS Integration Steps.
  11. What do I need to do after onboarding to CAS with regard to maintenance or managing the service?
    The CAS integration adapter will reside on your application at the code level or on your Web server. This is not expected to require regular ongoing maintenance. If any changes are required, the IAM team will contact you.
    You MUST contact the IAM team in advance if you plan to migrate your application to another server or change the application's URL.
  12. How do I log out of CAS?
    To terminate the session, users must close the browser. As with all Single Sign-On products, to follow security recommendations, users must shut down their browser sessions when terminating access to a CAS integrated application.