Astra Schedule Help (7.5)

Single Sign-On


Astra Schedule supports single sign-on (SSO) using Central Authentication Service (CAS).  The following information will help in setting up Astra Schedule SSO.

CAS

NOTE:  The CAS server can be downloaded from https://www.apereo.org/projects/cas/download-cas.

 

There are two required and two optional Astra Schedule system settings, shown below, that are available for configuring single sign-on.

Single Sign-On System Settings

The following two system settings must be added to the Astra Schedule System Settings table.  (See System Settings for more information on how to configure these settings.)

 

You will need to update the value of the VALUE field to point to the CAS server.

 

security.sso.option
 
Valid values: Disabled, CAS, CWL (case insensitive).  If this setting does not exist, the effect is the same as setting it to Disabled.
 

security.sso.authenticationURL
 
Root URL for SSO service. Ex: http://casserver:8080/cas/

 

Additionally, the following two settings are available to configure logout behavior when SSO is enabled.

 

ShowLogoutLink
 
Set this to false to hide the logout link when SSO is enabled.  If this setting does not exist, it defaults to true.
 
If this option is used, then the user's session will not end until it times out.

 

security.sso.logoutURL
 
Use this setting to specify a URL to which a user will be redirected upon logging out of Astra Schedule.
 
This will be something like http://casserver:8080/cas-server-webapp-3.5.0/logout?service=http://www.page-to-go-on-logout.htm.

 

The /logout tells CAS to end the CAS session.

The service parameter tells CAS to redirect to the page specified after ending the CAS session.

 

To use logout redirection in CAS, the CAS server must be configured.  The p:followServiceRedirects="true" attribute must be added to the logoutController bean in the cas-servlet.xml file located in the cas-server-webapp-3.5.0\WEB-INF folder under the webapps folder in Apache Tomcat.

 

If the security.sso.logoutURL is blank or missing, the default behavior for CAS will be to redirect the user to the CAS login page after they log out of Astra Schedule.

 

NOTE:  You will need to recycle the application pool in IIS after system settings are configured in order for them to take effect.

Passing CAS ticket from portal to Astra Schedule

The portal can link to any Astra Schedule page.  It just needs to append the user’s ticket to the URL in the parameter named “ticket”.
 
Examples:

 
Link to Astra Schedule user’s portal page

 
http://astrawebserver/astraschedule/portal/default.aspx?ticket=798798SDF89009SDFSDF2JKI9F
 
Link to the Academics Main Page

 
http://astrawebserver/astraschedule/academics/default.aspx?ticket=798798SDF89009SDFSDF2JKI9F
 
Link to the Event List Page

 
http://astrawebserver/astraschedule/events/eventlist.aspx?ticket=798798SDF89009SDFSDF2JKI9F

General Notes

The following URLs would be used by Astra Schedule to interface with CAS:

 

(CAS_ticket is replaced with the ticket passed to Astra Schedule, and ReturnURL is replaced with the Astra Schedule URL accessed by the user)

 

Validate Ticket Passed to Astra Schedule

 

http://casserver:8080/cas/serviceValidate?ticket=CAS_ticket&service=ReturnURL

 

CAS Login – if the user attempts to access Astra Schedule without a CAS ticket

 

http://casserver:8080/cas/login?service=ReturnURL

 

Guests and Invalid Logins

 

If the user is authenticated by CAS but does not exist in Astra Schedule, the user is allowed to access Astra Schedule as a guest user.

 

If the ticket passed to Astra Schedule is not valid, the user is directed to the Astra Schedule login page.
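The ticket validation call and the three outcomes described above (known user, guest, login page), as an added Python example that is not Astra Schedule's own code. It assumes the CAS 2.0 XML response format and that ReturnURL is the requested URL with its ticket parameter removed; the function names are hypothetical and the sample responses are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2.0 responses

def service_url(requested_url):
    """ReturnURL: the requested URL without its 'ticket' parameter (assumption)."""
    parts = urlsplit(requested_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "ticket"]
    return urlunsplit(parts._replace(query=urlencode(query)))

def validate_url(cas_root, ticket, requested_url):
    """Build the serviceValidate URL with both parameters URL-encoded."""
    params = urlencode({"ticket": ticket, "service": service_url(requested_url)})
    return cas_root.rstrip("/") + "/serviceValidate?" + params

def cas_user(response_xml):
    """Return the authenticated user name, or None on failure or malformed XML."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return None
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    return user.text.strip() if user is not None and user.text else None

def decide(response_xml, known_users):
    """Map a validation response to the outcomes described on this page."""
    user = cas_user(response_xml)
    if user is None:
        return ("login_page", None)      # invalid ticket: send to login page
    if user in known_users:
        return ("user", user)            # authenticated and exists in Astra Schedule
    return ("guest", user)               # authenticated by CAS only: guest access

# Constructed sample responses in the CAS 2.0 format
SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jsmith</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    page = ("http://astrawebserver/astraschedule/portal/default.aspx"
            "?ticket=798798SDF89009SDFSDF2JKI9F")
    print(validate_url("http://casserver:8080/cas/", "798798SDF89009SDFSDF2JKI9F", page))
    print(decide(SUCCESS, {"jsmith"}), decide(SUCCESS, set()), decide(FAILURE, {"jsmith"}))
```

Only an authenticationSuccess element carrying a user name counts as a valid login; a failure response, an empty user, or unparseable XML all fall through to the login page.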

 

Bypass Single Sign-On

 

To bypass the single sign-on mechanism for sites that are configured for SSO, the user may use the URL for the login page with the nosso URL parameter.  This may be useful if there are internal users that do not use SSO.  Because of this feature, it is important to assign a strong password when creating users.

 

Ex: http://astrawebserver/Logon.aspx?nosso=

 

Trusted Certificates and SSL

 

You may need to update the trusted certificate authorities if you are using SSL to communicate between Astra Schedule and CAS and are using a certificate that was not issued by one of the major certificate issuers (VeriSign, Thawte, GlobalSign, etc.).  You can update the trusted certificate authorities on the web server using the Certificates snap-in.  This should allow you to resolve any issues with HTTPS.  See http://msdn.microsoft.com/en-us/library/ms788967.aspx for instructions on accessing the Certificates snap-in.