What is a Central Authentication Service (CAS)?
CAS is an authentication service that allows UBC Web applications to authenticate users with Campus-Wide Login (CWL) accounts and provides users with a Single Sign-On (SSO) experience across UBC services with CAS-integrated applications.
What are the features of CAS when compared to CWL Authentication Service (Auth2) and Shibboleth?
Auth2 to CAS or Shibboleth - Feature Comparison Table

Feature | CWL Authentication Service (Auth2) | Central Authentication Service (CAS) | Shibboleth |
---|---|---|---|
Web Authentication | X | X | X |
Non-Web Authentication | - | - | - |
Centrally Hosted Login Page | X | X | X |
Customizable Login Page | X | Standardized Login Page with limited customizable features | Standardized Login Page with limited customizable features |
Confidentiality of CWL Login Name & Password (Integrated application does not have access to CWL account credentials.) | X | X | X |
Single Sign-On (SSO) (SSO available between applications integrated to same authentication service; i.e. SSO not available between applications integrated separately on Auth2 and CAS.) | X | X | X |
Single Log-Out (SLO) | N/A (Web session managed on integrated applications only: log-out is on the application level.) | Via closing of browser | Via closing of browser |
Transmission of CWL Login Attributes | Attributes available via IAM, please refer to: Technical Guide for Integrating with the CWL Authentication Service, Appendix C: List of CWL Authentication Service APIs | Six attributes available via IAM: | Six attributes available via IAM: |
Integration Protocols | XML-RPC | SAML 1.1 (Recommended) | SAML 2.0 |
Support for Common Programming Languages | Java, PHP, .NET | Java, PHP, .NET | N/A |
Integration Operating Systems Supported | Linux, Windows and Solaris | Linux and Windows | Linux and Windows |
Vendor Products' Integration Plug-Ins | Customization Required | Availability of Vendor Supplied CAS Plug-ins: https://wiki.jasig.org/display/CAS/CASifying+Applications | Shibboleth SP Download: http://shibboleth.net/downloads/service-provider/ |
Why is a new authentication product being made available?
The CWL Authentication Service (Auth2) was built in-house over ten years ago to authenticate Web-based applications and is reaching product end-of-life. A CWL Security and Governance Review recently completed by UBC's Internal Auditors resulted in recommendations for enhancing security and policy compliance.
What will happen to Auth2, and to the applications integrated with Auth2, once CAS is available?
Auth2 is no longer available for new application integrations. New applications will integrate with CAS or Shibboleth.
Auth2 will continue to be available for authentication to existing integration partners for a scheduled period to allow time for these applications to be migrated to CAS or Shibboleth. UBC plans to sunset Auth2 by December 2013.
What is the method for deciding which authentication service, CAS or Shibboleth, is the best fit for my Web application integration?
All Integration Partners will need to be prepared to answer questions about their application and environment. The answers provided are used by the IAM Team to recommend an appropriate authentication service.
The following table provides some of these key questions for integration partners:
Choosing an Authentication Service |
---|
|
What attributes are available to applications using the CAS authentication service?
CAS will standardize on using "gold" sources of identity attributes that have been approved by the UBC Identity and Access Management Governance Committee.
IAM systems will deliver and manage the following ten Identity Attributes: First Name (Legal), Last Name (Legal), Employee ID, Student ID, Gender, Title, Preferred Name, CWL login name, CWL Password and PUID.
The IAM systems are the Gold source of data for three identity attributes: CWL login name, CWL Password and PUID.
The other seven attributes will come from the Systems of Record. Gender, Preferred Name and Title attributes will be available in a future phase.
Will the look or functionality of the authentication service be any different from an end user perspective?
The following highlights some of the major changes for the end user:
- The login page for the CAS service will appear identical to that of the Auth2 and Shibboleth services. Users will not see a direct change in authentication functionality.
- Applications that have migrated to CAS will no longer be able to authenticate to applications integrated with Auth2.
Which browsers are recommended for CAS integrations?
- Microsoft Internet Explorer v9+
- Mozilla Firefox v15+
- Google Chrome v21+
- Apple Safari v5+
How does an Integration Partner submit a request to move from Auth2 to CAS?
Any stakeholder or existing Integration Partner interested in migrating to the new CAS should submit a CAS integration request form to the Identity and Access Management Team (select CAS from the Service Type list on the form). Integration Partners interested in becoming early adopters should use the same form to make their intentions known.
How does the process for onboarding to CAS work?
Integration partners, please review the workflow for integrating an application with CAS here: CAS Integration Steps
What do I need to do after onboarding to CAS with regard to maintenance or managing the service?
The CAS integration adapter will reside on your application at the code level or on your Web server. This is not expected to require regular ongoing maintenance. If any changes are required, the IAM team will contact you.
You MUST contact the IAM team in advance if you plan to migrate your application to another server or change the application's URL.
How do I log out of CAS?
To terminate the session, users must close the browser. As with all Single Sign-On products, to follow security recommendations, users must shut down their browser sessions when terminating access to a CAS-integrated application.