Apereo CAS SSO
Agiloft supports single sign-on on the web via integration with Apereo CAS (Central Authentication Server). This allows Agiloft to have integrated authentication with products such as uPortal, BlueSocket, TikiWiki, Mule, Liferay, Moodle, and others.
From the user's point of view, the typical integrated scenario is simple. First, they log in to a CAS-enabled product such as uPortal. Then, using a hyperlink from within the portal, the user can easily access the Agiloft system. When Single Sign On via CAS is enabled, you can also configure outbound emails so that any hotlinks that they contain use CAS to authenticate the user and access Agiloft.
Technical Overview
For the typical integrated scenario described above, the following occurs:
When the user logs in to the CAS-enabled product, CAS issues a secure token that is usually stored as a cookie.
- When the user presses the hyperlink to access
Agiloft from within the portal,
Agiloft uses a client-side redirect to pass the URL contained within the hyperlink to CAS. Note that this is the same process that occurs if the user selects a CAS-aware hotlink from within an email they received from the
Agiloft system.
If the user is currently logged in to CAS, CAS verifies the token and redirects the user back to the URL within Agiloft. The location of the Agiloft instance is determined automatically at installation time or overridden when the Hotlink Server Root URL global variable is passed to CAS to tell it where to find the Agiloft instance after authentication is performed.
- If the user hasn't logged in to CAS or CAS requires reauthentication, then CAS displays a login form, authenticates the user, and, if successful, performs a client-side redirect back to the URL within Agiloft. As above, the location of the Agiloft instance is determined automatically at installation time or overridden when the Hotlink Server Root URL global variable is passed to CAS to tell it where to find the Agiloft instance after authentication is performed.
- When CAS sends the user back to the original URL, the redirect contains another secure token that confirms that authentication has been performed. After verifying the authenticity of the secure token, Agiloft obtains the username via direct connection to CAS and logs in.
Note that the hyperlink embedded within the CAS-enabled portal follows the usual rules for Agiloft hyperlinks but uses a special entry point/cas-login and has no user and password credentials specified.
Example
<a href="http://example.agiloft.com/gui2/cas-login?keyID=0&project=Demo&state=Main">http://example.agiloft.com/gui2/login.jsp?keyID=&project=Demo&state=Main</a>
The structure of the URL output is: https://AGILOFT_HOST/gui2/cas-login?KB_NAME&state=main
For
Agiloft hyperlinks, see Hyperlinks.
Setup
To configure Single Sign-on with CAS, complete the following steps on a per-KB basis:
Click the Setup gear in the top-right corner and go to System > Manage Global Variables.
Edit the CAS Server Login URL global variable so that it contains the URL where your CAS is located. For example, https://{yourhost}/cas/login.
Confirm that the CAS Ticket Validator global variable contains the correct CAS Server version available in your setup. If it doesn't, edit it so that it does.
If you wish to enable CAS-aware hotlinks in emails, edit the Hotlink Type global variable so that it has a value of CAS.
Embed a correctly formatted hyperlink to Agiloft within your CAS-enabled product.
Force SSO Login
To force users to log in with SSO, you can prevent them from accessing Agiloft with their username and password. Follow the steps below to make the Password field optional in the Employees table and then remove passwords for employees who should log in with SSO. Now, users whose passwords were reset can only log in with SSO. If you also allow some external users to log in with SSO, repeat the process for the External Users table.$global.null
and click Next.