supports single sign-on on the web via integration with Apereo CAS (Central Authentication Server). This allows integrated authentication with products such as uPortal, BlueSocket, TikiWiki, Mule, Liferay, Moodle, and others.
From the user's point of view, the typical integrated scenario is simple. First, they log in to a CAS-enabled product such as uPortal. Then, using a hyperlink from within the portal, the user can easily access the system. When Single Sign On via CAS is enabled, you can also configure outbound emails so that any hotlinks that they contain use CAS to authenticate the user and access.
For the typical integrated scenario described above, the following occurs:
When the user logs in to the CAS-enabled product, CAS issues a secure token that is usually stored as a cookie.
If the user is currently logged in to CAS, CAS verifies the token and redirects the user back to the URL within. The location of the instance is determined automatically at installation time or overridden when the Hotlink Server Root URL global variable is passed to CAS to tell it where to find the instance after authentication is performed.
Note that the hyperlink embedded within the CAS-enabled portal follows the usual rules for hyperlinks but uses a special entry point, /cas-login, and has no user and password credentials specified.
The structure of the URL output is:
For hyperlinks, see Hyperlinks.
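The ticket exchange behind the scenario described above, sketched for the CAS 2.0 protocol as an added example; it is not code from this page or from the product. The host names, function names and sample responses are constructed for illustration, and the example goes beyond the page by showing the back-channel ticket validation a CAS-enabled service performs.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace of CAS 2.0 validation responses


def login_redirect(cas_login_url, service_url):
    """URL the browser is sent to; CAS returns to service_url with ?ticket=ST-..."""
    return f"{cas_login_url}?{urlencode({'service': service_url})}"


def validate_url(cas_base, service_url, ticket):
    """Back-channel request made by the service to check the ticket.
    The service value must be identical to the one used at login."""
    query = urlencode({"service": service_url, "ticket": ticket})
    return f"{cas_base}/serviceValidate?{query}"


def parse_validation(xml_text):
    """Return the authenticated user name, or None on any failure (fail closed)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    # Reject anything that is not a namespaced CAS serviceResponse.
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        return None
    success = root.find("cas:authenticationSuccess", {"cas": CAS_NS})
    if success is None:  # covers cas:authenticationFailure and empty responses
        return None
    user = success.findtext("cas:user", default="", namespaces={"cas": CAS_NS})
    return user.strip() or None


# Constructed sample responses (not captured from a real server).
SUCCESS = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationFailure code="INVALID_TICKET">not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    service = "https://app.example.org/cas-login"  # placeholder host
    print(login_redirect("https://cas.example.org/cas/login", service))
    print(validate_url("https://cas.example.org/cas", service, "ST-1-abc"))
    print(parse_validation(SUCCESS), parse_validation(FAILURE))
```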
To configure Single Sign-on with CAS, complete the following steps on a per-KB basis:
Click the Setup gear in the top-right corner and go to System > Manage Global Variables.
Edit the CAS Server Login URL global variable so that it contains the URL where your CAS is located. For example, https://{yourhost}/cas/login.
Confirm that the CAS Ticket Validator global variable contains the correct CAS Server version available in your setup. If it doesn't, edit it so that it does.
If you wish to enable CAS-aware hotlinks in emails, edit the Hotlink Type global variable so that it has a value of CAS.
Embed a correctly formatted hyperlink to within your CAS-enabled product.
Finally, to make sure users log in with SSO after the transition, manually set new passwords for users who should use SSO instead. To do so:
Go to the People table and select every user who should use SSO from this point on.
Don't select every single user in your system. It's best to leave at least one administrator unchanged, if not the whole admin team, in case you encounter SSO issues in the future that prevent users from logging in with SSO.
Next, go to Setup > System > Manage Global Variables and check the Customized Variables tab for the Hotlink Type variable. If it has been customized, edit it and reset it to the default value of STANDARD.
You might also notice a setting in the People table called SSO Authentication Method. This field is set automatically by the system when you enable SSO, and should not be modified.