Central Authentication Service (CAS) is the most common centralized web authentication Single Sign On (SSO) protocol for intra-organization authentication. SunGardHE Luminis 5 supports CAS, simplifying Luminis to Learn SSO.
When creating a CAS type provider, the Provider Settings Link Text and icon appear in the Sign In Using section of the login page.
The CAS logout options impact user behavior in a manner which may appear outside the intention of Single Sign On (SSO).
Specifically Require Credentials is set to 'Yes' when Global Logout is set to 'No'. While this may seem outside the convenience and scope of SSO, Learn CAS is implemented in this manner for security purposes.
When Global Logout is set to 'Off', logging out of Learn only destroys the Learn session and leaves the browser with a valid CAS ticket for the currently authenticated user. Should the user then leave the computer with the browser open (thus leaving the CAS ticket active) the next person using the computer will have access to the originally authenticated user's accounts. Thus Require Credentials secures the Learn account from accidental access by an otherwise unauthorized user by forcing re-authentication when reestablishing a Learn session. Please note that this setting does not protect other user services which utilize CAS SSO as the CAS ticket remains intact.
Setting Global Logout to 'On' destroys the Learn Session and directs the user to the CAS logout page for logging out of the CAS service, and allows the configuration of Require Credentials enabling expected SSO behavior of not having to provide credentials for existing CAS ticket holders (Require Credentials = 'No') or forcing re-credentialing for log on to Learn to meet Institutional security policies (Require Credentials = 'Yes').
These settings provide a functional degree of flexibility while protecting your Learn installation from potential and untraceable abuse due to user misinterpretation of the logout process.
Follow these steps to configure a CAS provider.
- Provide your CAS Server URL Prefix, for example, https://cas.example.edu/cas
- Optionally, set the:
- Global Logout as No. The default is Yes. Selecting No indicates that a user should not be redirected to the CAS server's logout page after logging out of Learn, for example, https://cas.example.edu/cas/logout
- Require Credentials as Yes. The default is No. Selecting Yes indicates that the CAS server should always prompt a user for his or her username and password, and allows SSO when a CAS session already exists. If Global Logout is set to No, this is enabled automatically.
- Select Submit to save the configuration.
Note: If the CAS server is using SSL, you need a commercially signed certificate or authentication may fail. If the CAS server uses self-signed certificates, import the certificate into the trusted keystore of the Blackboard Learn application server's JDK.