CAS (Central Authentication System) is an identity provider that can be integrated into Ensemble Video for a single sign-on user experience.
- Prerequisites on CAS Server
- Pre-Requisites on Ensemble Server
- CAS Client Setup
- Ensemble Setup
- Notes
- Step by Step: How It Works
Prerequisites on CAS Server
- SAML 1.1 support is required
- Must release attributes for givenName, surname, email and primary role
Prerequisites on Ensemble Server
- Must have Ensemble Video 4.2 or higher
Ensemble 4.2 and higher creates a top-level folder in IIS called CAS. This folder (e.g. C:\inetpub\wwwroot\ensemble\cas) contains the configuration files (web.config, configs/authentication.config and configs/cas-client.config) used to configure the CAS client for your installation. In IIS Manager this folder must be converted into an IIS Application.
CAS Client Setup
Locate and edit the configs/cas-client.config file. It contains CAS Client settings; at minimum you must configure:
- casServerLoginUrl = URL to login on CAS server
- casServerUrlPrefix = root of CAS server application
- serverName = root of ensemble server
- ticketValidatorName = Saml11 (only Saml11 will release attributes)
For example:
<casClientConfig
casServerLoginUrl="https://casserver.domain.com/cas/login"
casServerUrlPrefix="https://casserver.domain.com/cas"
serverName="https://ensemble.evdomain.com"
ticketValidatorName="Saml11" … />
Locate and edit the configs/authentication.config file. It contains CAS Authentication settings; at minimum you must configure:
- LoginUrl = URL to login on CAS server
- Name = name of the cookie (string of characters)
For example:
<forms
loginUrl="https://casserver.domain.com/cas/login"
name="evCas" … />
Application Settings in web.config:
- DebugMode = If "true", the system will display CAS information on the page and you must manually complete the transfer to Ensemble (click a link).
Ensemble Setup
- Enable CAS Authentication in Administration > System > Settings > Enable CAS
- Create a CAS identity provider. The Domain should match the name of the IIS CAS application. For example, if you created a C:\inetpub\wwwroot\ensemble\cas3 folder and converted it into the IIS application cas3, the Domain should be /cas3
- Set up at least one provisioning rule so that the identity can be created in Ensemble and assigned to a library
Notes
- Multiple-institution support comes from multiple copies of the application: https://ensemble.evdomain.com/cas, https://ensemble.evdomain.com/cas2, etc. Each has its own web.config and CAS settings, pointing back to its respective CAS server
- Attribute support is required, which means CAS authentication with the Saml11 protocol
Step by Step: How It Works
- The entry page (perhaps an institution-branded page) redirects to https://ensemble.evdomain.edu/cas
- https://ensemble.evdomain.edu/cas starts CAS authentication based on the settings in the CAS client configuration files and redirects the end user to the institutional CAS server
- The end user authenticates to the institutional CAS server, which on successful authentication redirects back to https://ensemble.evdomain.edu/cas
- https://ensemble.evdomain.edu/cas then:
  - Parses the CAS attributes into a CasAssertionModel (required because Ensemble needs them for provisioning)
  - Sets an Ensemble authentication cookie
  - Redirects to https://ensemble.evdomain.edu/app/casauth/
- https://ensemble.evdomain.edu/app/casauth then:
  - Performs provisioning based on the rules and the attributes in the CasAssertionModel
  - Sets an Ensemble authentication cookie
  - Redirects to the user's default library
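The redirect chain above, as an added worked example; this is not Ensemble Video's or the .NET CAS client's own code. It builds the login redirect from the cas-client.config values, validates a constructed Saml11 samlValidate response the way the /cas application must before trusting it (success status, validity window, audience equal to serverName plus the application path, the four required attributes present), fills a CasAssertionModel, and then applies constructed provisioning rules as /app/casauth does. The attribute name primaryRole, the rule format, the sample response and all hostnames are assumptions.

```python
# Added illustration of the CAS -> Ensemble hand-off; not code from Ensemble Video
# or the .NET CAS client. Hostnames, the SAML response, the attribute name
# "primaryRole" and the provisioning rules are constructed/assumed sample data.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Mirrors the configs/cas-client.config example (constructed values).
CAS_CLIENT_CONFIG = {
    "casServerLoginUrl": "https://casserver.domain.com/cas/login",
    "casServerUrlPrefix": "https://casserver.domain.com/cas",
    "serverName": "https://ensemble.evdomain.com",
    "ticketValidatorName": "Saml11",
}
SERVICE_PATH = "/cas"  # the IIS application named by the identity provider's Domain
REQUIRED_ATTRIBUTES = ("givenName", "surname", "email", "primaryRole")  # assumed names
NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
SAMPLE_NOW = datetime(2024, 1, 1, 12, 2, tzinfo=timezone.utc)  # clock for the sample

# Constructed sample of what a CAS server returns to a Saml11 ticket validator.
SAMPLE_SAML_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body><saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol"
  Recipient="https://ensemble.evdomain.com/cas" MajorVersion="1" MinorVersion="1">
 <saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
 <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" Issuer="casserver.domain.com">
  <saml1:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml1:AudienceRestrictionCondition><saml1:Audience>https://ensemble.evdomain.com/cas</saml1:Audience></saml1:AudienceRestrictionCondition>
  </saml1:Conditions>
  <saml1:AuthenticationStatement>
   <saml1:Subject><saml1:NameIdentifier>jdoe</saml1:NameIdentifier></saml1:Subject>
  </saml1:AuthenticationStatement>
  <saml1:AttributeStatement>
   <saml1:Attribute AttributeName="givenName"><saml1:AttributeValue>Jane</saml1:AttributeValue></saml1:Attribute>
   <saml1:Attribute AttributeName="surname"><saml1:AttributeValue>Doe</saml1:AttributeValue></saml1:Attribute>
   <saml1:Attribute AttributeName="email"><saml1:AttributeValue>jdoe@evdomain.edu</saml1:AttributeValue></saml1:Attribute>
   <saml1:Attribute AttributeName="primaryRole"><saml1:AttributeValue>faculty</saml1:AttributeValue></saml1:Attribute>
  </saml1:AttributeStatement>
 </saml1:Assertion>
</saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""


def build_login_redirect(cfg=CAS_CLIENT_CONFIG):
    """Step 2: /cas sends the browser to casServerLoginUrl, naming serverName + /cas
    as the service the CAS server must send the ticket back to."""
    return cfg["casServerLoginUrl"] + "?" + urlencode({"service": cfg["serverName"] + SERVICE_PATH})


@dataclass
class CasAssertionModel:
    """Attributes released by CAS, kept so that /app/casauth can run provisioning."""
    username: str
    attributes: dict = field(default_factory=dict)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_saml11_response(xml_text, expected_service, now):
    """Step 4: check the samlValidate response and build the CasAssertionModel.
    Rejects a failed status, an assertion outside its validity window, an assertion
    issued for a different service (e.g. another institution's /cas2 copy), and a
    response that lacks any of the attributes provisioning depends on."""
    root = ET.fromstring(xml_text)
    code = root.find(".//samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith("Success"):
        raise ValueError("CAS reported ticket validation failure")
    assertion = root.find(".//saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if expected_service not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
        raise ValueError("assertion was not issued for this service")
    subject = assertion.find(".//saml:AuthenticationStatement//saml:NameIdentifier", NS)
    attrs = {a.get("AttributeName"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    missing = [name for name in REQUIRED_ATTRIBUTES if name not in attrs]
    if missing:
        raise ValueError(f"CAS server did not release required attributes: {missing}")
    return CasAssertionModel(subject.text, attrs)


# Constructed provisioning rules: value of primaryRole -> library the identity is set to.
PROVISIONING_RULES = [
    {"attribute": "primaryRole", "equals": "faculty", "library": "Faculty Media"},
    {"attribute": "primaryRole", "equals": "student", "library": "Student Media"},
]


def provision(model, rules=PROVISIONING_RULES):
    """Step 5: apply the first matching rule; with no match no identity is created."""
    for rule in rules:
        if rule["equals"] in model.attributes.get(rule["attribute"], []):
            return {"username": model.username,
                    "displayName": f"{model.attributes['givenName'][0]} {model.attributes['surname'][0]}",
                    "email": model.attributes["email"][0],
                    "library": rule["library"]}
    raise LookupError("no provisioning rule matched; identity cannot be created")
```

Run it with `parse_saml11_response(SAMPLE_SAML_RESPONSE, CAS_CLIENT_CONFIG["serverName"] + SERVICE_PATH, SAMPLE_NOW)` followed by `provision(...)`. The audience check is what keeps the multiple-institution layout honest: a ticket the CAS server issued for /cas2 names that copy as its audience, so /cas refuses it even though both applications sit on the same Ensemble host, and the missing-attribute check turns a CAS server that does not release attributes (the Saml11 requirement in the Notes) into an immediate error rather than an identity with blank fields.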