Leveraging CAS with Luminis

March 28, 2006 | 4 Comments

In SunGard Higher Education's Luminis product, one of the many add-on packages you can install is CAS support. CAS is an acronym for Central Authentication Service. This WebISO solution is one of the most common in higher education. CAS was originally created by Yale, but ongoing support has been taken over by JA-SIG. When the CAS package is installed in Luminis, Luminis acts as a CAS authentication provider. On top of this built-in Luminis support, we use a CAS client library called phpCAS, which makes deployment within our environment even simpler.

Time and again, CAS has been proven an effective and simple way for us to quickly drop authentication ability into our homegrown PHP applications. Once a function was developed, this was easily reused across dozens of applications within a few short months. The ease of deployment made it easy to convince various developers to switch from custom authentication schemes.

In a PHP application on any of the servers in your environment you can do something like the following:

PHP:

    <?php

    function casify()
    {
        // import phpCAS lib (http://esup-phpcas.sourceforge.net/)
        include_once($GLOBALS['INCLUDES'].'/cas/CAS.php');

        // initialize phpCAS: protocol version, CAS server host, port, URI path
        phpCAS::client(CAS_VERSION_2_0,'luminis.institution.edu',443,'cas/');

        // current phpCAS releases also expect phpCAS::setCasServerCACert()
        // to be called here so the CAS server's certificate is verified

        // check CAS authentication (redirects to the CAS login page if needed)
        phpCAS::forceAuthentication();

        // at this step, the user has been authenticated by the CAS server
        // and the user's login name can be read with phpCAS::getUser().

        return phpCAS::getUser();
    }


    $username = casify();

    // nothing past the execution of casify() would occur without acquiring a valid CAS ticket

    ?>

Note: the preceding code is an example. More sophisticated functionality can be accomplished using CAS; this is merely a starting point for people interested in this WebISO technology.
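What a call like casify() involves at the protocol level, as an added example that is not code from the original post or from phpCAS: the three CAS 2.0 steps (login redirect, ticket validation URL, parsing the serviceValidate response) written out by hand. The host and /cas/ path come from the client() call above; the application URL, ticket and XML responses are constructed for illustration.

```php
<?php
// Added example, not phpCAS source. Host and path come from the post's
// client() call; the service URL, ticket and XML below are constructed.
const CAS_BASE = 'https://luminis.institution.edu/cas/';
const CAS_NS   = 'http://www.yale.edu/tp/cas';

// Step 1: an unauthenticated browser is redirected here; "service" is the
// page the user asked for, so CAS can send them back to it after login.
function casLoginUrl(string $service): string
{
    return CAS_BASE . 'login?service=' . urlencode($service);
}

// Step 2: CAS sends the browser back with ?ticket=ST-...; the application
// validates that one-time ticket server-to-server over HTTPS at this URL.
function casValidateUrl(string $service, string $ticket): string
{
    return CAS_BASE . 'serviceValidate?service=' . urlencode($service)
         . '&ticket=' . urlencode($ticket);
}

// Step 3: trust a username only from an authenticationSuccess element in the
// CAS namespace; anything else (failure, malformed XML, empty body) is null.
function casUserFromResponse(string $xml): ?string
{
    $doc = new DOMDocument();
    if ($xml === '' || !@$doc->loadXML($xml, LIBXML_NONET)) {
        return null;
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('cas', CAS_NS);
    $nodes = $xp->query('/cas:serviceResponse/cas:authenticationSuccess/cas:user');
    if ($nodes === false || $nodes->length !== 1) {
        return null;
    }
    $user = trim($nodes->item(0)->textContent);
    return $user === '' ? null : $user;
}

$service = 'https://apps.institution.edu/report.php?id=7'; // hypothetical app page
$ok   = "<cas:serviceResponse xmlns:cas='" . CAS_NS . "'><cas:authenticationSuccess>"
      . "<cas:user>jdoe</cas:user></cas:authenticationSuccess></cas:serviceResponse>";
$fail = "<cas:serviceResponse xmlns:cas='" . CAS_NS . "'><cas:authenticationFailure"
      . " code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>"
      . "</cas:serviceResponse>";

echo casLoginUrl($service), "\n";
echo casValidateUrl($service, 'ST-1-constructed'), "\n";
var_dump(casUserFromResponse($ok), casUserFromResponse($fail), casUserFromResponse('<x>'));
```

The service value must be identical in the login and validation requests, and the validation fetch must verify the CAS server's TLS certificate; otherwise the username in the response cannot be trusted.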

cas, development, education, higher education, identity management, jasig, luminis, php, phpcas, security, sungard, sungard higher education, web development, yale, yalecas


Web Initial Sign-on (WebISO)

March 8, 2006 | 6 Comments

Web initial sign-on, or WebISO, is a term defined by Internet2 as a system

designed to allow users, with standard web browsers, to authenticate to web-based services across many web servers, using a standard, typically username/password-based central authentication service.

They created the definition, but that doesn't mean I need to like it... I'd like to propose an alternate working definition:

A single point for web based authentication which provides SSO across multiple systems and services.

I think that could be word-smithed further to really get it nice and concise. Please comment any recommendations you have on this.

What excites me about WebISO solutions is their fantastic ability to deep link systems and services. Users can bookmark or share URLs, and when someone accesses these systems and services they will be required to provide credentials and then be directed through to what they need. This also sets up applications in a loosely coupled structure ideal for changing individual services without affecting others.

The drawback of this approach (when compared against a monolithic portal application) is that there is generally no single welcome screen presented to users after authenticating. This loss of a "funnel" approach can cause weaknesses in communication and a perceived loss of control in your user population. Another potential area for weakness is providing a directory of services and ways for users to find what they need initially.

For those not familiar, a couple of examples of real-life WebISO tools would be: CAS (now JA-SIG as opposed to Yale), Pubcookie, WebAuth (from Duke), Shibboleth, and more.

sso, single sign-on, webiso, "web initial sign-on", cas, yale cas, "central authentication service", webauth, duke, yale, identity, identity management, federation, definition, authentication
