CAS Configuration

CAS (Central Authentication System) is an identity provider that can be integrated into Ensemble Video for a single sign-on user experience.

Prerequisites on CAS Server

  • SAML 1.1 support is required
  • Must release attributes for givenName, surname, email, primary role

Prerequisites on Ensemble Server

  • Must have Ensemble Video 4.2 or higher

Ensemble 4.2 and higher creates a top-level folder in IIS called CAS. This folder (e.g. C:\inetpub\wwwroot\ensemble\cas) contains the configuration files (web.config, configs/authentication.config and configs/cas-client.config) that are used to configure the CAS client for your installation. In IIS Manager, this folder must be converted into an IIS application.

CAS Client Setup

Locate and edit the configs/cas-client.config file. It contains CAS Client settings; at minimum you must configure:

  • casServerLoginUrl = URL to login on CAS server
  • casServerUrlPrefix = root of CAS server application
  • serverName = root of Ensemble server
  • ticketValidatorName = Saml11 (only Saml11 will release attributes)

For example:

   <casClientConfig
        casServerLoginUrl="https://casserver.domain.com/cas/login"
        casServerUrlPrefix="https://casserver.domain.com/cas"
        serverName="https://ensemble.evdomain.com"
        ticketValidatorName="Saml11"   …  />

 

Locate and edit the configs/authentication.config file. It contains CAS Authentication settings; at minimum you must configure:

  • loginUrl = URL to login on CAS server
  • name = name of the cookie (string of characters)

For example:

   <forms
       loginUrl="https://casserver.domain.com/cas/login"
       name="evCas"  …  />
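
The settings above can be checked for consistency before IIS loads them. The following is an added example, not part of Ensemble Video or the CAS client: it flags typographic quotes picked up by copy/paste, non-https URLs, a validator other than Saml11, and a forms loginUrl that disagrees with casServerLoginUrl. It assumes each file contains the element shown above; check_cas_config and the sample strings are hypothetical names constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples reusing the article's example hostnames (real files have more attributes).
SAMPLE_CLIENT = """<casClientConfig
    casServerLoginUrl="https://casserver.domain.com/cas/login"
    casServerUrlPrefix="https://casserver.domain.com/cas"
    serverName="https://ensemble.evdomain.com"
    ticketValidatorName="Saml11" />"""
SAMPLE_FORMS = '<forms loginUrl="https://casserver.domain.com/cas/login" name="evCas" />'
SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # curly quotes picked up by copy/paste

def _element(text, tag, label, problems):
    """Parse one fragment and return the named element, or None on failure."""
    if any(q in text for q in SMART_QUOTES):
        problems.append(f"{label}: typographic quotes found, use plain ASCII quotes")
        return None
    try:
        found = next(ET.fromstring(text).iter(tag), None)
    except ET.ParseError as exc:
        problems.append(f"{label}: not well-formed XML ({exc})")
        return None
    if found is None:
        problems.append(f"{label}: no <{tag}> element")
    return found

def check_cas_config(client_xml, forms_xml):
    """Return a list of problems (empty when the settings are consistent)."""
    problems = []
    client = _element(client_xml, "casClientConfig", "cas-client.config", problems)
    forms = _element(forms_xml, "forms", "authentication.config", problems)
    if client is None or forms is None:
        return problems
    c, f = client.attrib, forms.attrib
    for key in ("casServerLoginUrl", "casServerUrlPrefix", "serverName"):
        if urlsplit(c.get(key, "")).scheme != "https":
            problems.append(f"{key}: missing or not an https URL")
    # Assumption from the article's example: the login URL sits under the prefix.
    prefix = c.get("casServerUrlPrefix", "").rstrip("/") + "/"
    if not c.get("casServerLoginUrl", "").startswith(prefix):
        problems.append("casServerLoginUrl is not under casServerUrlPrefix")
    if c.get("ticketValidatorName") != "Saml11":
        problems.append("ticketValidatorName must be Saml11 for attribute release")
    # Both settings are described as the CAS login URL, so they should agree.
    if f.get("loginUrl") != c.get("casServerLoginUrl"):
        problems.append("forms loginUrl differs from casServerLoginUrl")
    if not f.get("name"):
        problems.append("forms name (cookie name) is empty")
    return problems
```

Pass the text of each config file to check_cas_config; an empty list means the checked settings agree with each other.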

Application Settings in web.config:

  • DebugMode = If "true", the system displays CAS information on the page and you must manually complete the transfer to Ensemble (by clicking a link).

Ensemble Setup 

  • Enable CAS Authentication in Administration > System > Settings > Enable CAS

  • Create a CAS identity provider. The Domain should match the name of the IIS CAS application. For example, if you created the folder C:\inetpub\wwwroot\ensemble\cas3 and converted it into the IIS application cas3, the Domain should be /cas3

  • Set up at least one provisioning rule so that the identity can be created in Ensemble and assigned to a library

Notes

  • Multiple-institution support comes from multiple copies of the CAS application (https://ensemble.evdomain.com/cas, https://ensemble.evdomain.com/cas2, etc.). Each has its own web.config and CAS settings, pointing back to its respective CAS server.
  • Attribute support is required, which means CAS auth with Saml11 protocol

Step by Step : How It Works

  1. Entry page (Institution Branded page, perhaps) redirects to https://ensemble.evdomain.edu/cas
  2. https://ensemble.evdomain.edu/cas starts CAS authentication based on the settings in the CAS client configuration files and redirects the end-user to the institutional CAS server
  3. End-user authenticates to the institutional CAS server, which on auth success redirects back to https://ensemble.evdomain.edu/cas
  4. https://ensemble.evdomain.edu/cas
    • Reads the CAS attributes and creates a CasAssertionModel (required because Ensemble needs the attributes for provisioning)
    • Sets an ensemble authentication cookie
    • Redirects to https://ensemble.evdomain.edu/app/casauth/
  5. https://ensemble.evdomain.edu/app/casauth
    • Performs provisioning based on rules and the attributes in the CasAssertionModel
    • Sets an ensemble authentication cookie
    • Redirects to the user's default library