Single Sign-On (CAS)

Central Authentication Service (CAS) SSO

Your school can be configured to use CAS SSO. Here are the steps for the CAS single sign-on authentication process:

  1. A CAS 2.0 or 3.0 server is set up and reachable by Thought Industries (TI).
  2. In your instance settings, specify the URL of your CAS server's serviceValidate endpoint. If your CAS server is available at https://casserver.org/, then the serviceValidate endpoint is most likely https://casserver.org/serviceValidate for CAS 2.0, or https://casserver.org/p3/serviceValidate for CAS 3.0.
  3. Direct your users to log in to your CAS server with the “service” parameter set to the URI-encoded Thought Industries CAS endpoint: https://myschool.thoughtindustries.com/access/cas or https://www.myvanityurl.com/access/cas

For example:

https://casserver.org/login?service=https%3A%2F%2Fmyschool.thoughtindustries.com%2Faccess%2Fcas

or

https://casserver.org/login?serv

You can optionally specify a URL of a page to redirect the user to after successful authentication.

Here’s an example redirecting to the course catalog:

https://casserver.org/login?service=https%3A%2F%2Fmyschool.thoughtindustries.com%2Faccess%2Fcas%3FreturnTo%3Dhttps%3A%2F%2Fmyschool.thoughtindustries.com%2Fcatalog

or

https://casserver.org/login?service=https://www.myvanityurl.com%2Faccess%2Fcas%3FreturnTo%3Dhttps://www.myvanityurl.com%2Fcatalog

You can optionally specify a license ID to connect the incoming user with a particular license within a Client. To find a license ID: if you are using sublicense functionality, the license ID is shown when you click “Edit” on any sublicense; if you are not using sublicenses, it is shown on the “Master License” tab. Only one license can be specified. Treat this license ID as a secret, similar to a password.

https://casserver.org/login?service=https://www.myvanityurl.com%2Faccess%2Fcas%3FlicenseId%3D5090b9e3-5542-4050-b863-8429fc03ad5b

Both a returnTo and a licenseId can be specified within the same request:

https://casserver.org/login?service=https://www.myvanityurl.com%2Faccess%2Fcas%3FlicenseId%3D5090b9e3-5542-4050-b863-8429fc03ad5b%26returnTo%3Dhttps://www.myvanityurl.com%2Fcatalog
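The URL construction above (the service URL with optional licenseId and returnTo, then the whole service value percent-encoded once as the “service” parameter) as an added Python example; this is not Thought Industries' code. The function names are illustrative, the hosts are the page's sample hosts, and the check that returnTo stays on the school's own host is an addition of this example, not something the page states about the endpoint.

```python
"""Build CAS login URLs for a Thought Industries school (added example).

Assumptions (not from the page): helper names are illustrative, and the
same-host guard on returnTo is this example's own sanity check.
"""
from urllib.parse import quote, urlsplit

CAS_LOGIN = "https://casserver.org/login"   # the page's sample CAS server


def same_host(url_a, url_b):
    """True when both URLs point at the same host (scheme and path ignored)."""
    return urlsplit(url_a).netloc.lower() == urlsplit(url_b).netloc.lower()


def build_service_url(school_base, return_to=None, license_id=None):
    """Return the TI CAS endpoint for `school_base`, carrying the optional
    licenseId / returnTo parameters in the order the page's examples use
    (licenseId first, then returnTo). The returnTo value is placed in the
    service URL unencoded, exactly as the page's examples show."""
    service = school_base.rstrip("/") + "/access/cas"
    params = []
    if license_id:
        params.append("licenseId=" + license_id)   # secret: never log this
    if return_to:
        if not same_host(school_base, return_to):  # added sanity check
            raise ValueError("returnTo must stay on the school's own host")
        params.append("returnTo=" + return_to)
    if params:
        service += "?" + "&".join(params)
    return service


def build_cas_login_url(school_base, return_to=None, license_id=None,
                        cas_login=CAS_LOGIN):
    """The URL to send the user to. safe='' makes quote() encode ':', '/',
    '?', '=' and '&' as well, which is what the page's examples show."""
    service = build_service_url(school_base, return_to, license_id)
    return cas_login + "?service=" + quote(service, safe="")


if __name__ == "__main__":
    print(build_cas_login_url("https://myschool.thoughtindustries.com",
                              return_to="https://myschool.thoughtindustries.com/catalog"))
```

Keep the service value you send to /login byte-for-byte identical to the one you later pass to serviceValidate; CAS servers reject tickets whose service does not match.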

Thought Industries validates the ticket on your CAS server and then grants the user access and directs them to the specified returnTo URL, or the student dashboard if no URL was provided.

If first name, last name, and/or email were not provided in the CAS response, the student will be directed to a screen asking for that additional information. After filling in the fields and clicking submit, the student will then be directed to your specified returnTo URL, or the student dashboard if no URL was provided.

Thought Industries uses the cas:user element of the ticket validation response to uniquely identify the user. If a user already exists with this identifier, their information will be updated.

Additionally, Thought Industries recognizes the following CAS 3.0 attributes:

cas:firstname   First name of the user being signed in.
cas:lastname    Last name of the user being signed in.
cas:email       Email address of the user being signed in.

The following is a complete example of a successful CAS ticket validation response including all optional attributes:

<?xml version="1.0" encoding="UTF-8"?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>test</cas:user>
    <cas:attributes>
      <cas:firstname>bob</cas:firstname>
      <cas:lastname>jones</cas:lastname>
      <cas:email>[email protected]</cas:email>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
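How a relying party handles the validation step described above, as an added Python example (not Thought Industries' code): it builds the serviceValidate request, parses the success response into cas:user plus attributes, reports which of firstname/lastname/email are missing (the case where the student is sent to the extra-information screen), and rejects an authenticationFailure response. The function names are illustrative; the sample XML is constructed after the page's example with a made-up e-mail address, and the failure sample and ticket values are constructed too.

```python
"""Parse CAS 2.0/3.0 serviceValidate responses (added example).

Assumptions (not from the page): function names are illustrative; the
sample documents below are constructed, including the e-mail address
and the ticket strings.
"""
import xml.etree.ElementTree as ET   # production code: prefer defusedxml
from urllib.parse import quote

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
PROFILE_ATTRS = ("firstname", "lastname", "email")

# Constructed sample: the page's success response with a made-up e-mail.
SAMPLE_SUCCESS = """<?xml version="1.0" encoding="UTF-8"?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>test</cas:user>
    <cas:attributes>
      <cas:firstname>bob</cas:firstname>
      <cas:lastname>jones</cas:lastname>
      <cas:email>bob.jones@example.com</cas:email>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: the shape a CAS server returns for a rejected ticket.
SAMPLE_FAILURE = """<?xml version="1.0" encoding="UTF-8"?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-0000-constructed not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def build_validate_url(validate_endpoint, service, ticket):
    """The GET sent back to the CAS server. `service` must be the same
    value that was used on the /login redirect, or the ticket is rejected."""
    return (f"{validate_endpoint}?service={quote(service, safe='')}"
            f"&ticket={quote(ticket, safe='')}")


def parse_service_response(xml_text):
    """Return (user, attributes) for a success response; raise otherwise."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise PermissionError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("response has neither authenticationSuccess nor authenticationFailure")
    user = (success.findtext("cas:user", namespaces=CAS_NS) or "").strip()
    if not user:
        raise ValueError("authenticationSuccess without a cas:user identifier")
    attrs = {}
    attributes = success.find("cas:attributes", CAS_NS)
    if attributes is not None:
        for child in attributes:
            local_name = child.tag.split("}", 1)[-1]   # drop the namespace URI
            attrs[local_name] = (child.text or "").strip()
    return user, attrs


def missing_profile_fields(attrs):
    """Names among firstname/lastname/email the response did not supply;
    a non-empty list is the case where the student is asked to fill them in."""
    return [name for name in PROFILE_ATTRS if not attrs.get(name)]


if __name__ == "__main__":
    user, attrs = parse_service_response(SAMPLE_SUCCESS)
    print(user, attrs, missing_profile_fields(attrs))
```

The parser keys on cas:user first, as the page says Thought Industries does, and treats attributes as optional profile data rather than as identity.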