Apereo CAS provides centralized authentication for supported web applications. It is one of the two standard mechanisms for authentication at NDSU and is used where possible. It is the preferred mechanism for providing authentication for internal NDSU resources, and secondary for external resources after InCommon.
CAS usage for an application requires approval, which is easy to obtain. To use CAS in your application or your vendor's application please contact the NDSU Help Desk.
CAS as implemented at NDSU supports these protocols:
- CAS 2.0: Not recommended; does not return extended attributes.
- CAS 3.0: Preferred CAS protocol. Allows for attribute return.
- SAML 1.1: Preferred SAML protocol. Allows for attribute return.
- SAML 2.0: Allows for attribute return.
Single sign-on is available but not enabled unless requested. Single sign-out is not supported.
The following assumptions are valid:
- User ids are unique: The user ids returned by CAS are the unique IID / eID, typically of the form firstname.lastname.
- User ids are lower case: User ids are always returned in lower case.
- Usernames are not email addresses: While CAS does allow email@example.com, the username attribute never contains a domain.
- services attribute is authoritative: The services attribute is maintained by ECI.
- nid never changes: The NID is a numeric attribute for users that never changes and is appropriate for use as a Unix numeric id.
The following are not valid assumptions:
- Authentication implies authorization: Authentication does not imply anything about the relationship of the user with NDSU. Guests, affiliates, and other accounts can authenticate against NDSU CAS.
- User IDs are unchanging: User IDs (iid / eID) are frequently changed by end users. However, each ID will only reference one person.
- User ids have meaning: User ids have no meaning, and none should be taken from the id.
- Additional attributes have been verified: Many other attributes can be returned by CAS. However, not all of these have been verified or are authoritative. The only authoritative attributes are username (iid/eID), uid, nid, and services.
The following settings are for production CAS:
- Host: apps.ndsu.edu
- Port: 443
- Path: /cas/
Endpoints:
- CAS 3.0 Service Validation
- CAS 2.0 Service Validation
- SAML Service Validation
- SAML 2.0 Metadata
The following are possible attributes that can be returned in SAML 1.1, SAML 2.0, and CAS 3.0 responses. How to retrieve these attributes.
- displayName: givenName + sn
- eduPersonEntitlement: List of entitlement identifiers granted to the individual
- eduPersonPrincipalName: Same ePPN as provided via InCommon, scoped to @ndsu.edu. Will change over time.
- eduPersonUniqueId: Same ePUID as provided via InCommon, scoped to @ndsu.edu. Will not change for a given account and is not shared across multiple accounts for a single user. This is the best choice for an immutable value to identify a user.
- givenName: Given name, normally preferred name from PeopleSoft
- mail: Email address for the user
- memberOf: List of Active Directory group memberships
- name: givenName + sn
- nid: Unix numeric id. This is immutable.
- scopedAffiliation: Same ePSA as provided via InCommon. See the eduPersonScopedAffiliation values section below.
- sn: Surname, normally preferred last name from PeopleSoft
- uid: Deprecated. You should not use this attribute for new integrations.
- username: The user's user name. This is the IID / eID normally used by the user. It has been cleaned up to remove any domain and trimmed.
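As an added example (not from the NDSU documentation), a minimal client-side parser for a CAS 3.0 serviceValidate response that applies the assumptions and attribute notes above: it reads multi-valued attributes, keys the account on eduPersonUniqueId or nid rather than the changeable username, and treats a successful authentication as insufficient for access until a required scopedAffiliation value is present. The responses and affiliation values are constructed (standard eduPerson vocabulary scoped to @ndsu.edu, assumed to match NDSU's).

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample CAS 3.0 serviceValidate responses (not captured from NDSU).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jane.doe</cas:user>
    <cas:attributes>
      <cas:username>jane.doe</cas:username>
      <cas:nid>123456</cas:nid>
      <cas:eduPersonUniqueId>x7k2p9@ndsu.edu</cas:eduPersonUniqueId>
      <cas:scopedAffiliation>member@ndsu.edu</cas:scopedAffiliation>
      <cas:scopedAffiliation>student@ndsu.edu</cas:scopedAffiliation>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_cas3_response(xml_text):
    """Return (user, attributes) for a successful validation, else None.
    Attribute values are lists because CAS repeats the element for
    multi-valued attributes such as scopedAffiliation."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None  # <cas:authenticationFailure>: treat as not logged in
    user = success.findtext("cas:user", namespaces=CAS_NS)
    attrs = {}
    for el in success.findall("cas:attributes/*", CAS_NS):
        name = el.tag.split("}", 1)[-1]  # drop the namespace URI
        attrs.setdefault(name, []).append((el.text or "").strip())
    return user, attrs


def stable_key(attrs):
    """Key to store for the account: ePUID, then nid (both immutable); never the username."""
    for name in ("eduPersonUniqueId", "nid"):
        if attrs.get(name):
            return attrs[name][0]
    raise ValueError("no immutable identifier in response")


def is_authorized(attrs, required_affiliation):
    """Authentication is not authorization: require a scopedAffiliation value."""
    return required_affiliation in attrs.get("scopedAffiliation", [])
```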
eduPersonScopedAffiliation is provided by Shibboleth and CAS (under scopedAffiliation). This can be, and most likely is, a multi-valued field. The values currently in use and their meanings are:
- firstname.lastname@example.org: Indicates that the account belongs to someone who is a member of the NDSU community and should receive services and access accordingly. Generally this is set by having one of the affiliations below.
- email@example.com: Indicates that the person is currently enrolled as a student for at least one credit at NDSU. This is cleaned up during fall and spring purges. Additionally, after the last day to add online for fall and spring semesters this is also cleaned up. This means that students from the spring will remain marked as students over the summer, even if they are not enrolled for credits during summer. This implies firstname.lastname@example.org.
- email@example.com: Indicates that the person is employed with the institution in some way. This includes faculty, staff, student employees, and temporary employees. This implies firstname.lastname@example.org.
- email@example.com: Indicates that the person is employed as a staff member with the institution. This implies firstname.lastname@example.org.
- email@example.com: Indicates that the person is employed as a faculty member with the institution. This implies firstname.lastname@example.org.