CalNet Sponsored Guest Integration

The CalNet Sponsored Guest service allows guests to log into your application using their social credential, specifically their Google/Gmail login. To get this access, guests need to be invited by a sponsor, who can be any UC Berkeley employee. When the guest accepts the invitation, the CalNet Sponsored Guest service creates an account using the guest’s Google login.

To allow a CalNet Sponsored Guest access to your application:

  • Contact calnet-admin@berkeley.edu to request access for CalNet Sponsored Guest to your application. Please provide:

    • your application’s CAS URL

    • your LDAP bind account (optional, but needed for access to the Guests OU)

  • Make sure your lookup filters, LDAP calls, and code refer to berkeleyEduAffiliations = GUEST-TYPE-SPONSORED and the Guests OU.

  • Guests will not have a CalNetID; they will still have a CalNet Directory UID

  • The berkeleyEduKerberosPrincipalString value is TBD (probably "UIDnnnnn")

  • Guest accounts may be sponsored by multiple sponsors; any sponsor may re-activate the guest at any time. Your application or your application sponsors will need to actively manage authorization for your guests.

CalNet will do the following:

  • Ensure that your CAS service definition is specific to your application (not the default wildcard service definition).

  • Update your CAS service definition to include CalNet Sponsored Guests.

    • allow berkeleyEduAffiliations = GUEST-TYPE-SPONSORED

  • Update your CAS service definition to use the CAS “cirrus” theme (which includes the CalNet Sponsored Guest sign-in link).

  • Update your LDAP bind account to access the Guests OU if needed.

Example of Available Guest Attributes in LDAP:

dn: uid=nnnnnn,ou=guests,dc=berkeley,dc=edu
objectClass: berkeleyEduPerson
objectClass: eduPerson
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: ucEduPerson
cn: Guest, MyUCB
sn: Guest
uid: nnnnnn
berkeleyEduKerberosPrincipalString: TBD, probably "UIDnnnnn"
mail: email address
berkeleyEduAffiliations: GUEST-TYPE-SPONSORED
berkeleyEduConfidentialFlag: false
berkeleyEduGuestSponsorUid: nnnnnnn  (Note that this is the most recent sponsor to invite the guest)
displayName: MyUCB Guest
givenName: MyUCB
ou: guests
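
The application-side check that the integration steps call for, as an added example (not CalNet's or the project's code): it builds an escaped lookup filter for the Guests OU and authorizes a guest only if the entry carries the sponsored-guest affiliation and the guest is on the application's own allowlist. The function names, the allowlist, and the sample entry are assumptions constructed for illustration.

```python
# Added illustration, not CalNet code. GUESTS_BASE matches the dn shown in the
# attribute listing; function names and the allowlist are hypothetical.
GUESTS_BASE = "ou=guests,dc=berkeley,dc=edu"
GUEST_AFFILIATION = "GUEST-TYPE-SPONSORED"

def escape_filter_value(value):
    """Escape RFC 4515 special characters before placing a value in a filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def guest_filter(uid):
    """Search filter for one sponsored guest; run the search under GUESTS_BASE."""
    return "(&(uid=%s)(berkeleyEduAffiliations=%s))" % (
        escape_filter_value(uid), GUEST_AFFILIATION)

def authorize_guest(entry, allowed_uids):
    """Return (allowed, reason) for an entry shaped {'dn': str, attr: [values]}."""
    # Crude normalization (case, spaces) so the OU suffix comparison is stable.
    dn = entry.get("dn", "").lower().replace(" ", "")
    if not dn.endswith("," + GUESTS_BASE):
        return False, "entry is not in the Guests OU"
    if GUEST_AFFILIATION not in entry.get("berkeleyEduAffiliations", []):
        return False, "missing sponsored-guest affiliation"
    uids = entry.get("uid", [])
    if len(uids) != 1:
        return False, "expected exactly one uid"
    # Any sponsor can re-activate a guest, so an active directory account is
    # not authorization by itself; the application's own allowlist decides.
    if uids[0] not in allowed_uids:
        return False, "guest not authorized for this application"
    return True, "ok"

# Constructed sample entry, shaped like the attribute listing above.
SAMPLE = {
    "dn": "uid=123456,ou=guests,dc=berkeley,dc=edu",
    "uid": ["123456"],
    "berkeleyEduAffiliations": [GUEST_AFFILIATION],
    "berkeleyEduGuestSponsorUid": ["7654321"],
}

if __name__ == "__main__":
    print(guest_filter("123456"))
    print(authorize_guest(SAMPLE, {"123456"}))  # guest on the app allowlist
    print(authorize_guest(SAMPLE, set()))       # active guest, not authorized
```

Key the allowlist on the CalNet Directory UID, since guests have no CalNetID, and remove entries when a guest's access to your application should end.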