CalNet Sponsored Guest Integration

The CalNet Sponsored Guest service allows guests to log into your application using their personal Google/Gmail login. In order to get this access, guests need to be invited by a sponsor, which can be any UC Berkeley employee. Upon the guest’s acceptance of the invitation, the CalNet Sponsored Guest service creates an account using the guest’s Google login.

To allow CalNet Sponsored Guests access to your application:

  • Open a Service Request in Service Now to Modify your CAS service.  Please include the following information:

    • Service Name: your application name

    • Service URL: your application CAS url

    • Please describe the changes you need to make to your CAS service in detail: include your LDAP bind account, and a note that you want to allow Sponsored Guests to access your service.

  • Make sure your lookup filters, LDAP calls, and code refer to berkeleyEduAffiliations = GUEST-TYPE-SPONSORED  and the Guests OU

CalNet will do the following:

  • Ensure that your CAS service definition is specific to your application (not the default wildcard service definition).

  • Update your CAS service definition to include CalNet Sponsored Guests.

    • allow berkeleyEduAffiliations = GUEST-TYPE-SPONSORED

  • Update your CAS service definition to use the CAS “cirrus” theme (which includes the CalNet Sponsored Guest sign in link ).

  • Update your LDAP bind account to access the Guests OU if needed.

Important changes regarding Sponsored Guests:

  • Sponsored Guests do not have a CalNetID; they do still have a CalNet UID
  • The berkeleyEduKerberosPrincipalString will contain uidNNNNNNN where the NNNs are the UID value

  • Sponsored Guest accounts may be sponsored by multiple sponsors; any sponsor may re-activate the guest at any time. Your application or your application sponsors will need to actively manage authorization to your guests.

Example of Available Guest Attributes in LDAP:

dn: uid=NNNNNNN,ou=guests,dc=berkeley,dc=eduobjectClass: berkeleyEduPersonobjectClass: eduPersonobjectClass: inetOrgPersonobjectClass: organizationalPersonobjectClass: personobjectClass: topobjectClass: ucEduPersoncn: Guest, MyUCBsn: Guestuid: NNNNNNNberkeleyEduKerberosPrincipalString:  uidNNNNNNN
mail:  <guest email address>
berkeleyEduAffiliations: GUEST-TYPE-SPONSORED
berkeleyEduConfidentialFlag: false
berkeleyEduGuestSponsorUid: nnnnnnn  (Note that this is the most recent sponsor to invite the guest)
displayName: MyUCB Guest
givenName: MyUCB
ou: guests

Need more help? Email calnet-admin@berkeley.edu for assistance.