The CalNet Sponsored Guest service allows guests to log into your application using their social credential, specifically their Google/Gmail login. In order to get this access, guests need to be invited by a sponsor, which can be any UC Berkeley employee. Upon the guest’s acceptance of the invitation, the CalNet Sponsored Guest service creates an account using the guest’s Google login.
To allow a CalNet Sponsored Guest access to your application:
Contact firstname.lastname@example.org to request access for CalNet Sponsored Guest to your application. Please provide:
  - your application’s CAS URL
  - your LDAP bind account (optional, but needed for access to the Guests OU)
Make sure your lookup filters, LDAP calls, and code refer to berkeleyEduAffiliations = GUEST-TYPE-SPONSORED and the Guests OU
Guests will not have a CalNetID; they will still have a CalNet Directory UID
The berkeleyEduKerberosPrincipalString value is still TBD (probably "UIDnnnnn")
Guest accounts may be sponsored by multiple sponsors; any sponsor may re-activate the guest at any time. Your application or your application sponsors will need to actively manage authorization for your guests.
CalNet will do the following:
Ensure that your CAS service definition is specific to your application (not the default wildcard service definition).
Update your CAS service definition to include CalNet Sponsored Guests.
  - allow berkeleyEduAffiliations = GUEST-TYPE-SPONSORED
Update your CAS service definition to use the CAS “cirrus” theme (which includes the CalNet Sponsored Guest sign-in link).
Update your LDAP bind account to access the Guests OU if needed.
Example of Available Guest Attributes in LDAP:
cn: Guest, MyUCB
berkeleyEduKerberosPrincipalString: TBD, probably "UIDnnnnn"
Mail: email address
berkeleyEduGuestSponsorUid: nnnnnnn (Note that this is the most recent sponsor to invite the guest)
displayName: MyUCB Guest
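The lookup filter and the "actively manage authorization" requirement described above, as an added example that is not CalNet's or the page's own code. The `uid` attribute name, the application-side approved list and the sample entries are assumptions constructed for illustration.

```python
GUEST_AFFILIATION = "GUEST-TYPE-SPONSORED"  # value given on this page

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def guest_filter(uid):
    """Filter for one sponsored guest; the 'uid' attribute name is an assumption."""
    return "(&(berkeleyEduAffiliations=%s)(uid=%s))" % (
        GUEST_AFFILIATION, escape_filter_value(uid))

def values(entry, attr):
    """Attribute values as a list; LDAP attribute names are case-insensitive."""
    for name, val in entry.items():
        if name.lower() == attr.lower():
            return list(val) if isinstance(val, (list, tuple)) else [val]
    return []

def authorize_guest(entry, approved_guest_uids):
    """Decide access for a CAS-authenticated user's directory entry.

    The guest affiliation proves only that some employee invited the person.
    Access is keyed on the guest's UID in the application's own list
    (hypothetical), not on berkeleyEduGuestSponsorUid, which holds only the
    most recent sponsor and changes when someone else re-invites the guest.
    """
    if GUEST_AFFILIATION not in values(entry, "berkeleyEduAffiliations"):
        return (False, "not a sponsored guest")
    uids = values(entry, "uid")
    if len(uids) != 1 or uids[0] not in approved_guest_uids:
        return (False, "guest not approved for this application")
    return (True, "approved guest")

# Constructed sample entries (not real directory data).
APPROVED = {"1000001"}
GUEST_A = {"uid": ["1000001"], "berkeleyEduAffiliations": [GUEST_AFFILIATION],
           "berkeleyEduGuestSponsorUid": ["2000002"]}
GUEST_B = {"uid": ["1000003"], "berkeleyEduAffiliations": [GUEST_AFFILIATION],
           "berkeleyEduGuestSponsorUid": ["2000002"]}

if __name__ == "__main__":
    print(guest_filter("1000001"))
    for e in (GUEST_A, GUEST_B):
        print(e["uid"][0], authorize_guest(e, APPROVED))
```

Removing a UID from the application's approved list revokes access even if a sponsor later re-activates the guest account.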