CAS default authorization

Summary

Starting in the Summer/Fall of 2019, CAS will begin enforcing a default authorization policy on applications (also known as CAS clients).

Check back here periodically as this information is subject to change.

Milestone Dates

February 11, 2019:  Implemented in auth-test.berkeley.edu

TBD:  Implement in auth.berkeley.edu

Details

The default authorization policy will allow only the following types of accounts to proceed:

  • Students
  • Staff
  • HCM affiliates

For example, guests, alumni, and test accounts will be denied access by default.

This does not preclude applications from implementing additional authorization rules internally or from requesting a different CAS authorization scheme when they are registered.

For detailed information on how to determine which accounts will be permitted by default, see the list of people ou affiliations.

Impact

Existing Applications

If your application is already registered, meaning you have provided the application URLs to the CalNet team, then you will not be impacted by this change. If, however, you are using CAS and you have not registered your application, you will be subject to the new default authorization policy.

New Applications

New applications will be subject to the default authorization policy. There will be an option to opt out of default authorizations if your application provides its own authorization logic, or if you wish to have more specific authorizations provided by CAS. Find out more about the CAS registration process.