Starting in the Summer/Fall of 2019, CAS will begin enforcing a default authorization policy on applications (also known as CAS clients).
Check back here periodically as this information is subject to change.
February 11, 2019: Implemented in auth-test.berkeley.edu
TBD: Implement in auth.berkeley.edu
The default authorization policy will allow only the following types of accounts to proceed:
- HCM affiliates
For example, guests, alumni, and test accounts will be denied access by default.
This does not preclude applications from implementing additional authorization rules internally or from requesting a different CAS authorization scheme when they are registered.
For detailed information on how to determine which accounts will be permitted by default, see the list of people OU affiliations.
If your application is already registered, meaning you have provided the application URLs to the CalNet team, then you will not be impacted by this change. If, however, you are using CAS and you have not registered your application, you will be subject to the new default authorization policy.
New applications will be subject to the default authorization policy. There will be an option to opt out of default authorizations if your application provides its own authorization logic, or if you wish to have more specific authorizations provided by CAS. Find out more about the CAS registration process.