CAS Authorizations

Summary

Starting February 18, 2020, CAS will begin enforcing a default authorization policy on applications (also known as CAS clients).

Check back here periodically as this information is subject to change.

Milestone Dates

February 11, 2019:  Implemented in auth-test.berkeley.edu

February 18, 2020:  Implement in auth.berkeley.edu

Impact

Existing Applications

If your application is already registered, meaning you have provided the application URLs to the CalNet team, you will not be impacted by this change.  If, however, you are using CAS and have not registered your application, you will be subject to the new default authorization policy.

New Applications

New applications will be subject to the default authorization policy.  There will be an option to opt-out of default authorizations if your application provides its own authorization logic, or if you wish to have more specific authorizations provided by CAS.  Find out more about the CAS registration process.

CAS Authorizations

The intent of CAS authorizations is to ensure that every registered service applies some level of authorization, and to configure the CalNet Default AuthZ for services that do not provide any.

All services should have a Default AuthZ or some combination of CAS Service AuthZ and application AuthZ.

Default AuthZ 

This is applied as a required attribute in the CAS Service Definition.  The attribute check verifies that the authenticating principal is a member of the Default AuthZ group; principals outside that group are denied access to the service.

The current makeup of the Default AuthZ CalGroups group is:

  • All SPA UIDs (a SPA is allowed only if both the SPA UID and the user UID are allowed)

  • CalNet Test Accounts and rSPAs with AFFILIATE-TYPE-TEST

  • CalNet Departmental Accounts

  • Active Employees, UCPath Affiliates, and Students

  • Employees, UCPath Affiliates, and Students in Grace Period

Note: Guests and Alumni are not allowed.

CAS Service AuthZ

Service AuthZ can be provided in several different ways, and these can typically be combined in the service registration to achieve the desired result.

  • LDAP Affiliations

  • CalGroups Access Group

  • CalGroups Official Groups: Add the CalGroups Official group to the service definition.

  • CalGroups Allow/Deny Groups 

Application AuthZ

If the application owner has opted out of CAS-provided authorization (Default AuthZ and CAS Service AuthZ), then authorization rules are enforced only at the application level.

The application may decide to mix CAS Service AuthZ and Application AuthZ as well.
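The following is an added illustration of the layered model described in the Default AuthZ, CAS Service AuthZ, and Application AuthZ sections above; it is example code, not CalNet's CAS configuration or any application's code. It parses a constructed CAS 3.0 serviceValidate response and evaluates a service policy in the order a defender would want: deny groups first, then any configured Service AuthZ rule (affiliation, access group, allow group), then the Default AuthZ group when no Service AuthZ rule is configured, and finally delegation to the application when the owner has opted out. The attribute names ("affiliation", "memberOf"), the group names, the affiliation values, and the precedence of combined rules are assumptions made for this example, not values documented on this page.

```python
"""Layered CAS authorization check: Default AuthZ, Service AuthZ, Application AuthZ.

Added example only. Attribute names, group names, affiliation values and the
precedence of combined rules are assumptions, not CalNet's configuration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed CAS 3.0 /serviceValidate response, as an application would receive it.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>1234567</cas:user>
    <cas:attributes>
      <cas:affiliation>EMPLOYEE-TYPE-STAFF</cas:affiliation>
      <cas:memberOf>cn=default-authz-group</cas:memberOf>
      <cas:memberOf>cn=app-team-members</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure response (bad or replayed ticket).
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_cas_response(xml_text):
    """Return (uid, attributes) for a successful validation, or (None, {}) on failure.

    Multi-valued attributes (e.g. memberOf) are collected into sets."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None, {}
    uid = success.findtext("cas:user", namespaces=CAS_NS)
    attrs = {}
    attr_node = success.find("cas:attributes", CAS_NS)
    if attr_node is not None:
        for child in attr_node:
            name = child.tag.rsplit("}", 1)[-1]  # strip the XML namespace
            attrs.setdefault(name, set()).add((child.text or "").strip())
    return uid, attrs


@dataclass
class ServicePolicy:
    """What a CAS service definition would carry for this application (assumed shape)."""
    default_authz: bool = True                      # False means the owner opted out
    default_group: str = "cn=default-authz-group"   # assumed name of the Default AuthZ group
    affiliations: set = field(default_factory=set)  # LDAP affiliations
    access_groups: set = field(default_factory=set) # CalGroups access / official groups
    allow_groups: set = field(default_factory=set)  # CalGroups allow groups
    deny_groups: set = field(default_factory=set)   # CalGroups deny groups


def cas_authorize(policy, attrs):
    """CAS-side decision. Returns (allowed, reason).

    Assumed precedence: a deny group always wins; if any Service AuthZ rule is
    configured, the principal must match one of them; otherwise Default AuthZ
    (group membership) applies unless the owner opted out."""
    groups = attrs.get("memberOf", set())
    affils = attrs.get("affiliation", set())
    if groups & policy.deny_groups:
        return False, "deny group"
    if policy.affiliations or policy.access_groups or policy.allow_groups:
        if affils & policy.affiliations:
            return True, "affiliation"
        if groups & policy.access_groups:
            return True, "access group"
        if groups & policy.allow_groups:
            return True, "allow group"
        return False, "no service rule matched"
    if policy.default_authz:
        return policy.default_group in groups, "default authz"
    return True, "delegated to application"


# Constructed application-level role table (Application AuthZ).
APP_ROLES = {"1234567": "editor"}


def app_authorize(uid, roles=APP_ROLES):
    """Application AuthZ: the app's own rule, here a simple uid-to-role lookup."""
    return roles.get(uid)


def decide(xml_text, policy):
    """Full chain: validate response, apply CAS policy, then the application's own rule."""
    uid, attrs = parse_cas_response(xml_text)
    if uid is None:
        return False, "authentication failed"
    allowed, reason = cas_authorize(policy, attrs)
    if not allowed:
        return False, reason
    role = app_authorize(uid)
    if role is None:
        return False, "no application role"
    return True, f"{reason}; role={role}"


if __name__ == "__main__":
    print(decide(SAMPLE_RESPONSE, ServicePolicy()))
    print(decide(SAMPLE_RESPONSE, ServicePolicy(deny_groups={"cn=app-team-members"})))
```

The deny-first ordering is the safe default when allow and deny groups are combined, and the explicit "no service rule matched" outcome means a mis-typed group name fails closed rather than silently falling through to a broader rule.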