All About CAS

March 7, 2016

On Friday, February 19, guests representing a plethora of UC Berkeley web applications came together in University Hall to experience the fun-filled extravaganza that was CalNet’s “CAS-a-Nova.” Following opening words from Paul Rivers, Chief Information Security Officer, and an informative presentation by Jeremy Rosenberg, Manager of the CalNet Identity and Access team, attendees had the opportunity to get to know the faces of CalNet as well as begin the process to set up custom CAS Authorization.

For those who are not familiar, CAS stands for “Central Authentication System” and it’s one of the key components of the CalNet system. The upgrade to CAS 4.1 brings many new functionalities, but most significant is the opportunity for CAS-enabled applications to authorize (AuthZ) as well as authenticate (AuthN) users.

What is authorization?

You’re probably familiar with the CalNet login screen. You see it when you attempt to log in to any campus web application that uses CAS. Prior to this upgrade, as Jeremy put it in his presentation, CAS acted like a bouncer. It checked your ID (in this case, your CalNet ID and passphrase) and if you were who you said you were, you were allowed in.

CAS 4.1 now allows for authorization (AuthZ) too -- that “bouncer” will check not only your ID, but also whether you’re on the guest list. Using CAS AuthZ, web applications can allow or restrict access to users, based on campus affiliations. Using CalGroups, access can be designated to affiliations such as students, employees, or guests, making each web application as open or closed as it needs to be. CAS AuthZ has the potential to greatly improve security on campus as administrators can more easily limit access to their web application.

In addition to the exciting new capability to authorize groups, 4.1 comes with other benefits. Among them, according to Jeremy, are better management tools and the ability to offload authentication to external CAS servers which results in “a much smoother onboarding process for new admits, as they are able to get a set of credentials before accepting their offer of admission.” The upgrade also “allows us to better keep up with the CAS community, who are constantly developing new software and tools that require our system to be up-to-date.”

What’s next?

Noting that 4.1 was a “truly significant upgrade to the CAS software,” Jeremy also pointed out the importance of maintaining “the best software to set us up for whatever the future has in store.” But what exactly does the future have in store?

According to Paul Rivers, Cal’s future holds another big change to the way we think about logging in: multi-factor authentication. Multi-factor authentication increases security by requiring a secondary source (think cell phone or hardware such as a YubiKey) in the verification process. It’s a need that he says has been recognized “for a number of years, and has only continued to grow. Out of all possible security measures, the acquisition of multi-factor authorization is among the top three things prioritized for Information Security here at Berkeley.”

If you missed out on all the fun that was “CAS-a-Nova” but would like some more information on how to integrate the new functionalities, you can watch Jeremy’s presentation online at: https://youtu.be/jnKMIouBSWw

Marc Breault

CalNet Assistant