
SSO via CAS (Central Authentication Service)

What is SSO via CAS (Central Authentication Service) and how does it work at Beetween?

What is SSO via CAS?


SSO via CAS is a feature that authenticates a user to a CAS (Central Authentication Service) server via the OAuth (Open Authorization) authorization delegation protocol.

How does SSO via CAS work?


SSO via CAS establishes a correspondence between CAS users and Beetween users. To identify the user in its own system, Beetween reconstructs the user's login from their CAS identifier and the domain name of their structure (@domain-structure.xxx).

For example, for a structure whose domain name is “domain.com”, if a user's CAS ID is “jmartin”, Beetween will search its system for an account with the login “jmartin@domain.com”.

You therefore need to provide us with a mapping between your users' e-mail addresses and their CAS IDs, as illustrated below:

User / E-mail address / CAS ID
Jean Martin / jmartin@domain.com / 123ui9
Pierre Bernard / pbernard@domain.com / 1a093ui9


Ideally, you should provide us with a test account so that we can check that the authentication process is working properly. We'll also need your clientId and the URL of your CAS server (“cas.univ.xx;xxxx” for example) to configure your SSO. We'll come back to this below.

What about your side?


You need to configure your server to allow Beetween to query your user base. As mentioned above, communication between Beetween and your CAS server takes place via the OAuth protocol. Beetween can send you the IP addresses of the servers you wish to authorize, if required.

Below is an example of the configuration that has been implemented. The model may vary depending on the CAS server version (see Client Registration - OAuth Authentication).

{
  "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "clientId": "xxxxx",
  "serviceId" : "https://[a-zA-Z0-9]+\\.beetween\\.com/.*",
  "name" : "OAuthService",
  "id" : xxx,
  "attributeReleasePolicy" :
  {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "authorizedToReleaseCredentialPassword": "false",
    "authorizedToReleaseProxyGrantingTicket": "false",
    "excludeDefaultAttributes": "true",
    "authorizedToReleaseAuthenticationAttributes": "false",
    "allowedAttributes": ["java.util.ArrayList",
      [
        "mail",
        "displayName"
      ]
    ]
  }
}
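
The "serviceId" in this registration is a regular expression that decides which URLs the CAS server accepts for the client, so it is worth testing before deployment. The following is an added example, not Beetween's or Apereo's code: it runs two constructed patterns against constructed URLs with Python's re module (equivalent to Java regex for these constructs), and checks both unanchored search and full match, since the page does not say which one a given CAS version applies.

```python
import re

# Constructed pattern with one unescaped dot and no anchors (the failure mode).
LOOSE = r"https://[a-zA-Z0-9]+\.beetween.com/.*"
# Every dot escaped and both ends anchored.
STRICT = r"^https://[a-zA-Z0-9]+\.beetween\.com/.*$"

# Constructed sample URLs mapped to whether the registration should accept them.
SAMPLES = {
    # intended tenant URL
    "https://acme.beetween.com/sso/callback": True,
    # host continues past ".com" into another domain
    "https://acme.beetween.com.example.net/sso/callback": False,
    # an unescaped "." accepts any character here
    "https://acme.beetweenxcom/sso/callback": False,
    # the pattern only appears inside the query string of another host
    "https://idp.example.net/?r=https://acme.beetween.com/": False,
    # plain HTTP
    "http://acme.beetween.com/sso/callback": False,
}


def audit(pattern, samples=SAMPLES, full=False):
    """Return the sample URLs whose accept/reject result differs from the expectation.

    full=False applies the pattern as an unanchored search (most permissive);
    full=True requires the pattern to cover the whole URL.
    """
    rx = re.compile(pattern)
    apply = rx.fullmatch if full else rx.search
    return sorted(url for url, expected in samples.items()
                  if bool(apply(url)) != expected)


if __name__ == "__main__":
    for name, pattern in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        for full in (False, True):
            mode = "full match" if full else "search"
            print(f"{name:6} {mode:10} mismatches: {audit(pattern, full=full)}")
```

An empty mismatch list in both modes means the pattern accepts only the intended URLs regardless of how the server applies it.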


Once you've configured your CAS server, you need to send us your clientId and the URL of your CAS server so that we can complete the configuration on our side.

What next?


Once your SSO connector has been set up, Beetween will provide you with a connection URL enabling you to use it. Here's how CAS SSO works once you've set it up:

  1. Go to the Beetween login page using the URL provided;

  2. Click on “Connect with [Name of your structure]”, and a pop-up window will open, allowing you to identify yourself with your CAS credentials;

  3. Log in to your CAS;

  4. The token is then retrieved;

  5. Login is also possible, thanks to the token (the Microsoft Graph API is used);

  6. You are authenticated with the login and connected to Beetween.

💡 If you enter the wrong credentials, the pop-up closes and an error message appears on the Beetween login page.

🚀 To go further…


The authentication process currently uses the implicit flow, which will evolve in the future.