Central Authentication Service (CAS) Integration
This document is intended to guide users on how to integrate their organization’s Central Authentication Service (CAS) server as an SSO system to log users into the YuJa Enterprise Video Platform. Once configured properly, a user trying to access YuJa will first be redirected to the CAS server and prompted for credentials. Once authenticated, they will then be redirected back to YuJa where they will be verified and logged in.
Configuration involves authorizing the YuJa Enterprise Video Platform to use the CAS server. Once authorized as a service, integrating with YuJa includes providing the necessary configuration parameters and testing. The next step is activating the new SSO so that users from your institution can log in via CAS authentication.
NOTE: For some steps, <institution> is to be replaced by the wildcard DNS of the institution associated with YuJa. As an example, for “https://hudson.yuja.com”, <institution> would be replaced by “hudson”.
Authorizing YuJa as a Service in the CAS Server
- Go to the Services Management Console (https://<CAS domain>/cas/services/) of the CAS server, login and click “add new service”.
- In the Name field, enter “YuJa”.
- In the Service URL field, enter “https://<institution>.yuja.com/D/CasHandleTicket” without the quotation marks.
- In the Description field, enter a description.
- For Status, check “Enabled”, “Allowed to Proxy” and “SSO participant”. Do not check “Anonymous Access”.
- For Attributes, the following are required to be provided to YuJa:
- Principal Name (i.e. username)
- Last Name
- For each attribute, keep track of the label used. These will be needed when configuring things on the YuJa side.
- Click Save Changes.
NOTE: There are three roles that a YuJa user can be: “Student”, “Instructor”, and “IT Manager”. If the possible values for the Role attribute differ from these 3 options, provide all possible Role values to YuJa and they will map the values to one of the three options.
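To confirm which attribute labels the CAS server actually releases before entering them on the YuJa side, the check below parses a service-validation response and reports required labels that are missing and Role values that would need mapping. It is an added example, not YuJa's or the CAS project's code; it assumes a CAS 3.0 protocol XML response, and the labels `uid`, `sn` and `eduRole` and the sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS protocol XML namespace

# Constructed sample of a CAS 3.0 validation success response.
# The labels uid, sn and eduRole are hypothetical; substitute your own.
SAMPLE_RESPONSE = """\
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:uid>jdoe</cas:uid>
      <cas:sn>Doe</cas:sn>
      <cas:eduRole>faculty</cas:eduRole>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
"""

# The three roles named on this page.
YUJA_ROLES = {"Student", "Instructor", "IT Manager"}


def released_attributes(xml_text):
    """Return {label: [values]} from a success response; raise on failure."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code") if failure is not None else "UNKNOWN"
        raise ValueError(f"CAS validation failed: {code}")
    attrs = {}
    for el in success.findall("cas:attributes/*", CAS_NS):
        label = el.tag.split("}", 1)[-1]  # strip the XML namespace prefix
        attrs.setdefault(label, []).append((el.text or "").strip())
    return attrs


def check_release(xml_text, labels, role_label):
    """Return (required labels with no value, role values needing a mapping)."""
    attrs = released_attributes(xml_text)
    missing = [name for name in labels if not any(attrs.get(name, []))]
    unmapped = [v for v in attrs.get(role_label, []) if v not in YUJA_ROLES]
    return missing, unmapped
```

Any value returned in the second list is one to include in the set of Role values provided to YuJa for mapping.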
YuJa Platform Side CAS Configuration
- Navigate to your institution's YuJa domain (i.e. https://<institution>.yuja.com).
- Login as an IT Manager.
- In the Main Menu located in the top right corner, go to the Admin Panel tab.
- In the left sidebar, go to Integrations.
- Under Select an API to configure, choose SSO – CAS
- Enter the configuration parameters:
- For CAS Server URL, enter “https://<CAS domain>/cas” without the quotations.
- For each attribute label, enter the corresponding values you kept track of when adding YuJa as a service in the CAS Services Management Console.
- Click Create.
- Click OK in the confirmation dialog popup.
- If required, you can update the configuration settings if you made a mistake. Simply click Save to keep the changes.
- To test if the configuration is correct, click Test CAS Login. This should open a new tab and navigate to your CAS server, prompting a login.
- Enter valid login credentials and Login.
- You should be redirected back to YuJa, signed in as a new user.
- NOTE: logging in as a new user may log the original account out. If so, log out of the newly created account and log back in as an IT Manager. Then navigate back to Admin Panel → Integrations → SSO – CAS.
Once you have verified that the CAS SSO works, you can choose to activate the new authentication scheme for your institution. To do so, click Activate, then click OK in the confirmation dialog.
IMPORTANT: Only activate the new authentication scheme after you have successfully performed a test login and are ready to make it available for all users in your institution.
Dual Integration with LTI
If your institution has enabled both LMS Integration via LTI and SSO access, then you have the choice to link the two integrations. We generally recommend this because it means that, irrespective of whether your users log in via their LMS or their SSO, they will be presented with the same YuJa account information. In contrast, if Dual Integration with LTI is not set up, a user who uses both their LMS and SSO with YuJa will be provisioned with two separate accounts, which in many cases isn’t ideal.
How It Works
If your LTI provider within your LMS can be configured to provide YuJa with a unique identifier for the user in the CAS system, it is possible to link the two accounts.
- Configure your LMS to pass a custom LTI parameter to the YuJa tool called lis_person_sourcedid which contains the cross-matching SSO value. This can be an email, employee ID, or other field. You may need to consult your LMS platform’s product documentation on how to set custom LTI parameters. YuJa will make use of this feature to link the two login methods to the same account.
- Obtain the attribute name whose value corresponds to the unique identifier used by the LTI provider.
- Enter this value into the Linkage Attribute field. Note: This textbox will only appear if your institution has enabled LTI access.
- Click Save.
- Now, when logging in for the first time via CAS, the YuJa system will search for a link with an LTI account using the value of the linkage attribute. If found, the SAML account will be linked to the existing account. Otherwise, a new account will be provisioned as normal. All logins past the first one will continue to link to the YuJa account created or found on the first login.
Once configuration has been completed on both the CAS server side and the YuJa side, and the CAS SSO has been activated, users of your institution will no longer be authenticated by YuJa. Rather, when they navigate to your institution’s YuJa domain (i.e. https://<institution>.yuja.com) and go to log in, they will be redirected to the CAS server for authentication, then redirected back to YuJa once authenticated.