This document explains how to integrate your organization's Central Authentication Service (CAS) server as an SSO system for logging users into the YuJa Enterprise Video Platform. Once configured properly, a user trying to access the Video Platform will first be redirected to the CAS server and prompted for credentials. Once authenticated, they will be redirected back to the Video Platform, where they will be verified and logged in.
Configuration involves authorizing the Video Platform to use the CAS server. Once it is authorized as a service, integrating with the Video Platform consists of providing the necessary configuration parameters and testing. The next step is activating the new SSO so that users from your institution can log in via CAS authentication.
For some steps, <organization> is to be replaced by the wildcard DNS of the institution associated with the Video Platform. As an example, for “https://hudson.yuja.com”, <organization> would be replaced by “hudson”.
Authorizing the Video Platform as a Service in the CAS Server
- Go to the Services Management Console (https://<CAS domain>/cas/services/) of the CAS server, log in and click Add New Service.
- In the Name field, enter YuJa.
- In the Service URL field, enter 'https://<organization>.yuja.com/D/CasHandleTicket' without the quotation marks.
- In the Description field, enter a description.
- For Status, check Enabled, Allowed to Proxy and SSO participant. Do not check Anonymous Access.
- For Attributes, the following must be provided to the Video Platform. For each attribute, keep track of the label used. These labels will be needed when configuring the Video Platform side.
- Principal Name (i.e. username)
- Last Name
There are three roles that the Video Platform user can be: “Student”, “Instructor”, and “IT Manager”. If the possible values for the Role attribute differ from these 3 options, provide all possible Role values to the Video Platform and they will map the values to one of the three options.
The Video Platform Side CAS Configuration
- Navigate to your institution's Video Platform Zone and log in as an IT Manager.
- In the Main Menu located in the top right corner, go to the Admin Panel tab.
- In the left sidebar, go to Integrations.
- Under Select an API to configure, choose SSO – CAS.
- Enter the configuration parameters:
- CAS Server URL: https://<CAS domain>/cas
- For each attribute label, enter the corresponding values you kept track of when adding the Video Platform as a service in the section titled Authorizing the Video Platform as a Service in the CAS Server.
Once you have verified that the CAS SSO works, you can choose to activate the new authentication scheme for your institution. To do so, click Activate, then click OK in the confirmation dialog.
Only activate the new authentication scheme after you have successfully performed a test login and are ready to make it available to all users in your institution.
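One way to check a test login before activating is to confirm that the CAS validation response releases each attribute under the label you recorded and that every role value maps to one of the three platform roles. This is an added example, not YuJa code: it assumes the standard CAS protocol XML validation response, and the labels (sn, affiliation), the role mapping and the sample response are constructed.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
# Constructed values: attribute labels recorded on the CAS side, and a role mapping.
LABELS = {"last_name": "sn", "role": "affiliation"}
ROLE_MAP = {"student": "Student", "faculty": "Instructor", "it-staff": "IT Manager"}

# Constructed sample of a successful validation response from your own CAS server.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:sn>Doe</cas:sn>
      <cas:affiliation>faculty</cas:affiliation>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

def check_release(xml_text, labels=LABELS, role_map=ROLE_MAP):
    """Return (principal, attrs, problems) for one CAS validation response."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code") if failure is not None else "unknown"
        return None, {}, [f"validation failed: {code}"]
    principal = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    problems = [] if principal else ["principal name (cas:user) is empty"]
    attr_node = success.find("cas:attributes", CAS_NS)
    attrs = {}
    for field, label in labels.items():
        value = None
        if attr_node is not None:
            value = attr_node.findtext(f"cas:{label}", namespaces=CAS_NS)
        if not (value or "").strip():
            problems.append(f"attribute '{label}' ({field}) not released")
        else:
            attrs[field] = value.strip()
    role = attrs.get("role")
    if role is not None:
        if role in role_map:
            attrs["role"] = role_map[role]      # normalise to a platform role
        elif role not in role_map.values():
            problems.append(f"role value '{role}' has no mapping")
    return principal, attrs, problems
```

An empty problems list for a representative student, instructor and IT manager account is a reasonable bar before clicking Activate.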
Dual Integration with LTI
If your institution has enabled both LMS Integration via LTI and SSO access, then you have the choice to link the two integrations. We generally recommend this because it means that, irrespective of whether your users log in via their LMS or their SSO, they will be presented with the same Video Platform account information.
In contrast, if Dual Integration with LTI is not set up, a user who uses both their LMS and SSO with the Video Platform will be provisioned with two separate accounts, which in many cases isn't ideal. If your LTI provider within your LMS can be configured to provide the Video Platform with a unique identifier for the user in the CAS system, it is possible to link the two accounts.
- Configure your LMS to pass a custom LTI parameter to the Video Platform tool called lis_person_sourcedid which contains the cross-matching SSO value. This can be an email, employee ID, or other field. You may need to consult your LMS platform’s product documentation on how to set custom LTI parameters. The Video Platform will make use of this feature to link the two login methods to the same account.
- Obtain the attribute name whose value corresponds to the unique identifier used by the LTI provider.
- Enter this attribute name (for example, external) into the Linkage Attribute field. This is the same attribute that appears in the attribute-repository.json file located in C:\etc\cas on the CAS server. This textbox will only appear if your institution has enabled LTI access.
- Click Save Cross-Integration.
Now, when logging in for the first time via CAS, the Video Platform will search for a link with an LTI account using the value of the linkage attribute. If found, the CAS account will be linked to the existing account. Otherwise, a new account will be provisioned as normal. All logins past the first one will continue to link to the Video Platform account created or found on the first login.
Once configuration has been completed on both the CAS server side and the Video Platform side, and the CAS SSO has been activated, users of your institution will no longer be authenticated by the Video Platform. Rather, when they navigate to your institution's Video Platform Zone and go to log in, they will be redirected to the CAS server for authentication, then redirected back to the Video Platform once authenticated.
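The first-login linking described above can be modelled in a few lines to show why the linkage attribute and lis_person_sourcedid must carry the same value before users start logging in. This is an added toy model, not the Video Platform's code: the class, the user names and the identifiers are constructed, and treating an empty linkage value as "no match" is an assumption of the model.

```python
class VideoPlatformModel:
    """Toy model of the first-login linking described above (not vendor code)."""

    def __init__(self):
        self.by_sourcedid = {}   # lis_person_sourcedid -> account id (LTI launches)
        self.by_principal = {}   # CAS principal -> account id (kept after first login)
        self.next_id = 1

    def _provision(self):
        account_id = self.next_id
        self.next_id += 1
        return account_id

    def lti_launch(self, sourcedid):
        """LMS launch carrying the custom lis_person_sourcedid parameter."""
        if sourcedid not in self.by_sourcedid:
            self.by_sourcedid[sourcedid] = self._provision()
        return self.by_sourcedid[sourcedid]

    def cas_login(self, principal, attributes, linkage_attr):
        """Link on first CAS login if the linkage value matches, else provision."""
        if principal in self.by_principal:      # later logins reuse the first result
            return self.by_principal[principal]
        value = (attributes.get(linkage_attr) or "").strip()
        # Assumption of this model: an empty or missing value never matches.
        account_id = self.by_sourcedid.get(value) if value else None
        if account_id is None:
            account_id = self._provision()
        self.by_principal[principal] = account_id
        return account_id


def demo():
    """Constructed users: the LMS sends employee IDs as lis_person_sourcedid."""
    vp = VideoPlatformModel()
    alice_lti = vp.lti_launch("E1001")
    bob_lti = vp.lti_launch("E1002")
    # Alice: CAS releases the same employee ID under 'external', so one account.
    alice_cas = vp.cas_login("alice", {"external": "E1001"}, "external")
    # Bob: CAS releases an email instead, so no match and a second account.
    bob_cas = vp.cas_login("bob", {"external": "bob@example.edu"}, "external")
    # Correcting Bob's attribute later does not merge: the first login's result is kept.
    bob_again = vp.cas_login("bob", {"external": "E1002"}, "external")
    return alice_lti == alice_cas, bob_lti == bob_cas, bob_again == bob_cas
```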