UH Login
- mhodges
- Baron Fujimoto
- Julio Polo
Table of Contents
Overview
The UH Login utilizes the open-source Apereo Central Authentication Service (CAS) to provide enterprise single-signon services.
For security and anti-phishing purposes, and for compliance with UH Data Governance policies and procedures, the UH Login (CAS) requires that application developers register their production application URLs with ITS in order to interoperate with CAS, including client-based application URLs.
See also the attached CAS Quick Introduction, which includes diagrams depicting how CAS works. There is also this video of a CAS presentation we did in 2014.
CAS vs Shibboleth Integrations
Enterprise on-premise integrations:
Our CAS service is primarily used for integrating UH one-premise enterprise applications and applications developed by the UH application developer community to support UH academic and business processes.
Cloud service provider integrations:
Our Shibboleth Identity Provider service is primarily used for cloud service provider integrations and includes a tailored attribute release policy for each service that is not onboard with the InCommon federation. In some circumstances a Cloud service provider that requires no attributes other than UH Username and confirmation of a successful authentication may use CAS. In either case the UH office for Data Governance will need to approve.
More information is available here: <Shibboleth IdP Single Sign-On>.
CAS URL Registration Form
Please complete the Web App Registration Form so that we have the necessary information for your application. Please note that all requests are subject to the UH Data Governance Committee policies and procedures. Please note that you must be UH Faculty or Staff to make this request.
CAS URL registration requests are subject to UH Data Governance policies that prohibit utilization of governed resources such as this one for purposes not stated. For implementations not hosted in the UH Data Center, an approved Data Governance Process (DGR – formerly known as a Data Sharing Request, or DSR) will be required. Check <here> for details on how to obtain a Data Governance Process (DGR) approval.
Starting January 1, 2022 CAS URL registration requests require https. Support for new http requests are now discontinued.
TIP: 3rd Party Hosting
Question: I'm planning to submit a Data Governance Process request form because my application will use UH Login (CAS) but is being hosted by a 3rd-party provider cloud provider:
Answer: 3rd-party cloud providers should be directed to our Shibboleth service instead. Data Governance generally will not approve CAS integrations with 3rd-party cloud providers.
TIP: One Host, Many URLs
Question: If I wanted to use CAS with additional URLs that reside on the same domain, do I have to register each URL individually?
Answer: Generally, per Data Governance policy, each URL that serves a different purpose should have its own CAS registration request. E.g., if /distancelearning, /servicelearning, and /ekamakanihou are distinct services from each other, then each should be registered individually.
Firewall Access
To use our UH Login services (production environment), users and service providers should allow access to the following:
- idp.hawaii.edu
- authn.hawaii.edu
Developer Documentation
UH Login (CAS) application developer documentation