Setting up CAS authentication

CAS (Central Authentication Service) is a web-based single sign-on protocol and a corresponding open source software application, through which a user can log in once using a single ID and password and gain access to multiple applications during the same session. Portfolio administrators can use CAS authentication to control access to personalized or patron-only features in Portfolio, including the My Account page and Place Hold action. For example, if Portfolio shares a CAS server with a university portal, when a student logs in to the portal, the student can also access the My Account page in Portfolio during the same session, without needing to re-enter a username and password.

When using CAS authentication, the Portfolio login dialog box is not displayed. Instead, after the patron clicks Log In, the web browser redirects the patron to the CAS server login page, or to the SAML or OpenID Connect identity provider to which the CAS server has delegated authentication. After the patron logs in to the CAS server or the delegate identity provider (or if the patron has already logged in earlier), the browser redirects the patron back to Portfolio, where the patron is now logged in.

Portfolio supports Single Logout (SLO) when using CAS authentication, subject to the CAS service registry configuration. Consequently, clicking Log Out in Portfolio also ends your CAS session. Additionally, ending your CAS session by another means also automatically ends your Portfolio session. For more information, see Setting up CAS Single Logout.

If turned on, CAS authentication in Portfolio is available to patrons, but does not work with administrator accounts when logging in to the Admin console. For profiles that have been set up to require authentication (see Fields: Add/Edit/Copy Profile), if the patron isn't logged in to the CAS server, authentication will be required before viewing any page under that profile. Otherwise, authentication is only a prerequisite for accessing My Account functions.

To turn on CAS authentication in Portfolio, you will need to do the following:

Before you can connect Portfolio to a CAS server, SirsiDynix will need to enable CAS authentication in SirsiDynix Horizon or SirsiDynix Symphony. Additionally, you will need to add the CAS username to each patron's borrower or user record in Horizon or Symphony respectively. For more information, contact SirsiDynix Customer Support.

To add a CAS authentication server to Portfolio

  1. Log in to the Admin console.

  2. Click Security from the navigation pane.

  3. Click Authentication Servers.

  4. Click Add CAS Server.

  5. Complete the fields, as necessary. For more information, see Fields: Add/Edit CAS Authentication Server.

    Important: Make sure that you have selected a Web Services definition. Portfolio cannot authenticate CAS logins without a Web Services definition selected.

  6. When you have finished, click OK.

To set up CAS authentication in a profile

  1. Click Profiles from the navigation pane.

  2. Click Edit alongside the profile that you want to use CAS authentication.

  3. Under Security Options, select the CAS authentication server from the drop-down list at the bottom of this section.

    Note: If you do not see a drop-down list, click Add Authentication Server and one will appear directly below.

    Individual profiles that use CAS authentication can use multiple authentication servers, but only when all are CAS. Mixing CAS and non-CAS authentication servers in a single profile generates errors.

    Portfolio administrators wanting to use Horizon or Symphony logins alongside CAS authentication—for example, as a fallback option, or for external library members—should use a different Portfolio profile for this purpose.

  4. Click OK to save changes.

To add a CAS server definition to Web Services

  1. Log in to your Web Services Admin console.

  2. Click Single Sign On Setup.

  3. Click Add URL, then fill out the fields shown. For more information, see the corresponding topic in the Web Services Admin Online Help.

    Important: The URL that you enter here must match the CAS Server URL field value in Portfolio.

  4. Click Save, then contact SirsiDynix Customer Support to restart your Web Services application.
