You've heard of CAS, but what is it? Really?
First, to clarify, CAS stands for Central Authentication Service. This is what allows campus users to log in to multiple accounts and applications created by UC Davis and UCOP using our Kerberos ID and password. It's a great system because it gives us a 'Single Sign-On' (SSO) process; if you've logged in once today, chances are you won't have to log in again unless your session times out.
How does this affect your site in development?
Initially, it doesn't affect your site at all. The reason is that the SiteFarm team has already configured our domain space *.ucdsitefarm.acsitefactory.com or *.sf.ucdavis.edu to allow any site created in our service to automatically be covered by this security protocol. If you decide to use your site as an intranet and never launch it with a live URL, then this new protocol will never affect your site.
The only point at which this requires your attention is just prior to going live with your site.
When to add your site to the CAS Service Registry
The Security team has informed us that adding a new service to the Registry has a turnaround time of about one business day. How does this factor into your planning? Consider the following:
1. If you request a site review: 1-2 business days for a response from SiteFarm
2. Adding your site to the CAS Service Registry and assigning contact claims, and receiving confirmation: 1 full business day
3. Submitting your domain association request to the SiteFarm team: less than 4 hours
4. Submitting your CNAME assignment to the campus host clerk to make your site live: less than 4 hours
This means you should likely plan for a 3-4 business day process for launching your site. This process can go faster, as steps 2 and 3 can happen concurrently.
Additional notes
- You do NOT need to register your *.ucdsitefarm.acsitefactory.com or *.sf.ucdavis.edu URL, only your live domain. Example: https://sitefarm.ucdavis.edu.
- If you do not add your live site URL, you and your users will NOT be able to log in to make changes, though it will still be visible to the public.
- You are allowed to register more than one domain if needed. Example: sitename.ucdavis.edu AND www.sitename.ucdavis.edu.
Adding a Site to the Registry
The Security team has written up a detailed walkthrough in the Knowledge Base describing the steps for working with the CAS Service Registry. For your convenience, this is the link to the CAS Service Registry site.
What information to provide in your Registry entry for a SiteFarm site
If you need to add a new site or update an existing one, we want to share with you the information you'll need to provide when you create your entry using the instructions in the KB article. Fig. 1 is a screenshot of the entry used for SiteFarm's live site and is only an example. See the Fig. 1 description for the format specifically for your site.
Example entry:
Fig. 1
- Service URL: https://<yoursitename>.ucdavis.edu/.*
  - Important: be sure to include the /.* at the end of the domain
- Service Name: <yoursitename.ucdavis.edu>
- Description:
  - SiteFarm site (this identifies it as part of our service platform)
  - <your department/organization>
  - <List a couple of your primary contacts>
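The following is an added example, not part of the SiteFarm or Security team documentation: a pre-launch check that the Service URL entries you plan to register cover every URL your editors will log in from. It assumes the Registry treats the Service URL as a regular expression that must match the whole URL; the function names, hostnames and sample paths are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs an editor might log in from on the live site.
SAMPLE_URLS = [
    "https://sitename.ucdavis.edu/",
    "https://sitename.ucdavis.edu/some/page?edit=1",
    "https://www.sitename.ucdavis.edu/some/page",
]

def service_pattern(host, with_suffix=True):
    """Build a Service URL entry in the page's format: https://<host>/.*"""
    return f"https://{host}" + ("/.*" if with_suffix else "")

def uncovered(urls, patterns):
    """Return the URLs that no Service URL entry matches in full.

    Assumption: the Registry requires a whole-URL regex match.
    """
    compiled = [re.compile(p) for p in patterns]
    return [u for u in urls if not any(c.fullmatch(u) for c in compiled)]

def missing_hosts(urls, patterns):
    """Hostnames that still need their own Registry entry."""
    return sorted({urlsplit(u).hostname for u in uncovered(urls, patterns)})

if __name__ == "__main__":
    cases = {
        "bare domain, no /.*": [
            service_pattern("sitename.ucdavis.edu", with_suffix=False)],
        "live domain only": [service_pattern("sitename.ucdavis.edu")],
        "live domain and www": [
            service_pattern("sitename.ucdavis.edu"),
            service_pattern("www.sitename.ucdavis.edu")],
    }
    for label, patterns in cases.items():
        gaps = uncovered(SAMPLE_URLS, patterns)
        print(f"{label}: {len(gaps)} uncovered URL(s)")
        for url in gaps:
            print(f"  not covered: {url}")
```

Without the trailing /.* the entry matches none of the sample URLs, and the www hostname stays uncovered until it has its own entry.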
Set the Contacts
Becoming a primary contact for a website in the CAS Service Registry is very straightforward, but perhaps the more important consideration is who should be listed as a contact. If the answer isn't clear for your department, consider using your site role as a guide; list people who have a Site Manager role in your site as a contact.
Larger organizations may have a dedicated IT support system, and these groups will likely want to take ownership of the Contacts option so that they are available in case a security concern arises that they would be best suited to handle.
Example of the contact list for SiteFarm. Note the Phone entry does not allow hyphens.
SSO or Duo?
The Advanced tab setting allows you to specify whether your users should log in with just their Kerberos ID and password, or whether the Multi-factor Authentication application Duo should also be used to require another layer of security. Keep in mind that this login process is for the people working on your site content. Unless you see a need for two-step authentication, you can use the default SSO protocol.
Managing Stale Registry Information
The Security team understands that circumstances change, which is why every year all listed site contacts will be asked to verify their information for accuracy and validity via an automated message. Individuals who fail to verify during the timeframe allotted will be removed.
Need more help?
Please submit all support requests and issues pertaining to the CAS Service Registry to ithelp@ucdavis.edu for assistance.