
    CAS-Based Single Sign-On/Sign-Off

    To configure a CAS integration profile, you must have the following role:
    • General System Administrator
    Alma supports CAS single sign-on, including ECAS, using an integration profile. This enables a user to sign in or out of an external system and be automatically signed in or out of Alma, or vice versa. After signing in to Alma, you are redirected to your CAS page to sign in. When sign-in is successful, you are automatically directed back to Alma.

    Following Alma profile activation and third-party configuration, your institution’s support staff changes the Alma login shortcut to the following URL (see Your Alma Domain Names): https://<Alma domain>/CAS.

    If your institution requires the ability to authenticate with multiple CAS IdPs, create a CAS integration profile for each IdP. The Alma URL for a profile is https://<Alma domain>/CAS/[profile code]. Alma uses the profile that is identified by the profile code. Using the URL without the profile code uses the CAS profile marked as the default.

    For a detailed overview of CAS-based single sign-on, see the Developer Network.

    If your production server and the sandbox use the same CAS service, Ex Libris recommends that you use the same authentication profile in both environments. In this case, no additional configuration of CAS is required on the sandbox after a sandbox refresh. If your production server and the sandbox use different CAS services, see Recommended Configuration to Account for Sandbox Refresh for more information.
    To add a CAS integration profile:
    1. On the Integration Profiles page (Configuration Menu > General > External Systems > Integration Profiles), select Add Integration Profile. The first page of the integration profile wizard appears.


      Integration Profile General Information Tab
    2. Enter profile information, specifying CAS as the Integration Type. Select Next. The Actions page of the integration profile appears.
      Integration Profile Actions Tab
    3. If you have multiple CAS profiles, you can select Default CAS profile for only one. This is the profile that will be used when the URL does not specify an idpCode. Enter the CAS Provider Host URL provided to you by your CAS provider. For questions on URLs, consult your institution’s support staff.
    4. Add the URL, as described above. The URL typically ends with /cas.
    5. If you are using ECAS and require additional parameters, enter them as a string. For example, assuranceLevel=LOW&ticketTypes=SERVICE. Parameters are:
      • assuranceLevel: TOP (default), HIGH, MEDIUM, LOW
      • ticketTypes: SERVICE, PROXY, DESKTOP (SERVICE,PROXY is the default)
      • proxyGrantingProtocol: PGT_URL, CLIENT_CERT, DESKTOP (no default)
    6. In the Logout Parameters field, enter your preferred logout URL.
      If the Logout Parameters field is empty, the logout URL defaults to: /logout?service=
    7. When you are done, select Save.
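
    A way to check an ECAS additional-parameters string against the values listed in step 5 before entering it in the profile. This is an added example, not Ex Libris code. The function name check_ecas_params is hypothetical, and treating parameter names and values as case-sensitive is an assumption.

```python
from urllib.parse import parse_qsl

# Allowed values and defaults exactly as listed in step 5 of this page.
ECAS_PARAMS = {
    "assuranceLevel": ({"TOP", "HIGH", "MEDIUM", "LOW"}, "TOP"),
    "ticketTypes": ({"SERVICE", "PROXY", "DESKTOP"}, "SERVICE,PROXY"),
    "proxyGrantingProtocol": ({"PGT_URL", "CLIENT_CERT", "DESKTOP"}, None),
}
# ticketTypes takes a comma-separated list (the documented default is SERVICE,PROXY).
MULTI_VALUED = {"ticketTypes"}


def check_ecas_params(param_string):
    """Return (effective_settings, problems) for an ECAS parameter string.

    Hypothetical helper: names and values are compared case-sensitively,
    which is an assumption, not documented behaviour.
    """
    problems = []
    accepted = {}
    for key, value in parse_qsl(param_string, keep_blank_values=True):
        if key not in ECAS_PARAMS:
            problems.append(f"unknown parameter: {key}")
            continue
        if key in accepted:
            problems.append(f"duplicate parameter: {key}")
            continue
        allowed, _default = ECAS_PARAMS[key]
        values = value.split(",") if key in MULTI_VALUED else [value]
        bad = [v for v in values if v not in allowed]
        if bad:
            problems.append(f"{key}: invalid value(s) {bad}; allowed {sorted(allowed)}")
            continue
        accepted[key] = value
    # Anything not set explicitly falls back to the documented default.
    effective = {k: accepted.get(k, d) for k, (_a, d) in ECAS_PARAMS.items()}
    return effective, problems


if __name__ == "__main__":
    # Constructed inputs: the page's own example, then a string with three mistakes.
    for s in ("assuranceLevel=LOW&ticketTypes=SERVICE",
              "assuranceLevel=low&ticketTypes=SERVICE,TGT&renew=true"):
        settings, issues = check_ecas_params(s)
        print(s, "->", settings, issues or "OK")
```

    The returned settings show the assurance level and ticket types in effect once defaults are applied, which is the part worth reviewing before saving the profile.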