What the new CAS Service Registry means to you
The campus is increasing its security profile by registering any site that needs CAS to log in using the CAS Service Registry. This will add a site to an approved, official whitelist, require a site to use https://, and improve overall security performance by including only sites that truly need CAS. That's great news. Let's go over what this means to you as a SiteFarm user.
You've heard of CAS, but what is it? Really?
First, to clarify, CAS stands for Central Authentication Service. This is what allows campus users to log in to multiple accounts and applications created by UC Davis and UCOP using our Kerberos ID and password. It's a great system because it gives us a 'Single Sign-On' (SSO) process; if you've logged in once today, chances are you won't have to log in again unless your session times out.
How does this affect your site in development?
Initially, it doesn't affect your site at all. The reason is that the SiteFarm team has already configured our domain space *.ucdsitefarm.acsitefactory.com or *.sf.ucdavis.edu to allow any site created in our service to automatically be covered by this security protocol. If you decide to use your site as an intranet and never launch it with a live URL, then this new protocol will never affect your site.
The only point at which this requires your attention is just prior to going live with your site.
When to add your site to the CAS Service Registry
The Security team has informed us that adding a new service to the Registry has about one business day turnaround time. How does this factor into your planning? Consider the following:
1. If you request a site review: 1-2 business days for a response from SiteFarm
2. Adding your site to the CAS Service Registry and assigning contact claims, and receiving confirmation: 1 full business day
3. Submitting your domain association request to the SiteFarm team: less than 4 hours
4. Submitting your CNAME assignment to the campus host clerk to make your site live: less than 4 hours
This means you should likely plan for a 3-4 business day process for launching your site. This process can occur faster as steps 2 and 3 can happen concurrently.
What about sites that are already live?
If you've already launched your site, it's likely already on the list. However, we ask that you search for your listing, because you will still need to add information to the site entry's Description and have the appropriate users submit a claim to it in order to be listed as contacts.
The Security team has written up a detailed walkthrough in the Knowledge Base describing the steps for working with the CAS Service Registry.
Updating or Adding a Site to the Registry
If you need to add a new site or update an existing one, we want to share with you the information you'll need to provide when you create your entry using the instructions in the KB article. Fig. 1 is a screenshot of the entry used for SiteFarm's live site:
Service URL: https://<yoursitename>.ucdavis.edu/.*
Service Name: <yoursitename.ucdavis.edu>
Description:
SiteFarm site (this identifies it as part of our service platform)
<department/organization>
<List a couple of your primary contacts>
Claiming a Site from the Registry
Becoming a primary contact for a website in the CAS Service Registry is very straightforward, but perhaps the more important consideration is who should be listed as a contact. If the answer isn't clear for your department, consider using your site role as a guide; list people who have a Site Manager role in your site as a contact.
Larger organizations may have a dedicated IT support group. These groups will likely want to take ownership of the Claim option so that they are available if a security concern arises that they are best suited to handle.
SSO or Duo?
The Advanced tab setting allows you to specify if your users should log in with just their Kerberos ID and password or if the Multi-factor Authentication application Duo should also be used to require another layer of security. Keep in mind that this login process is for the people working on your site content. Unless you see a need for two-step authentication, you can use the default SSO protocol.
Managing Stale Registry Information
The Security team understands that circumstances change, which is why every year all listed site contacts will be asked to verify their information for accuracy and validity via an automated message. Individuals who fail to verify during the timeframe allotted will be removed.