Managing CAS Service Urls

Table of Contents

Overview 

Step 1 - Console Login and Navigation to Identity Providers

Step 2 - Navigation to CAS Services

Step 3 - Save a copy of your existing CAS Service URLs

Step 4 - Add, update, remove CAS Service URLs

Step 5 - Update needed configuration in Entra ID or Okta

Step 6 - Test your URLs (optional)

Step 7 - Test login for each service provider

Common Issues

 

Overview

The CAS Services page allows customers to manage their own allowed CAS service urls. Service url patterns may be entered directly as a url or as a regular expression. Regular expressions are preferred for organizations with many CAS service urls because they allow you to map many service urls to a single pattern. 

Additionally, the conditional access features allow you to customize the login requirements and attribute release settings for different service providers. The mechanism Cirrus uses for this is a suffix added to the CAS Bridge entity id, which informs the bridge of which application in Entra ID or Okta to redirect to. The configuration to do this involves mapping specific CAS service url patterns to suffixes which are appended to the default entity id for the CAS Bridge. 

Please use caution when modifying these patterns. Mistakes when editing or reordering service URL patterns are immediately applied to your Bridge and can be disruptive. We recommend that you save a copy of your CAS service urls before making any changes.

 

Step 1 - Console Login and Navigation to Identity Providers

Login to the Cirrus Console by clicking the “Cirrus Console” button from the Cirrus Identity website top navigation bar. Once logged in, select your organization from the list under “My Organizations”.

 

Select “Identity Providers” from the left navigation bar, and then your identity provider from the list of Bridges on the right. 

 

Step 2 - Navigation to CAS Services

Currently, there are two pathways to reach the CAS services screen depending on when your CAS Bridge was provisioned. 

 

Classic Navigation

If your CAS bridge was provisioned before August 2024, please click on “CAS Services” in the left navigation bar to reach the CAS Services screen.

 

Updated Navigation 

If your CAS bridge was provisioned after August 2024, you will come to a screen that first provides the summary of your CAS Bridge.

 

Scroll down to the bottom of the page until you reach the “CAS Config” section. Then select the “Manage CAS ServiceURLs” link. 

 

Step 3 - Save a copy of your existing CAS Service URLs

If you have existing CAS service urls, we recommend that you export a copy of the configuration before making any changes. Any mistakes when editing or reordering service URL patterns are immediately applied to your Bridge and can be disruptive.

 

Step 4 - Add, update, remove CAS Service URLs

Use the CAS Services screen to add, remove, and update CAS urls. Each login profile and set of attributes will have its own suffix. There is no suffix for the default.

 

Step 5 - Update needed configuration in Entra ID or Okta

Ensure that you have created an application in Entra ID or Okta for each suffix you entered in the CAS Service URLs screen. This is how the CAS Bridge knows which enterprise application to send the user to in order get the correct settings and attributes. An example of the mapping is shown below.

CAS Service URL Pattern 

(Regular Expression)

Suffix

Entra ID/Okta Application

Entity ID for Entra ID/Okta App

https?://apps\.campus\.edu/.*

(none)

Cirrus CAS Bridge - Default

https://auth.campus.edu/cas-bridge

https?://localhost(:.+)?.*

(none)

Cirrus CAS Bridge - Default

https://auth.campus.edu/cas-bridge

https?://campus\.eab\.com/.*

/banner

Cirrus CAS Bridge - Banner

https://auth.campus.edu/cas-bridge/banner

https?://(banner|orientation)(-test)?\.campus\.edu/.*

/banner

Cirrus CAS Bridge - Banner

https://auth.campus.edu/cas-bridge/banner

https?://payment\.campus\.edu/.*

/payment

Cirrus CAS Bridge - Payment

https://auth.campus.edu/cas-bridge/payment

 

Step 6 - Test your URLs (optional)

Cirrus provides a debug endpoint that you can use to verify that your CAS service urls are accepted and that the correct attributes are released. You can test each of your service urls with this process.

Start with the base url for your Bridge and add the serviceURL and debugMode parameters, i.e. https://campus-cas-bridge.proxy.cirrusidentity.com/cas/login?service=<<serviceURL>>&debugMode=true

Then go to a tool like https://www.urlencoder.org/ to encode the service url and replace <<serviceURL>> with the encoded url. For example, if the service url is https://apps.campus.edu, then your test url will be:

https://campus-cas-bridge.proxy.cirrusidentity.com/cas/login?service=https%3A%2F%2Fapps.campus.edu&debugMode=true 

Go to the url to validate that you are redirected to your Entra ID or Okta login screen and then the debug screen. On the debug screen, verify that the attributes are correct for the profile configured for the suffix for the Bridge you are testing.

 

Step 7 - Test login for each service provider

Once your CAS service urls have been configured in the Cirrus console, you can now configure and test your service providers using the CAS urls provided by your Cirrus Technical Implementation Lead.

 

Common Issues

There are some common issues that often come up with CAS Service URLs. These are the ones we know about so please review the list if you have a problem.  If you run into any issues not on this list, you can reach us at our support email.

 

© Copyright Cirrus Identity, Inc.

Blog comments