Single Sign-On (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. In the context of Apply, SSO implementation allows clients to leverage their existing user authentication framework to permit and provision access to an Apply site. By the end of this document you will know how to set up such an integration using the CAS protocol.
This document was created to assist SurveyMonkey Apply clients, SurveyMonkey Apply Implementation Specialists, and SurveyMonkey Apply Support Staff in setting up a CAS SSO integration with Apply.
There are 4 key entities to the SSO integration:
The user is an applicant or reviewer who is trying to log in and access Apply.
The service provider is responsible for housing and validating a user’s sign-on credentials, as well as passing the approval notification to the authorized applications. It has a few main purposes:
The Application is the software or system, in this case Apply, establishing a trust relationship with a service provider and requesting user account provisioning from that service provider. It is also responsible for consuming information (attributes) that may be passed from the service provider.
The protocol is what facilitates the integration between the service provider and the Application. It defines the handshake (sequence of events/data passing) for the integration.
SSO works by creating an integration between a client's service provider and Apply via the CAS protocol. The handshake passes along key user information, including the UID. The key role of the service provider is to verify, for Apply, that the user's information is known and that correct account details have been provided.
With CAS integration, a direct connection is created between Apply and the service provider. When configuring the CAS integration with Apply, site administrators enter their CAS Service Provider URL into Apply. This URL is used to automatically redirect users to a CAS login server. Once the user inputs their credentials, an authentication token/ticket is provided back to Apply, approving the user's login to the Apply site. The ticket passed from the CAS login server contains some key user information, such as the Unique ID.
Once Apply has received the user’s information, it proceeds to create an account for that user, if one does not already exist inside of Apply. If a user account in Apply already exists, Apply will match the user signing in to the already existing account using the email address that has been passed along from the service provider.
SSO integration using the CAS protocol can only be initiated by Apply; it cannot be initiated from the IdP. Apply’s CAS integration currently supports CAS 3.0 and up.
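The handshake described above, sketched from the application side as an added example (not Apply's own code): it builds the CAS 3.0 login redirect and validation request, parses the validation response for the Unique ID and attributes, rejects failure responses, and matches an existing account by email. The host names, the `mail` attribute name, the account store and the sample responses are constructed assumptions.

```python
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS responses

class CasValidationError(Exception):
    pass

def login_redirect(cas_base, service_url):
    """URL the browser is sent to; CAS returns it to service_url with ?ticket=ST-..."""
    return f"{cas_base}/login?{urlencode({'service': service_url})}"

def validation_url(cas_base, service_url, ticket):
    """Back-channel CAS 3.0 check; service must equal the one used at login."""
    query = urlencode({"service": service_url, "ticket": ticket})
    return f"{cas_base}/p3/serviceValidate?{query}"

def parse_validation(xml_text):
    """Return (uid, attributes); raise on a failure or malformed response."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise CasValidationError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    user = success.find("cas:user", CAS_NS) if success is not None else None
    if user is None or not (user.text or "").strip():
        raise CasValidationError("no authenticated user in response")
    attrs = {}
    for el in success.findall("cas:attributes/*", CAS_NS):
        attrs.setdefault(el.tag.split("}", 1)[-1], []).append((el.text or "").strip())
    return user.text.strip(), attrs

def match_or_create(accounts, uid, attrs):
    """Reuse the account with this email, else create one (accounts: email -> record)."""
    email = attrs["mail"][0]  # "mail" is an assumed attribute name; deployments differ
    return accounts.setdefault(email, {"uid": uid, "email": email})

# Constructed sample responses, not captured from a real CAS server.
SAMPLE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>u12345</cas:user>
    <cas:attributes><cas:mail>pat@example.edu</cas:mail></cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

A response that fails to parse or carries `authenticationFailure` should end the login attempt; no account is matched or created from it.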
Due to the technical nature of implementing an SSO Integration, and the vast number of authentication services that clients can have, Apply requires there to be a technical expert on the client’s end who has a background or strong knowledge of SSO.