Questions and Recommendations
RECOMMENDATIONS FOR SPECIFIC PLATFORMS
| Platform | Recommendation |
|---|---|
| Brightspot | Brightspot provides user authentication as a platform service. That means all Brightspot sites that have user authentication enabled will move when the platform moves from CAS to Okta. Application owners only need to confirm that their Brightspot site works correctly after the transition. |
| WordPress | Digital Humanities identified a WordPress plug-in that provides an OIDC user authentication client that works with Okta. |
| JavaScript/Node.js and PHP | A developer will need to integrate the module implementing the protocol through which the application will communicate with Okta. |
| Third-party Application | SSO support varies by vendor, but generally the SSO integration can be updated either with help from the vendor or by someone who can access the vendor's SSO configuration as a system administrator. |
QUESTIONS
Q: How will users authenticate?
A: During 2026, the authentication screen presented to the user will be the CAS login screen. Okta federates logins to CAS, so the user experience of logging in won't change. During the first half of 2027, we will switch to using Okta's login screen.
Q: What is Auth0? It looks like a step-brother to Okta. Do I need to sign up for an account?
A: Auth0 was purchased by Okta in 2021, so yes, they technically are step siblings. We recommend using libraries provided by either Okta or Auth0. Auth0 has a wider range of platform libraries (e.g., the Okta website doesn't include PHP libraries, but Auth0 does). You should be able to download a library from either Okta or Auth0 without an account.
Q: Do I need credentials to access login-mig.byu.edu/.well-known/openid-configuration?
A: login-mig.byu.edu/.well-known/openid-configuration is public-facing and doesn't require any credentials. You can open it in a browser or make a GET call to it in Postman/Bruno/curl.
Q: Will we be able to switch back and forth between CAS and Okta configurations as we test/verify things?
A: During development and testing of your custom applications, yes, you can switch back and forth. Once an application is in production though, there is no going back to CAS.
Q: If we are already on SAML (via CAS), it looks like we will just need to adjust some URLs, correct?
A: If you are already using SAML (and wish to remain on SAML), you will need to adjust URLs. You may also need to adjust the attribute names in the SAML assertions. The new domains for the URLs will follow a pattern of https://login.byu.edu, and for non-prod, it will be https://login-cpy.byu.edu, replacing cpy with the non-prod instance you get assigned for testing out your applications.
Q: If we are already on SAML, is there a need to migrate to OIDC? Is SAML eventually going away under Okta?
A: SAML is and will be fully supported by Okta for the foreseeable future. That said, the SAML spec is 20 years old and the standards committees have no plans to revisit/enhance/improve it. We strongly encourage custom applications to move to OAuth/OIDC.
Q: The CAS library returns a list of attributes that includes memberOf so that we can determine the role of the user. Can the profile returned by Okta include group membership?
A: Work is currently underway to support groups on Okta. In general, that will mean support for application-specific groups (e.g., allowed users and application role groups). If you need group information that is not specific to your application, we encourage calling the Groups API to get a list of groups the authenticated user is a member of.