Frequently Asked Questions
About the CAS Application Migration Project
-
Q: How will users authenticate?
A: For the next year or two, the authentication screen presented to the user will be the CAS login screen. Okta is federating logins to CAS. So the user experience of logging in won't change. At some point, we will make the switch to using Okta's login screen. So for now, NetId/password/Duo are the login credentials.
-
Q: Do I need credentials to access ces-byu-migration.oktapreview.com/.well-known/openid-configuration?
A: ces-byu-migration.oktapreview.com/.well-known/openid-configuration is public-facing and doesn't require any credentials. You can open it in a browser or make a GET call to it in Postman/Bruno/curl.
-
Q: Is ces-byu-migration.oktapreview.com the Domain that Auth0 asks for?
A: At present, yes. The final domain will be login.byu.edu once in production.
-
Q: What is Auth0? It looks like a step-brother to Okta. Do I need to sign up for an account?
A: Auth0 was purchased by Okta in 2021, so yes, they technically are step siblings. Some engineers like to use a library instead of hand-coding all the OAuth calls. Our team recommends using libraries provided by either Okta or Auth0. Auth0 has a wider range of platform libraries; the Okta website doesn't include any for PHP, but Auth0 does. You should be able to download the library without an account.
-
Q: The CAS library returns a list of attributes that includes memberOf so that we can determine the role of the user. Can the profile returned by Okta include group membership?
A: We won't be providing an equivalent memberOf attribute. The list of group memberships can get so large that we max out on field size. As the alternative, we encourage calling the Groups API to get a list of groups the authenticated user is a member of. The Groups API needs a BYU ID, so I have added the byu_id into the UserInfo endpoint for you.
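Added example code (not part of this FAQ or of Okta's libraries) covering two of the answers above: it checks a fetched discovery document from /.well-known/openid-configuration before trusting its endpoints, and pulls the byu_id claim out of a UserInfo response for the Groups API lookup. The endpoint paths and both JSON documents are constructed samples, and the claim names are assumptions.

```python
import json
from urllib.parse import urlparse

ISSUER = "https://ces-byu-migration.oktapreview.com"

# Constructed sample discovery document shaped like the public
# /.well-known/openid-configuration response; endpoint paths are assumptions.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth2/v1/authorize",
    "token_endpoint": ISSUER + "/oauth2/v1/token",
    "userinfo_endpoint": ISSUER + "/oauth2/v1/userinfo",
    "jwks_uri": ISSUER + "/oauth2/v1/keys",
})
REQUIRED = ("authorization_endpoint", "token_endpoint",
            "userinfo_endpoint", "jwks_uri")

def check_discovery(doc_text: str, expected_issuer: str) -> list:
    """Return the problems found (empty list = usable): the issuer must be the
    one we configured, and every endpoint we send codes or tokens to must be
    HTTPS on that issuer's host, so a swapped document cannot redirect them."""
    doc = json.loads(doc_text)
    host = urlparse(expected_issuer).hostname
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    for key in REQUIRED:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
            continue
        parts = urlparse(url)
        if parts.scheme != "https" or parts.hostname != host:
            problems.append(f"{key} is not https on {host}: {url}")
    return problems

# Constructed sample UserInfo response: no memberOf claim, but byu_id is
# present, which is the identifier the Groups API lookup needs.
SAMPLE_USERINFO = json.dumps({
    "sub": "00u-example", "preferred_username": "cosmo",
    "locale": "en-US", "timezone": "America/Denver", "byu_id": "000000000",
})

def byu_id_for_groups_lookup(userinfo_text: str):
    """Return the byu_id claim, or None when absent so the caller fails closed
    instead of treating the user as a member of no groups."""
    return json.loads(userinfo_text).get("byu_id") or None
```

In a real client, fetch the discovery document over TLS from the configured issuer, refuse to proceed when check_discovery returns anything, and treat a missing byu_id as an authorization failure rather than an empty group list.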
-
Q: If we are already on SAML (via CAS), it looks like we will just need to adjust some URLs, correct?
A: In theory, if you are already on SAML, and you choose to remain on SAML, yes, you will need to adjust URLs. The new domains will follow a pattern of https://login.byu.edu, and for non-prod, it will be https://login-cpy.byu.edu, replacing cpy with the non-prod instance you get assigned for testing out your applications. Note: the attribute names in SAML assertions may change in Okta.
-
Q: If we are already on SAML, is there a need to migrate to OIDC? Is SAML eventually going away under Okta?
A: SAML is not going anywhere; it is supported by Okta and widely used. That being said, the SAML spec is 20 years old and there are no plans to revisit/enhance/improve the SAML spec by the industry groups who manage such things. For custom applications, we highly encourage making plans to move towards OAuth/OIDC. Whether you move to OAuth now or in the future is up to you and your discretion. All of our early adopters with custom applications that were on SAML have chosen to move to OIDC.
-
Q: Will we be able to switch back and forth between CAS and Okta configurations as we test/verify things?
A: During development and testing of your custom applications, yes, you can switch back and forth. Once an application is in production though, there is no going back to CAS.
-
Q: What SAML assertions and Okta attributes are available?
A: By default, we plan to always return SAML assertions and OIDC profile attributes of preferred_username, timezone, locale, and BYU UUID. Identifiers such as BYU ID, Worker ID, etc., or other needed attributes, are determined during the needs analysis prior to setting things up in Okta.