
CAS Migration Self Evaluation

Using the list of CAS application configurations for your department provided by the identity team, complete the following evaluation steps for each application.

Evaluation Workflow

Tip
Answer these questions before you begin:
  • Who is the business owner (i.e., who is responsible for the application and can authorize changes)?
  • Who can make SSO configuration changes (i.e., who can do the technical work)?

1. Is our department responsible for this application?

  • No - Provide whatever information you can about the application and refer it back to the Identity team. [STOP]

2. Is the application still being used? Does it need to be migrated to Okta?

  • No - Notify the Identity team to remove the application's CAS configuration. [STOP]
  • Yes - Does the application still use the CAS service (either CAS or SAML protocol) for user authentication?
    • No - Notify the Identity team to remove the application's CAS configuration. [STOP]

3. Will the application be replaced before June 30, 2027?

  • Yes - Notify the Identity team that the application does not need to be migrated and share the schedule for its replacement. Then notify the Identity team when the application has been replaced so its CAS configuration can be retired.

Tip
Answer these questions before proceeding to step 4:
  • Are there business constraints (e.g., end/start semester) that limit when the change can be made?
  • Are there technical constraints (e.g., vendor lead-time, other system dependencies) that will delay the change?

4. Must something happen before the application can move to Okta?

  • Yes - Schedule when the application will be moved and share that schedule with the Identity team.
  • No - Start work to move the application ASARP (As Soon As Reasonably Possible).

5. What user authentication protocol does the application use?

  • CAS - Move to OIDC (unless there's a compelling reason to move to SAML).
  • SAML - Continue to use SAML unless there's a compelling reason to move to OIDC.

Tip
Review the standard attributes/claims sets listed at https://identity.byu.edu/supported-authentication-attributes before proceeding to step 6.

6. Can the application's requirements for information returned in the user authentication response be satisfied with one of the standard attribute sets?

  • No - Consult with the Identity team to determine how to move forward. [STOP]

Tasks to Migrate Your Application to Okta after Completing the Evaluation

  1. Gather the remaining technical information for the Okta application configuration.
    • Redirect URLs: Login Redirect URL; Sign-out Redirect URL
    • SAML: Service Provider Identity ID (SAML metadata file URL)
    • Do you need localhost or 127.0.0.1? If so, at what ports?
  2. Work with the Identity team to obtain the non-production SSO credentials for your application.
  3. Migrate and validate the non-production version of your application.
  4. Work with the Identity team to obtain the production SSO credentials for your application.
  5. Schedule the production cut-over for your application and notify the Identity team so they can monitor the cut-over.
  6. Notify the Identity team that they can retire the old CAS configuration. If there is no notification, the Identity team will assume everything is fine and retire the old CAS configuration no less than two weeks after the production cut-over.