Retiring of login.kth.se and the CAS Protocol
In February 2006, a central login service, login.kth.se, was introduced at KTH based on the CAS protocol. This service has since been used by internal and external applications to authenticate KTH users.
Since KTH has not invested in further development of the existing CAS service (login.kth.se), the current solution does not support more modern protocols such as SAML 2.0 or OpenID Connect, which are requested by developers and by the external services and applications used at KTH.
We also have no way to extend the existing service to support the newly requested protocols, and modern versions of CAS no longer support functionality that we rely on in the current environment, so we would need to re-implement that functionality.
One problem with today's solution is that it has been difficult to convince external suppliers to use CAS for login, as it requires major customizations of their applications.
What do we want to achieve with the switch?
- Support modern standard protocols like OpenID Connect or SAML 2.0 for applications and services we acquire for KTH.
- Retire the CAS protocol for login at KTH.
- Gain better control over what information is sent out to applications by classifying, at the attribute level, the information issued to each application.
- Introduce requirements for registration of applications that use the login service, in order to better support legal requirements (such as the GDPR).
- Introduce MFA/2FA for employees for more robust account security and to minimize account hijacking.
What will replace login.kth.se
The existing CAS-based service will be replaced with the solution already in use today for login.ug.kth.se.
We have run this solution in production in parallel with login.kth.se in recent years to provide access to external services such as Adobe Cloud, Slack and Microsoft 365.
What will replace the CAS protocol?
We will replace the CAS protocol with SAML 2.0 and OpenID Connect.
You can read more about SAML 2.0 on the following page, https://en.wikipedia.org/wiki/SAML_2.0.
You can read more about OpenID Connect on the following page, https://openid.net/connect/.
When will login.kth.se be retired?
The retiring of login.kth.se will take place on 1 June 2021.
Which requirements are placed on services and applications that want to use the login service?
For external services the following requirements must be met:
- A valid agreement must exist between KTH and the supplier.
- A risk and vulnerability analysis must have been carried out for the service.
- A reviewed Data Processor Agreement (DPA) under the GDPR must exist between KTH and the supplier.
For internal services, the service must comply with the requirements of the policy for self-administered computer systems.
What do I need to change in my application?
To be able to use KTH's login service you need to do the following two things:
- Register your application for approval via the registration form (the registration form will be made available on 19 January).
- After approval, migrate your application from using the CAS protocol to using the SAML 2.0 protocol or the OpenID Connect protocol.