Integration CAS - Active Directory

Single Sign-On in the Active Directory domain UGent.be is provided for users of a UGent account in the following circumstances:

* These devices are installed via the rollout and included in the Active Directory domain UGent.be.

What?

You only need to log in once to access multiple applications and resources

Effects?

Exceptions

For your safety: do not leave your PC or laptop unattended!

  1. You can lock a Windows PC using 'Ctrl-Alt-Del'. Others can still log in to their own accounts from the login screen.
  2. When you stop working, you can log out of Windows; then all open apps are closed, but the PC is not turned off. Someone else can log in without restarting the PC.
  3. If you use Athena on other devices (which are not included in the Active Directory domain UGent.be), you must log out. Click on 'Log out' and choose 'Disconnect'.

Issues?

  1. You will see a pop-up login window instead of the regular CAS login page.

    Solution: If you disable 'automatic login' for your browser, the pop-up login window is no longer shown. Instead you will see the CAS login page.

    1. Click on the following link: https://login.ugent.be/disable
    2. Close your browser.
    3. Restart your browser.
    4. Log in now via the CAS login page.

    Note: if your Windows PC or laptop is NOT included in the Active Directory domain UGent.be, no Single Sign-On is possible. In that case you cannot log in automatically, but with the instructions above you can disable the pop-up login window and replace it with the CAS login page.

  2. Single Sign-On does not work from your home.

    When you take your laptop home with you, you cannot log in (on Windows) to the Active Directory domain UGent.be. This is intentional; you cannot fix it. The integration between CAS and AD does not work in this situation, and starting the VPN makes no difference.

  3. You will not be logged out.

    When you log out of CAS:
    • by clicking on 'Log out' on the portal site (www.ugent.be)
    • or by clicking on 'UGent CAS logout' on Minerva (minerva.ugent.be)
    • or via https://login.ugent.be/logout
    and then close your browser completely, you are logged out until you open the browser again and visit these sites. At that moment you are automatically logged in again.
    Solution: You can disable 'automatic login' for your browser, see point 1.

COOKIES!

Automatic login on a system that has been rolled out and is in the Active Directory domain UGent.be is set up by means of the "NEGOTIATE_AUTOLOGIN_ENABLE" cookie.

When you log in (via the CAS login screen), a JavaScript check determines whether login.ugent.be is listed in the "Trusted Websites".

  1. If login.ugent.be is found in the "Trusted Websites", the PC/laptop is in the UGent domain and the browser is NOT started on Athena,
    then the "NEGOTIATE_AUTOLOGIN_ENABLE" cookie is set. As a result, no distinction is made between different browser settings.
  2. If automatic login is enabled, it is checked whether the browser is an "allowed" browser (= Internet Explorer, Firefox, Chrome).
  3. If the browser is Internet Explorer, Firefox or Chrome, the "Trust" cookie is set if it was not already present (e.g. when logging in for the first time).
    If the "Trust" cookie was already there, you are logged in automatically.

NO cookies are placed on Athena.

Enabling "automatic login" for your browser (setting "NEGOTIATE_AUTOLOGIN_ENABLE" cookie) can also be done as follows:

  1. Click on the following link: https://login.ugent.be/enable
  2. Close your browser.
  3. Restart your browser.

You can also disable "Automatic login" for your browser ("NEGOTIATE_AUTOLOGIN_DISABLE_PERMANENT" cookie) as follows:

  1. Click on the following link: https://login.ugent.be/disable
  2. Close your browser.
  3. Restart your browser.
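
The cookie flow above, written out as a small JavaScript model for troubleshooting. This is an added example, not UGent's own script: the function names, the ctx object and the outcome strings are hypothetical, and it assumes that the opt-out cookie takes precedence, that /disable replaces the enable cookie, and that a stored "Trust" cookie on a machine outside the domain leads to the pop-up from issue 1.

```javascript
// Added model of the cookie flow described above; not UGent's own script.
const ENABLE = "NEGOTIATE_AUTOLOGIN_ENABLE";
const DISABLE = "NEGOTIATE_AUTOLOGIN_DISABLE_PERMANENT";
const TRUST = "Trust";
const ALLOWED_BROWSERS = ["Internet Explorer", "Firefox", "Chrome"];
const CAS_PAGE = "cas-login-page";
const AUTO = "automatic-login";
const POPUP = "popup-login-window";

// ctx (hypothetical shape): { trustedSite, inDomain, onAthena, browser }
// cookies: iterable of cookie names the browser already holds.
function visitLogin(ctx, cookies) {
  const jar = new Set(cookies);
  const result = (outcome) => ({ outcome, cookies: jar });

  // "NO cookies are placed on Athena."
  if (ctx.onAthena) return result(CAS_PAGE);
  // Assumption: the permanent opt-out cookie wins over everything else.
  if (jar.has(DISABLE)) return result(CAS_PAGE);

  // Step 1: trusted site + domain member => enable cookie, any browser.
  if (ctx.trustedSite && ctx.inDomain) jar.add(ENABLE);
  if (!jar.has(ENABLE)) return result(CAS_PAGE);

  // Step 2: only the listed browsers continue.
  if (!ALLOWED_BROWSERS.includes(ctx.browser)) return result(CAS_PAGE);

  // Step 3: the first visit sets "Trust"; later visits log in automatically.
  if (!jar.has(TRUST)) {
    jar.add(TRUST);
    return result(CAS_PAGE);
  }
  // Assumption (from the note under issue 1): outside the domain no
  // Single Sign-On is possible, so the browser shows the pop-up instead.
  return result(ctx.inDomain ? AUTO : POPUP);
}

// Models https://login.ugent.be/disable (assumed to drop the enable cookie).
function disableAutologin(cookies) {
  const jar = new Set(cookies);
  jar.delete(ENABLE);
  jar.add(DISABLE);
  return jar;
}
```

Feeding the cookies returned by one visit into the next reproduces issue 3: logging out does not remove the cookies, so the next visit from a domain PC is an automatic login until disableAutologin is applied.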