Authentication Using CAS

CAS is a single sign-on protocol for the web. It permits a user to access multiple applications while providing credentials, such as a user ID and password, only once.
Web applications that use the CAS protocol can grant users access without needing to access the user's security credentials. In the use case addressed by CAS, the user requests a service from the service provider (Alma in this case). The service provider requests and obtains an identity assertion from the CAS server. On the basis of this assertion, the service provider can make an access control decision. In other words, it can decide whether to perform a service for the connected user.
Before delivering the identity assertion to the service provider, the CAS server requests some information from the user, such as a user name and password, in order to authenticate the user.
Alma supports the CAS 2.0 protocol. This enables Alma to exchange authentication and authorization information.

Login to Alma Using CAS – Workflow

  1. The user logs in to Alma with the following URL: <Alma domain>/CAS
  2. Alma redirects to the CAS server and sends an authentication request.
  3. The CAS server performs a single-sign-on check.
  4. If the user is not logged in to the CAS server, a login page is displayed (this is not the Alma login page, but the CAS login screen).
  5. After the user logs in, the CAS server redirects back to Alma with a CAS response, including a ticket for validation.
  6. Alma sends the validation ticket back to the CAS server.
  7. After validating the ticket, the CAS server sends Alma an XML response.
  8. Alma retrieves the user identifier from the response and logs the user in.
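
Steps 6 to 8, seen from the service provider's side, as an added example (not Alma's own code): it builds the CAS 2.0 `serviceValidate` request and reads the user identifier from the XML response, failing closed on anything other than an explicit success. The host names, the ticket value and the sample responses are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

CAS_TAG = "{http://www.yale.edu/tp/cas}"  # CAS 2.0 XML namespace
NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses in the CAS 2.0 serviceValidate format.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

class CasValidationError(Exception):
    """The response did not assert an authenticated user."""

def build_validate_url(cas_base, service_url, ticket):
    """Step 6: URL the service provider requests to validate the ticket."""
    if urlsplit(cas_base).scheme != "https":
        raise ValueError("CAS provider URL must use https")
    query = urlencode({"service": service_url, "ticket": ticket})
    return f"{cas_base.rstrip('/')}/serviceValidate?{query}"

def extract_user(response_xml):
    """Steps 7-8: return the user id only on an explicit authenticationSuccess."""
    if "<!doctype" in response_xml.lower():
        raise CasValidationError("DTD not allowed in CAS response")
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError as exc:
        raise CasValidationError("malformed XML") from exc
    if root.tag != CAS_TAG + "serviceResponse":
        raise CasValidationError("unexpected root element")
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        detail = (failure.text or "").strip()
        raise CasValidationError(f"{failure.get('code')}: {detail}")
    user = root.findtext("cas:authenticationSuccess/cas:user", "", NS).strip()
    if not user:
        raise CasValidationError("no user identifier in response")
    return user

if __name__ == "__main__":
    # Hypothetical hosts; the service URL follows the <Alma domain>/CAS form.
    print(build_validate_url("https://cas.example.edu/cas",
                             "https://alma.example.edu/CAS", "ST-1-constructed"))
    print(extract_user(SUCCESS_XML))
```

The `service` value sent at validation must be the same one used in the redirect of step 2; a CAS server rejects a ticket presented for a different service.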


The CAS authentication workflow is illustrated in the following diagram:

Logout from Alma Using CAS

When you log out of Alma, Alma requests the CAS server to log you out of the external system. You are then automatically logged out of the external system, and redirected to the CAS logout page.

Defining the CAS Profile

To authenticate users using CAS, an integration profile must be defined. Only one active CAS profile can be defined per institution. The only information needed to define the CAS integration profile is the CAS provider URL.
For further details on configuring the CAS profile, see Alma OLH.

CAS Server Requirements

  • The CAS server must be configured to allow access from Alma URLs.
  • SSL connections must be secured with a certificate issued by a recognized certificate authority. See the list here.