Single Sign On Migration to Entra
ITS is planning to migrate Single Sign On (SSO) from the current Apereo CAS to Microsoft Entra ID, the same technology that powers many of today’s secure cloud services and the University’s email system. This change will make signing in simpler, more reliable, and more secure.
Overview
SSO is being migrated to Microsoft Entra ID because it offers several important improvements over CAS. First, it provides better availability, meaning our login service will be more reliable and less likely to experience downtime. It also delivers stronger security protections to help safeguard accounts and personal information against evolving cyber threats. Entra supports advanced authorization features, allowing ITS and application owners to better control who has access to which resources. Finally, the platform makes it easier to connect new applications, so students, faculty, and staff can benefit from a wider range of tools and services with a consistent and seamless sign-in experience.
Approach
This transition is designed to be smooth, with minimal disruption for most users. Behind the scenes, ITS will work closely with application owners to guide them through migrating their applications to Entra, and will add new functionality to CAS to ease the transition. Application owners will receive direct communication with instructions, timelines, and support resources to ensure their services are updated in a coordinated and efficient way.
Phases
Many major applications are already using Microsoft Entra for login. These applications include Microsoft 365 tools (Outlook, SharePoint, OneDrive, etc.), HuskyCT, and Webex. Only applications that use CAS for SSO are in scope for this project. Application owners may choose to migrate their applications at any time by contacting the ITS Technology Support Center.
1. Planning
Currently, Entra login is being tested as a method of login to CAS itself while applications using CAS for SSO are being inventoried. Documentation, announcements, and project plans are being created.
2. Entra Login to CAS
Once ITS has completed testing, a new login option on CAS will be published for users with a uconn.edu email address. This new method will allow users to log in to CAS-protected services using Microsoft Entra instead of typing their regular NetID and password. We expect this phase to further help familiarize users with Entra, as well as identify any applications that will not work with this method.
During this phase, a solution for supporting UConn Health and alumni logins will be developed, and applications that support these populations will be contacted for any necessary changes.
3. CAS Hidden Behind Entra
Once ITS is confident that Entra Login to CAS is functional for all applications and an alumni solution has been implemented, we will modify CAS to automatically redirect users to Entra for login for applications that do not require alumni support. This will effectively hide CAS from users, while not requiring applications to be modified. This will be the main “user impacting” phase of the project.
4. Application Migration to Entra
The final phase of this project will be migrating all of the remaining applications to the new Entra SSO solution. There are hundreds of applications currently using CAS for authentication, so this will be an ongoing effort. ITS will prioritize critical applications so they get the benefits of using Entra as soon as possible.
Information for Application Owners
If you would like to migrate your application from CAS to Entra, please contact the ITS Technology Support Center and create a ticket with the Accounts and Access team. During the migration, we will also help identify and limit which populations use your application and discuss options for ongoing access management.
If you have any questions about this project, please contact the ITS Technology Support Center.