Help with Single Sign-On

What is Single Sign-On?

Single Sign-On is a service which allows users to provide their username and password once to a trusted service and to have their identity securely, consistently and seamlessly provided to many web applications.

Authentication to Single Sign-On requires you to provide your UOB username and password. If you are unsure about your username and password please refer to the IT Services documentation on Registration and passwords for IT services. If you are still unsure, please contact the IT Service Desk.

All members of the university with a UOB username and password can use SSO to authenticate. Web applications that make use of Single Sign-On for authentication may not be accessible to all UOB users. Whether an individual has access to an application is dependent on the nature of the application and the identity of the individual.

Logging in to SSO

Before entering your username and password into the University's SSO login form you should check that the web address of the page being displayed begins with "https://sso.bris.ac.uk/sso/". The "Check the URL" box on the login page reminds you to do this. The reason for checking the URL is to make it more difficult for a malicious person to fool you into supplying your username and password by setting up a page that looks like the university's SSO login page. By routinely checking the URL of the login page you help to reduce that risk. This is especially important when logging in to services that you have not used before.

You should be very wary of any web page that asks for your UOB username and password, and should always take steps to be sure that the application is what it claims to be and that it has a legitimate reason for asking for your password. Sites should have a URL beginning with "https://" (meaning that they encrypt network traffic) and you should recognise the server as being on the Bristol network (the server name should end with .bris.ac.uk). A site whose server name does not end in "bris.ac.uk" is highly unlikely to have a legitimate need for your password and you should not proceed. Even sites within the bris.ac.uk domain should not be trusted unthinkingly.
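
The two checks above (login URL prefix and university server name), written out as an added example that is not part of the original page. It parses the address rather than searching the raw string, so "bris.ac.uk" appearing in the path, query or user-info part of a deceptive address does not count; the sample addresses are constructed, not real sites.

```python
from urllib.parse import urlsplit

SSO_LOGIN_PREFIX = "https://sso.bris.ac.uk/sso/"   # prefix the page tells users to look for
UNIVERSITY_DOMAIN = "bris.ac.uk"                    # server name suffix the page describes


def is_sso_login_page(url: str) -> bool:
    """First check from the page: the login form's address starts with the SSO prefix.
    A plain prefix test is sound here because the prefix ends in '/', so
    'sso.bris.ac.uk.example.net' or 'sso.bris.ac.uk@example.net' cannot match."""
    return url.startswith(SSO_LOGIN_PREFIX)


def is_university_server(url: str) -> bool:
    """Second check from the page: HTTPS, and the host name ends in .bris.ac.uk.
    The host comes from the parsed URL, not from substring search on the whole string."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    on_domain = host == UNIVERSITY_DOMAIN or host.endswith("." + UNIVERSITY_DOMAIN)
    return parts.scheme == "https" and on_domain


# Constructed addresses (not real sites) showing what each check accepts.
SAMPLES = [
    "https://sso.bris.ac.uk/sso/login?service=https%3A%2F%2Fapp.bris.ac.uk%2F",
    "https://sso.bris.ac.uk.example.net/sso/login",              # look-alike host
    "https://sso.bris.ac.uk@example.net/sso/login",              # user-info trick
    "https://example.net/login?next=https://sso.bris.ac.uk/sso/", # name only in query
    "http://sso.bris.ac.uk/sso/login",                           # not encrypted
    "https://www.bris.ac.uk/",                                   # on campus, not the SSO form
]


def classify(url: str) -> tuple:
    """(is the SSO login page, is a university server) for one address."""
    return is_sso_login_page(url), is_university_server(url)
```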

If you log in to SSO to access one application and then try to log in to a second application, the Single Sign-On facility means that you won't need to retype your password. If the "Please warn me ... " checkbox is left unchecked, you may not even notice that your browser pops off to the SSO service before coming back to the second application. At first, this behaviour can seem quite disconcerting and a little like 'magic': somehow the second application just 'knows' who you are without you needing to tell it! Checking the "Please warn me ... " checkbox causes the SSO service to display a screen before it redirects you back to the second application, dispelling the 'magic' and making what's happening a lot clearer.

Logging out of SSO

You can log out of SSO by visiting https://sso.bris.ac.uk/sso/logout. Closing your browser will also log you out of SSO. It is very important that you log out of SSO when you have finished using the computer, particularly if the computer is in a public place. If you don't log out then subsequent users of the computer may be able to access many applications as you, even if they weren't the applications you were using. Completely shutting down your browser by closing all the browser windows is the safest way to ensure everything is logged out.

What's behind SSO?

The Single Sign-On service is provided by an instance of Jasig's CAS software. Documentation is available from Jasig about the protocol CAS uses to provide authentication services.

When it needs to check usernames and passwords are valid, the Single Sign-On system references the same authentication system as used for access to general computing facilities (UOB AD domain). Once a user has logged in, SSO maintains a session for that user. This allows SSO to assert the user's identity to web applications for the duration of that session, providing 'single' sign-on within that browser session.

SSO's use of cookies

The Single Sign-On system needs to "remember" which user is logged in to a web browser so that it can inform applications when they request authentication. SSO achieves this memory by use of a small file - a "cookie" - containing a randomly generated string of letters and numbers. This session cookie (named "CASTGC") allows SSO to recognise a browser as it visits the SSO pages multiple times and therefore to know which user logged in. The session cookie is normally deleted by browsers when they are closed. SSO will also end a user's session after a long period of inactivity, even if the browser remains open.

SSO uses a second cookie (named "JSESSIONID") to help make the submission of usernames and passwords secure. The cookie (like "CASTGC") is configured to be removed by browsers as they are closed but the life of these sessions on the server is limited to a very short duration (typically 5 minutes).

You can set your browser to refuse cookies or warn you before accepting them. If you refuse cookies from SSO, you will still be able to log in to SSO and authenticate to other services but SSO will not be able to remember who you are between visits and you'll need to provide your username and password for each new service you visit.

For further information, please see the University's 'Use of cookies' page.

Registering an application to use SSO

If you wish to make use of SSO for authentication to a web application please raise a request with the IT Service Desk. Applications must have their URL registered with SSO before they are able to make use of the service.

SSO currently makes no provision for supplying authorisation information to client applications. All that SSO delivers to client applications is a user's UOB username. Responsibility for determining user authorisation remains with the application.

Jasig maintain a number of CAS clients (Java, PHP, .Net and Apache) suitable for use with SSO. The protocol is relatively simple and is reasonably easy to re-implement in other web technologies for which no client exists.
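
The client side of that protocol, as an added example that is not code from the page, Jasig or the University: the application redirects the browser to the SSO login URL given on this page with a "service" parameter, receives a one-time ticket on return, validates it server-to-server via serviceValidate, and takes the username (and nothing else, as the page says) from the CAS 2.0 XML reply. The application URL, ticket values and XML responses are constructed, and the HTTPS request is a stub so the flow runs offline.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_BASE = "https://sso.bris.ac.uk/sso"           # login URL prefix given on this page
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}    # namespace of CAS 2.0 XML responses


def login_redirect_url(service_url: str) -> str:
    """Where the application sends an unauthenticated browser. After login, SSO
    redirects back to service_url with a one-time ticket appended (?ticket=ST-...)."""
    return f"{CAS_BASE}/login?{urlencode({'service': service_url})}"


def validate_url(service_url: str, ticket: str) -> str:
    """Server-to-server check of the ticket. The service URL must equal the one
    used at /login, otherwise CAS rejects the ticket."""
    return f"{CAS_BASE}/serviceValidate?{urlencode({'service': service_url, 'ticket': ticket})}"


def parse_validation(xml_text: str) -> Optional[str]:
    """Return the username CAS asserts, or None on failure. This username is all
    SSO supplies: any authorisation decision is the application's own."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    return user.text.strip() if user is not None and user.text else None


def handle_callback(callback_url: str, fetch: Callable[[str], str]) -> Optional[str]:
    """Handle the browser arriving back with ?ticket=... . `fetch` performs the HTTPS
    GET to serviceValidate; it is injected so the flow can be exercised offline."""
    parts = urlsplit(callback_url)
    query = parse_qs(parts.query)
    ticket = query.pop("ticket", [None])[0]
    if not ticket or not ticket.startswith("ST-"):
        return None
    # Rebuild the service URL exactly as sent to /login: same URL minus the ticket.
    service = parts._replace(query=urlencode(query, doseq=True), fragment="").geturl()
    return parse_validation(fetch(validate_url(service, ticket)))


# Constructed sample responses in the CAS 2.0 format (not captured from sso.bris.ac.uk).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>ab12345</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognised</cas:authenticationFailure>
</cas:serviceResponse>"""


def demo_fetch(url: str) -> str:
    """Stand-in for the HTTPS request: only the constructed ticket ST-good validates."""
    return SAMPLE_SUCCESS if parse_qs(urlsplit(url).query).get("ticket") == ["ST-good"] else SAMPLE_FAILURE
```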

©2014 University of Bristol.
This product includes software developed by the JASIG Collaborative.