CAS/SAML/SSO protected bookings

Since you are looking at the education market, and the higher education market, it would be neat (and lucrative) to provide the feature of protecting a booking page with CAS/SAML, which are the standard SSO mechanism in higher education.

This would allow an advisor, or faculty, or whatever to restrict bookings to university community members, using the standardized way. Right now, this would require setting up a password, and communicating this password to potential people signing up.

I think the easiest workflow for you would be to:
— Use CAS, Central Authentication Service (which requires little overhead, i.e., no XML metadata to exchange with remote institution).
— Ask individual users to do the legwork to add their institution.
— Make this a booking specific page setting, and make it so the username is a variable that can be used (for instance as passthrough in the booking form).

For context, for instance, at Princeton, we’ve had a “clone” of YouCanBook.Me for more than 15 years:

One of the main features is that it allows faculty to restrict to students.

Actually, one way to hack this together well with the current feature set would be to use a hidden or passthrough question:

I will look into creating a proxy redirection from CAS to YCBM that uses URL query parameters to set a hidden field.

Great suggestion for a workaround. We have discussed options for restricting bookings to certain parties. An email verification could be one way forward for this.

1 Like

@Ben I am actually thinking of writing a proxy service that can do the following:

  • Be provided with a YCBM URL + password.
  • Be provided with a university CAS server.
  • Be provided with the name of a short code to use for passthrough.
  • Create a link that logs users with the university CAS, redirects to the YCBM with a password and logged-in username as passthrough data.

If you are not planning to address this gap, or to address it soon, this would be an alternate way for education customers to secure or filter access to their booking calendars. Let me know :smiley:

We are using Okta (would use Okta preview instance for that) for SSO and would like to have the same option to protect booking pages. Also, user SSO is needed (3rd party iDP) as well with SCIM provisioning.

@avshch Thanks for your reply. We have had some preliminary discussions on building out functionality to work with tools like Okta. I will make sure the product team see your comment.