Hello all,
I'm evaluating Apereo CAS for our company and I have a few features that I'd like to discuss. I have a list of features that seem to be possible with CAS; I'd just need a little guidance on how to choose appropriate extension points/protocols. We have several customer-facing PHP web apps and then several internal protected PHP services. I'm looking for a central authentication service that we could integrate into our environment and bring in SSO between the customer-facing web apps.

*For existing customers, ability to authenticate during the checkout process (product customisation) without leaving the form, before the order is submitted (AJAX, ROPC, iframe…)*

At this point it's not necessary to have an SSO session; the application can authenticate the user using REST or OAuth2 ROPC. It will leave the user without an SSO session, but that's fine for us during the checkout process.

*We need a way for guests to auto-create an SSO session after submitting the order (auto-login after registration)*

Fairly basic use case: the user just gave our webapp his credentials. We can leverage UMA to create a user, so far so good. But at this point we'd like to do a browser redirect to the CAS domain to acquire the SSO cookie and then back to choose a payment method. The same mechanism that I'm missing here may be used for the above scenario to convert the webapp security session to a full SSO session after the user submits the order form. A chain of redirects can safely happen at this point. I have found a discussion https://groups.google.com/forum/#!topic/jasig-cas-user/_hxJtQA_KM4 where a user suggests https://github.com/epierce/cas-server-extension-token. Is this an officially recommended solution?
Alternative approach I'm thinking about: the docs say <https://apereo.github.io/cas/4.2.x/installation/Configuring-SSO-Session-Cookie.html> that "What this means is, logging in to a non-SSO-participating application via CAS nonetheless creates a valid CAS single sign-on session that will be honored on a subsequent attempt to authenticate to a SSO-participating application." And that makes me think about leveraging the REST protocol for webapp<->CAS user authentication. Once I get a TGT, I store it securely in the application session, and once a redirect can occur, e.g. the user submits the form, I'd like to redirect the user to CAS and let CAS use that TGT to create the TGC cookie. Is there a way?

*Rate-limiting failed login attempts, counted per IP address and separately per username*

The docs say that throttling is supported; they just do not state whether it's possible to employ both strategies at the same time.

*After a user gets blocked by reaching the limit per username, allow them to unblock their account through an email link sent to their contact email address*

Also I'd need a way to unblock the user. If the information about the blocked user is stored in a datasource, I could unblock the user by overwriting the right piece of information from another service, but this does not sound right.

*GeoIP protection, allow whitelisting countries*

I see some notes on adaptive authentication, but don't see any extension points here to provide per-user configuration. What would be the recommended way to deal with this?

*IP whitelist, allow only whitelisted networks, IP addresses*

Same as above, adaptive authentication could be used, but the per-user configuration seems missing.

*Ability to request a special email link to unblock the account by altering security settings for the feature that caused the block (add IP address to whitelist, add country to whitelist, reset login-based failed attempts login limit)*

I'd like to be able to create a standalone service, or extend CAS to provide this functionality.
The former seems easier to achieve; however, I'm not sure whether there is a CAS-supported way to generate one-time, time-constrained links that another service could send by email and validate later.

*Forgotten password recovered through SMS*

*Forgotten login recovered by a matching phone number and SMS code*

As I understood from the docs, CAS contains limited management of user credentials and it is recommended to redirect the user to a standalone application. That seems reasonable; could it be a user interface of our custom identity management service?

*Authentication with API keys that allow our customers to manage our products via REST API (not a delegated authentication scheme, just a list of revokable, time-constrained API keys per user)*

At first it seemed to me that JWT authentication could be used, but since a JWT can't be simply revoked, it's probably not the best fit; maybe something like a "service account" validated through REST authentication would do?

Any help is appreciated.

Michael
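The REST-protocol flow sketched in the "Alternative approach" paragraph (credentials to TGT, TGT to service ticket, service ticket validation), as an added example that is not part of the original post or of CAS itself. The client is driven through an injectable transport, and a constructed stand-in for the CAS endpoints is embedded so it runs offline; the base URL, credential store and ticket values are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

CAS = "https://cas.example.org/cas"   # assumed CAS base URL (placeholder, not from the post)
NS = "{http://www.yale.edu/tp/cas}"   # namespace used by CAS validation responses
USERS = {"alice": "correct horse"}    # constructed credential store for the fake server
_tgts, _sts = {}, {}                  # fake server state: TGT -> user, ST -> (user, service)

def fake_cas(method, url, data=""):
    """Constructed stand-in for the CAS REST endpoints; returns (status, headers, body)."""
    form = {k: v[0] for k, v in parse_qs(data).items()}
    if method == "POST" and url == f"{CAS}/v1/tickets":
        if USERS.get(form.get("username")) != form.get("password"):
            return 401, {}, ""                              # bad credentials
        tgt = f"TGT-{len(_tgts) + 1}-constructed"
        _tgts[tgt] = form["username"]
        return 201, {"Location": f"{CAS}/v1/tickets/{tgt}"}, ""   # TGT is returned in Location
    m = re.fullmatch(rf"{re.escape(CAS)}/v1/tickets/(TGT-[^/]+)", url)
    if method == "POST" and m and m.group(1) in _tgts:
        st = f"ST-{len(_sts) + 1}-constructed"
        _sts[st] = (_tgts[m.group(1)], form.get("service"))
        return 200, {}, st                                  # service ticket in the body
    if method == "GET" and url.startswith(f"{CAS}/p3/serviceValidate?"):
        q = {k: v[0] for k, v in parse_qs(url.split("?", 1)[1]).items()}
        user, service = _sts.pop(q.get("ticket"), (None, None))   # STs are single-use
        if user and service == q.get("service"):
            inner = f"<cas:authenticationSuccess><cas:user>{user}</cas:user></cas:authenticationSuccess>"
        else:
            inner = "<cas:authenticationFailure code='INVALID_TICKET'/>"
        return 200, {}, f"<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>{inner}</cas:serviceResponse>"
    return 404, {}, ""

def rest_login(transport, username, password):
    """Step 1: trade credentials for a TGT. The webapp keeps it server-side only; it never reaches the browser."""
    body = urlencode({"username": username, "password": password})
    status, headers, _ = transport("POST", f"{CAS}/v1/tickets", body)
    return headers["Location"].rsplit("/", 1)[1] if status == 201 else None

def service_user(transport, tgt, service):
    """Steps 2-3: mint an ST for `service` from the stored TGT, validate it, return the asserted user or None."""
    status, _, st = transport("POST", f"{CAS}/v1/tickets/{tgt}", urlencode({"service": service}))
    if status != 200:
        return None                                         # TGT expired or unknown: re-authenticate
    _, _, xml = transport("GET", f"{CAS}/p3/serviceValidate?" + urlencode({"service": service, "ticket": st}))
    node = ET.fromstring(xml).find(f"{NS}authenticationSuccess/{NS}user")
    return node.text if node is not None else None
```

Against a real deployment, `transport` would wrap an HTTPS client; the TGT stored in the application session is as sensitive as the SSO cookie itself and should be treated accordingly.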