Thanks to everyone who responded to this thread. Regards -Ram
On Thu, Nov 21, 2019 at 7:30 AM Andy Ng <[email protected]> wrote:

> Hi Ram,
>
> Although others have already answered, I still want to chime in with some of my opinion :)
>
> > Does CAS support both authentication as well as authorization?
>
> Yup, at least the more modern CAS versions support authorization.
>
> I don't know if this is the standard way to do it, but judging from the documentation, we do it this way:
>
> 1. Authenticate the user
>    - Let's say our user is *casuser*, authenticated using LDAP.
> 2. Attribute resolution for the user
>    - Let's say, by using JDBC, we can identify that casuser actually has an attribute role = admin.
>    - Note: some implementations can skip this step and directly get user attributes in step 1, which CAS is totally OK with you doing.
>    - As you can see in the *principalAttributeList* property, LDAP can allow you to get attributes in the same step as when you authenticate the user:
>      https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties.html#ldap-authentication
> 3. Allow / deny access based on the Service Access Strategy
>    - For example, here:
>      https://apereo.github.io/cas/6.1.x/services/Configuring-Service-Access-Strategy.html#enforce-attributes
>    - You can see that, unless the user has the role = admin attribute, they cannot access the service.
>    - Hence, you can authorize users based on their attributes. I think this is called attribute-based access control, but don't quote me on that :)
>
> > Which Database to use? I figured out LDAP supports authorizations but is there some other db suggestions.
>
> There are many technologies supported, for example:
> - For step 1 above: JDBC (e.g. MySQL, PostgreSQL), LDAP, several NoSQL stores (e.g. MongoDB, Redis...), REST, and much more.
> - For step 2 above: you can see the list here:
>   https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties.html#authentication-attributes
>   All in all, very many choices.
>
> *You can use multiple technologies together in either or all steps*, e.g.:
> - Authenticate the user using both JDBC and LDAP
> - Resolve attributes based on REST and MongoDB
>
> Of course that would probably be overkill, but you get my point: it is very flexible.
>
> As for which to use, I think it is very much a matter of preference; I think that's why there are so many options :)
>
> We have used multiple authentication sources before, including LDAP and JDBC, which seem fast and reliable; no complaints were received after the deployment on PROD using these technologies.
> We have tried REST; it is very slightly slower than just using LDAP or JDBC, but every second counts, so I would recommend one of the native approaches if possible.
>
> > I am also curious to know the industry standard product for IAM & SSO? If possible, please share the technical stack used for the same.
>
> I am as curious as you are; if somebody else has more insight, that would be great!
>
> Cheers!
> - Andy
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/2b263647-b213-4831-b6df-86f767b9b549%40apereo.org

--
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGST5P-iF_RPmzL_%2BBPR-3oyyQ-%3DhNcO6W3dKJ5y%3DqSqEyo0HQ%40mail.gmail.com.
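For readers arriving at this thread later, here is a worked example of step 3 from Andy's reply (the Service Access Strategy that enforces an attribute). It is an added example written for this page, not code from the thread or from the CAS project's own samples. It assumes a JSON service registry, a hypothetical application at app.example.org, and that steps 1 and 2 have already produced a principal attribute named `role` (for instance via `cas.authn.ldap[0].principalAttributeList` or a `cas.authn.attributeRepository.jdbc[0]` query); the attribute name, service name and id are all assumptions.

```json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://app\\.example\\.org/.*",
  "name" : "AdminApp",
  "id" : 100,
  "description" : "Added example: only principals whose resolved attributes contain role=admin may obtain a service ticket",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requireAllAttributes" : true,
    "caseInsensitive" : false,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "role" : [ "java.util.HashSet", [ "admin" ] ]
    }
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "role", "mail" ] ]
  }
}
```

With the JSON service registry this file is named after the service's `name` and `id` (here `AdminApp-100.json`) and placed in the registry's directory. Two points worth checking before relying on it: the `serviceId` regex is anchored and the dots are escaped (written as `\\.` inside a JSON string), so a URL on a look-alike host such as `https://appXexample.org/` does not match the registration; and the check fails closed, so a principal whose attribute resolution returns no `role` attribute at all (for example because the JDBC repository is down or the query matched nothing) is denied rather than let through. Authentication succeeding in step 1 is not enough on its own; the ticket is only issued if the resolved attributes satisfy `requiredAttributes`.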
