If you're grouping your services because of the restrictions on username namespaces (I believe you said that "admin" from Group A is not the same as "admin" from Group B), then you shouldn't do SSO across Group A and Group B. SSO should be restricted to apps in Group B or apps in Group A, meaning that you should have a CAS server for each group.
CAS assumes that you've solved your username namespace problem and that you can uniquely identify a person.

On Wed, Jun 3, 2009 at 9:07 AM, Marvin Addison <[email protected]> wrote:
> > Group A
> > - www.serverA.com
> > - www.subServiceAA.com
> > - www.subServiceAB.com
> >
> > Group B
> > - www.serverB.com
> > - www.subServiceBA.com
> > - www.subServiceBB.com
>
> I'm uncertain whether phpCAS supports the renew flag, but I believe it
> does. Assuming it does:
>
> www.serverA.com -> set up for proxying with renew flag turned on while
> AA and AB proxy against A for SSO. Similarly for serverB. The
> combination of proxy and renew is the key to accomplishing what you
> want.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
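The one-CAS-server-per-group layout discussed in this thread, as an added example that is not part of the original messages and is not phpCAS code: each service validates tickets only against its own group's CAS server, optionally with the CAS protocol's `renew=true` parameter, and identities are kept as (group, username) pairs so the two "admin" accounts never collide. The hostnames come from the thread; the CAS server URLs, function names and sample responses are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 response namespace

# Hostnames are from the thread; the CAS server URLs are hypothetical.
GROUPS = {
    "A": ("https://cas-a.example.org/cas",
          {"www.servera.com", "www.subserviceaa.com", "www.subserviceab.com"}),
    "B": ("https://cas-b.example.org/cas",
          {"www.serverb.com", "www.subserviceba.com", "www.subservicebb.com"}),
}

def group_for(service_url):
    """Return the group whose CAS server may vouch for this service."""
    host = urlsplit(service_url).hostname or ""  # hostname is lower-cased
    for name, (_, hosts) in GROUPS.items():
        if host in hosts:
            return name
    raise ValueError(f"{host!r} belongs to no SSO group")

def validate_url(service_url, ticket, renew=False):
    """Build the serviceValidate URL on the service's own group CAS server."""
    params = {"service": service_url, "ticket": ticket}
    if renew:
        # Validation then succeeds only for tickets issued from a fresh
        # presentation of credentials, not from an existing SSO session.
        params["renew"] = "true"
    base = GROUPS[group_for(service_url)][0]
    return f"{base}/serviceValidate?{urlencode(params)}"

def principal(service_url, response_xml):
    """Turn a validation response into a (group, username) identity."""
    root = ET.fromstring(response_xml)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None or not (user.text or "").strip():
        raise PermissionError("CAS validation failed")
    return (group_for(service_url), user.text.strip())

# Constructed sample responses in the CAS 2.0 format.
SUCCESS = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
           '<cas:authenticationSuccess><cas:user>admin</cas:user>'
           '</cas:authenticationSuccess></cas:serviceResponse>')
FAILURE = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
           '<cas:authenticationFailure code="INVALID_TICKET">not recognized'
           '</cas:authenticationFailure></cas:serviceResponse>')

if __name__ == "__main__":
    print(validate_url("https://www.serverA.com/login", "ST-1-constructed", renew=True))
    print(principal("https://www.subServiceAA.com/app", SUCCESS))
    print(principal("https://www.subServiceBA.com/app", SUCCESS))
```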
