Arjohn,

When I was on that project, we used "delegated authentication" in place of what CAS calls "proxy authentication." In the example in that diagram, the portlet makes use of the SAML ECP profile, in which ECP stands for "Enhanced Client or Proxy."

Adam

Arjohn Kampman wrote:
Hi Adam,

Thanks for your reply. I was able to find some more info, now that I'm having the right keywords. Shibboleth also calls this functionality "proxy authentication" on this page: https://spaces.internet2.edu/display/ShibuPortal/Home

The sequence diagram on this page looks very similar to how CAS works. I think I prefer CAS over Shibboleth thanks to the (relative) simplicity of its protocol though.

Just a quick check if I have the correct understanding of the terminology:

- delegated authn: the use of an external service for authentication, a requirement for sso
- federated authn: combining several authentication services as a single virtual service
- proxy authn: a mechanism to access a service on behalf of a user or another service

Does that look correct?

Arjohn

Adam Rybicki wrote:

Arjohn,

Yes, CAS is pretty unique with this feature. I have recently done some work actually using it, and it is powerful.

SAML2 has a notion of "delegated authentication," which accomplishes the same thing in SAML. However, I don't know how many SAML IdPs actually implement it. I know that the open source Shibboleth IdP now has support for delegated authentication because I was somewhat involved in that project earlier this year.

CAS proxy authentication has existed for years, and it is well understood.

Adam

Arjohn Kampman wrote:

Dear CAS users,

I'm currently investigating authentication options for a project that requires services to access other services on behalf of a user (aka "proxy" in CAS terminology), without direct contact between the user and the "target". I have looked at various authentication options (oauth, openid, http auth, ...), but only CAS seems to offer this functionality.

Am I missing something here? Is this kind of functionality so unique that none of the other protocols support it? This looks like a common usage scenario to me. CAS looks like a good option for my project, but I want to make sure that I'm not missing viable alternatives.

I hope someone with a better overview of the field can give me some insight here.

Kind regards,

Arjohn Kampman
