Hi Marvin,
you are right to point this out. Sometimes I forget about the
decentralized nature of CAS. I will just use the SAML attributes, which I
had already tried successfully in some previous testing of the system.
Thanks,
Giuseppe
Marvin Addison wrote:
1) Is it possible to use LDAP groups in CAS as a way of limiting/allowing
user access?
It sounds like you are describing a centralized authorization system,
for which CAS has no direct support. The CAS authorization model is
decentralized: services are responsible for making their own
authorization decisions. CAS can facilitate authorization by
providing data via the SAML attribute release feature,
http://www.ja-sig.org/wiki/display/CASUM/Attributes.
It's straightforward to send group membership data from your LDAP via
attribute release and let your CAS-enabled services make authorization
decisions. We do this and it works splendidly.
2) Is it possible to define user exclusion lists?
Again, this is a concern for each CAS-enabled service.
M
--
____________________________________
Giuseppe Sollazzo
Systems developer and administrator
Computing Services
Information Services
St. George's, University Of London
Cranmer Terrace
London SW17 0RE
Email: [email protected]
Direct Dial: +44 20 8725 5160
Fax: +44 20 8725 3583
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
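The pattern Marvin describes, as an added illustration that is not part of the thread: the CAS server releases LDAP group membership as a SAML 1.1 attribute, and the CAS-enabled service parses it and applies its own allow-list and user exclusion list. The assertion below is a constructed sample (the attribute name "memberOf", the group DNs and the user are made up), and the policy functions are hypothetical service-side code, not part of CAS itself.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample: the kind of AttributeStatement a CAS server releases
# to a service over /samlValidate. User and group DNs are made up.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML1}">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="memberOf">
      <saml:AttributeValue>cn=staff,ou=groups,dc=example,dc=org</saml:AttributeValue>
      <saml:AttributeValue>cn=wiki-editors,ou=groups,dc=example,dc=org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="mail">
      <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_attributes(assertion_xml):
    """Return (principal, {attribute_name: [values]}) from a SAML 1.1 assertion."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML1}
    stmt = ".//saml:AttributeStatement"
    principal = root.findtext(stmt + "/saml:Subject/saml:NameIdentifier", namespaces=ns)
    attrs = {}
    for attr in root.iterfind(stmt + "/saml:Attribute", ns):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", ns)]
        attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return principal, attrs


def authorize(principal, attrs, allowed_groups, denied_users):
    """Hypothetical service-side policy: the exclusion list wins, then the
    user must be in at least one allowed group (DN comparison is case-insensitive)."""
    if principal is None or principal.lower() in {u.lower() for u in denied_users}:
        return False
    groups = {g.lower() for g in attrs.get("memberOf", [])}
    return any(g.lower() in groups for g in allowed_groups)


if __name__ == "__main__":
    who, released = parse_attributes(SAMPLE_ASSERTION)
    ok = authorize(who, released, ["cn=staff,ou=groups,dc=example,dc=org"], ["mallory"])
    print(who, "allowed" if ok else "denied")
```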