I started a project like this in Finland :) I think the matter itself can
be very complex if you are not familiar with part of them, but believe
me, I moved from test to production last week in 2 hours reconfiguring
everything from scratch.
If you need help, we are here, this community is very active and very
reactive to any request.

Stefano


-----Original Message-----
From: Pasi Kallioniemi [mailto:[email protected]] 
Sent: Tuesday, 01 June, 2010 15:20
To: [email protected]
Subject: Re: [cas-user] CAS and autoauthentication (with AD)

Stefano, this was an excellent explanation!
It's surprisingly hard to find a simple emptying explanation like
this from the web. I would imagine that this described scenario is
pretty normal with people working with enterprises.

I think we will try this out, next thing is then to get all this 
configured :).

Thank you for the help.

Best Regards, Pasi

Bracco Stefano wrote:
> I forgot to add that in all this big design (probably this will clarify
> all), Kerberos will continue to exist in your AD Domain, it is just one
> of the two authentication types you will have to use authentication in
> windows (Kerberos or NTLM, Kerberos is what Microsoft suggests to use,
> also for performance reasons), SPNEGO will be used to retrieve
> credentials from the Windows machine, and they will be passed
> automatically to CAS, which will be able to connect to AD (using an LDAP
> client, so the AD is considered an Authentication Provider), check
> authentication is still valid, retrieve your attributes (if any is
> needed by the application), check if that service you are going to be
> redirected is "CAS Enabled", in the case everything is positive, will
> redirect you to the service adding information about your UserID and
> eventually attributes.
> By the way, obviously if you are already logged in and you move to another
> Web Site, no need to check credentials, the web site will redirect you
> to CAS, the CAS system will give you back just another ticket in which
> is saved the information that you have been already logged in via CAS,
> and that you are granted to access to the other service, all these
> operations will be transparent to you and to final user, which is
> exactly what you need to have. 
> Anyway to implement the first test it took three days for me, but do not
> get confused by all the terms, CAS is simple, reliable and very elegant
> in the way it works, it is just a matter to have some building blocks,
> in particular an Authentication Provider (AD), a store where we map
> available and enabled services (we have oracle DB, but we could have
> nothing), the CAS server, the client installed on the web site (usually
> an httpModule or filter on a Web App).
>
> Let me know if you want to have more information.
>
> Stefano
>
>
>  
>
> -----Original Message-----
> From: Pasi Kallioniemi [mailto:[email protected]] 
> Sent: Tuesday, 01 June, 2010 14:16
> To: [email protected]
> Subject: [cas-user] CAS and autoauthentication (with AD)
>
> Hello all,
> this may be a newbie question but I have a hard time finding a solution for
> our scenario.
> Maybe someone here has pointers on is this possible to accomplish with
> CAS (or am I totally lost :) ):
>
> Scenario:
> - We have a user logged in company Active Directory network
> - The company has multiple web systems to be added under SSO.
> - As the user is logged into his machine (and is authenticated to
> company Infra network), the user would not want to input again
> username/password to ANY login page.
> - Instead the user would like to point his/her browser to some address
> and get inside the system he wants.
> - The authentication would be done automatically against the user's
> browser.
>
> We have accomplished the previous example for one system by doing some
> windows integrated authentication (with IIS+windows authentication+IE),
> but would like to have a more general way to have n-systems (on
> java&.net platform) working like this. Perhaps one possibility is to use
> CAS?
>
> Questions:
> - If I have understood correctly in the wiki, CAS can be integrated with
> for example for authenticating against AD, or some other source. So
> adding n-systems under SSO and authenticate users against AD would be ok
> with a single login page.
>
> - But is it necessary always to have the CAS login page? Is it possible
> to configure CAS to autoauthenticate user browser against AD? So the
> user logged inside AD would point browser to
> "https://caslogin.intra/?service=https://other_server/application1" and
> cas would authenticate the user and redirect to the actual application.
> If this scenario is possible with CAS, what would be the configuration?
> I'm a little bit lost with the need for such protocols as SPNEGO and
> Kerberos (when would you use spnego or kerberos?).
>
> I hope that I was not too confusing with this question, and thank you 
> for any input.
>
> Best Regards, Pasi
>
>
>   


-- 
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
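
Added example, not part of the original thread and not code from the CAS project: a Python model of the login flow described above (Negotiate challenge, Kerberos versus NTLM token, service registry check, ticket redirect). The registry contents, the function names and the accepted_user parameter are assumptions, and the token check is a byte-level heuristic rather than a full ASN.1 parse.

```python
import base64
import secrets
from urllib.parse import urlsplit

# DER-encoded GSS-API mechanism OIDs.
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2
NTLMSSP_SIG = b"NTLMSSP\x00"

# Constructed registry standing in for the store of enabled services.
REGISTERED_SERVICES = {"https://other_server/application1"}


def classify_negotiate(header):
    """Heuristic look at an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = (header or "").partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "none"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:
        return "invalid"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"  # client fell back from Kerberos to raw NTLM
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        return "kerberos" if KRB5_OID in token else "spnego-other"
    return "invalid"


def service_is_registered(service):
    """Exact match on scheme, host and path; query string is ignored."""
    p = urlsplit(service)
    return f"{p.scheme}://{p.netloc}{p.path}" in REGISTERED_SERVICES


def handle_login(service, authorization, accepted_user=None):
    """Decide the response to one login request.

    accepted_user is an assumption: the principal a real GSS-API
    acceptor would return after validating the Kerberos token.
    """
    if not service_is_registered(service):
        return ("reject", None)        # no ticket for unknown services
    mech = classify_negotiate(authorization)
    if mech == "none":
        return ("challenge", "WWW-Authenticate: Negotiate")
    if mech != "kerberos" or accepted_user is None:
        return ("login_form", None)    # fall back to the CAS login page
    ticket = "ST-" + secrets.token_urlsafe(16)
    sep = "&" if "?" in service else "?"
    return ("redirect", f"{service}{sep}ticket={ticket}")
```

The service is checked against the registry before any token is examined, so an unregistered URL never receives a ticket or a redirect.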
