Hi Pietro,

With the .NET CAS client, anyone who can authenticate against your LDAP passes the authentication step. User.Identity.Name contains the username that authenticated against the LDAP server after the redirect to the CAS server. In academic environments, this potentially includes students, faculty, staff, etc. For apps where I need to restrict access to one or more of those groups, I generally use an ASP.NET RoleProvider that deals with restricting the total pool of users down to the users who are authorized to access the site. For example, an app that is for faculty/staff only will put faculty and staff in the 'Users' role and students won't be assigned any roles. Your app can be configured to require that everyone be in the 'Users' role to access anything on the site.

This check is typically done against a database (see SqlRoleProvider, OracleRoleProvider, etc.), but could be a flat file (ReadOnlyXmlRoleProvider). It's relatively straightforward to write a custom role provider (http://msdn.microsoft.com/en-us/library/8fw7xh74.aspx). If you decide to go that route, pay close attention to which exceptions to throw. The providers are shared among all requests, so pay attention to the thread safety blurb at the end. This might be a viable option if you want your ASP.NET app and PHP app to share the same subset of users.

I use CAS for authentication only (i.e., are you who you say you are?). The RoleProvider provides support for authorization (i.e., are you allowed to access this resource?). Depending on how your PHP application was written, you may be able to take the same type of approach in PHP without major surgery.

-ScottH

-----Original Message-----
From: Pietro [mailto:[email protected]]
Sent: Wednesday, July 06, 2011 2:30 AM
To: [email protected]
Subject: [cas-user] CAS Best Practice with multiple web application

Hi,

I would like to know if there is any advice or best practice for using CAS in this scenario: I have at least two web applications, WebApp1 (ASP.NET) and WebApp2 (PHP), each with its own user database. If I need to use CAS as SSO and get the user authenticated in both web applications when they log in to one of them, what is the best practice: have one single user database or LDAP for the two WebApps, or every WebApp has its own user database and uses proxy auth, or use multiple authenticationHandlers?

Thanks in advance.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
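The custom RoleProvider approach Scott describes (CAS answers "who are you", the provider answers "are you allowed in"), written out as an added example. This is not code from the thread or from the CAS project; it is a minimal read-only provider that grants a single 'Users' role to a fixed list of usernames read from a hypothetical `authorizedUsers` attribute in web.config. The state is built once in Initialize() and never mutated, which is what makes the shared provider instance safe across concurrent requests; write operations throw NotSupportedException rather than silently succeeding, following the guidance to be deliberate about which exceptions a provider raises.

```csharp
// Added example, not Scott's or the CAS project's code: a read-only ASP.NET
// RoleProvider that puts a fixed set of CAS-authenticated usernames
// (User.Identity.Name) into the 'Users' role and everyone else into no role.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration.Provider;
using System.Web.Security;

public class StaticUsersRoleProvider : RoleProvider
{
    // Role name referenced by the site's <authorization> rules (assumed constant).
    public const string AuthorizedRole = "Users";

    // Populated once in Initialize() and never written again, so concurrent
    // reads from many request threads are safe without locking.
    private HashSet<string> _authorizedUsers;

    public override string ApplicationName { get; set; }

    public override void Initialize(string name, NameValueCollection config)
    {
        if (config == null) throw new ArgumentNullException("config");
        if (string.IsNullOrEmpty(name)) name = "StaticUsersRoleProvider";
        base.Initialize(name, config);

        // Hypothetical provider attribute, e.g. authorizedUsers="alice|bob|carol".
        string list = config["authorizedUsers"] ?? string.Empty;
        _authorizedUsers = new HashSet<string>(
            list.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries),
            StringComparer.OrdinalIgnoreCase);
        config.Remove("authorizedUsers");

        ApplicationName = config["applicationName"] ?? "/";
        config.Remove("applicationName");

        // Anything left over is a misconfiguration; fail loudly at startup.
        if (config.Count > 0)
            throw new ProviderException("Unrecognized attribute: " + config.GetKey(0));
    }

    public override string[] GetRolesForUser(string username)
    {
        if (string.IsNullOrEmpty(username)) return new string[0];
        return _authorizedUsers.Contains(username) ? new[] { AuthorizedRole } : new string[0];
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return RoleExists(roleName) && !string.IsNullOrEmpty(username)
            && _authorizedUsers.Contains(username);
    }

    public override bool RoleExists(string roleName)
    {
        return string.Equals(roleName, AuthorizedRole, StringComparison.OrdinalIgnoreCase);
    }

    public override string[] GetAllRoles() { return new[] { AuthorizedRole }; }

    public override string[] GetUsersInRole(string roleName)
    {
        return RoleExists(roleName) ? new List<string>(_authorizedUsers).ToArray() : new string[0];
    }

    public override string[] FindUsersInRole(string roleName, string usernameToMatch)
    {
        if (!RoleExists(roleName)) return new string[0];
        var matches = new List<string>();
        foreach (string u in _authorizedUsers)
            if (u.IndexOf(usernameToMatch ?? string.Empty, StringComparison.OrdinalIgnoreCase) >= 0)
                matches.Add(u);
        return matches.ToArray();
    }

    // The provider is read-only: refuse writes explicitly instead of pretending they worked.
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
}

/* Wiring in web.config (assumed layout; the attribute names are this example's own):

   <system.web>
     <roleManager enabled="true" defaultProvider="StaticUsers">
       <providers>
         <clear/>
         <add name="StaticUsers" type="StaticUsersRoleProvider"
              authorizedUsers="alice|bob|carol"/>
       </providers>
     </roleManager>
     <authorization>
       <allow roles="Users"/>
       <deny users="*"/>
     </authorization>
   </system.web>

   With the CAS client supplying the authenticated identity, the <authorization>
   element then rejects anyone who authenticated but is not in the 'Users' role. */
```

The important property is the split Scott draws: the CAS redirect only establishes the username, and the `<deny users="*"/>` rule combined with `<allow roles="Users"/>` is what turns "authenticated" into "authorized". Swapping the in-memory set for a database or XML source (as SqlRoleProvider and ReadOnlyXmlRoleProvider do) changes only Initialize() and the two lookup methods.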
