If your apps are aware of the roles, who has which roles, and the authorization rules for each role, then authentication doesn't really have anything to do with it. The user's ID will be passed along with the CAS ticket, and the app can look it up from there.
If the app is _not_ aware of role membership, then you could always pass that along as attributes, assuming your directory store (LDAP, AD, etc.) has them in a readable, mappable place for CAS to access. The CAS wiki has good stuff on setting up attributes. Your apps will still need to understand what each role is authorized to do, obviously. CAS just establishes their identity, with some possible bonus attributes.

-Aaron

On Sep 27, 2011, at 2:13 PM, bradford wrote:

> I have a few web applications that I'm trying to tie in via CAS, but I'm a little confused about the authorization, which I read CAS isn't supposed to do. Yet, I see something like groups, but don't know what they are.
>
> Anyway, my scenario is pretty common, and is as follows:
>
> We need to restrict access to each of our apps that are going to support SSO. Within each of our apps, there are roles. These roles are used to prevent certain users from accessing various parts of the site. In addition, admin users should be allowed to assign users access to the apps they are an admin of. Also, an admin of one system may not be an admin of another system. Is it possible to satisfy all of these scenarios with CAS? Or should I be looking at a completely different type of SSO?
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
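The split Aaron describes (CAS establishes identity and optionally releases directory attributes; each app decides what its own roles may do) looks like this on the application side. This is an added example, not code from the thread or from the CAS project: it parses a CAS /serviceValidate reply in the CAS 3.0 protocol layout (attributes under cas:attributes) and maps released memberOf groups to roles through a per-app table, so an admin of one app is only a user, or nobody, in another. The app names, group DNs and the APP_ROLE_MAP table are assumptions; the reply must of course come from the app's own HTTPS call to the CAS server, never from the browser.

```python
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"
# Constructed sample of a CAS /serviceValidate reply (CAS 3.0 protocol layout,
# where released directory attributes sit under <cas:attributes>).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>bradford</cas:user>
    <cas:attributes>
      <cas:memberOf>cn=timesheet-admins,ou=groups,dc=example,dc=org</cas:memberOf>
      <cas:memberOf>cn=wiki-users,ou=groups,dc=example,dc=org</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure></cas:serviceResponse>"""

# Hypothetical per-application tables mapping a directory group to a local role.
# Each app consults only its own table, so "timesheet" admin says nothing about "wiki".
APP_ROLE_MAP = {
    "timesheet": {"cn=timesheet-admins,ou=groups,dc=example,dc=org": "admin",
                  "cn=timesheet-users,ou=groups,dc=example,dc=org": "user"},
    "wiki": {"cn=wiki-admins,ou=groups,dc=example,dc=org": "admin",
             "cn=wiki-users,ou=groups,dc=example,dc=org": "user"},
}

def parse_validation(xml_text):
    """Return (user, {attribute: [values]}) or raise ValueError on failure."""
    root = ET.fromstring(xml_text)
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        raise ValueError("CAS rejected the ticket: %s" % failure.get("code"))
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None or success.findtext(CAS_NS + "user") is None:
        raise ValueError("malformed CAS response")
    attrs = {}
    for el in success.findall(CAS_NS + "attributes/*"):
        attrs.setdefault(el.tag.replace(CAS_NS, ""), []).append((el.text or "").strip())
    return success.findtext(CAS_NS + "user"), attrs

def roles_for(app, attrs):
    """Roles the identified user holds in one app; groups not in its table are ignored."""
    table = APP_ROLE_MAP.get(app, {})
    return {table[g] for g in attrs.get("memberOf", []) if g in table}

def validation_failed(xml_text):
    try:
        parse_validation(xml_text)
        return False
    except ValueError:
        return True
```

An app whose roles live in its own database would skip roles_for and look the user up by the cas:user value instead, which is Aaron's first option.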
