Thanks, Aaron. Sorry. I seem to be having a hard time grasping the big picture.
Let's say that I have 10 separate systems that need SSO. I have a new CAS server. I have an empty LDAP server. I, Bradford, oversee the whole system. Sally Smith needs access to System 1 and System 5 as an admin. How should her account be created so that she has access to only these two systems? Now John Doe needs access to System 1 as a user (non-admin) account. How does John Doe get created? And how does Sally Smith give John Doe access to System 1 as a non-admin account?

Thanks,
Bradford

On Tue, Sep 27, 2011 at 2:19 PM, Aaron Fuleki <[email protected]> wrote:
> If your apps are aware of the roles, who has which roles, and the
> authorization rules for each role, then authentication doesn't really have
> anything to do with it. The user's ID will be passed along with the CAS
> ticket, and the app can look it up from there.
>
> If the app is _not_ aware of role membership, then you could always pass
> that along as attributes, assuming your directory store (LDAP, AD, etc.)
> has them in a readable, mappable place for CAS to access. The CAS wiki has
> good stuff on setting up attributes.
>
> Your apps will still need to understand what each role is authorized to do,
> obviously. CAS just establishes their identity, with some possible bonus
> attributes.
>
> -Aaron
>
> On Sep 27, 2011, at 2:13 PM, bradford wrote:
>
> > I have a few web applications that I'm trying to tie in via CAS, but I'm
> > a little confused about the authorization, which I read CAS isn't supposed
> > to do. Yet, I see something like groups, but don't know what they are.
> >
> > Anyway, my scenario is pretty common, and is as follows:
> >
> > We need to restrict access to each of our apps that are going to support
> > SSO. Within each of our apps, there are roles. These roles are used to
> > prevent certain users from accessing various parts of the site. In addition,
> > admin users should be allowed to assign users access to the apps they are an
> > admin of. Also, an admin of one system may not be an admin of another
> > system. Is it possible to satisfy all of these scenarios with CAS? Or should
> > I be looking at a completely different type of SSO?

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
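The following is an added example, not code from this thread or from the CAS project, that walks Bradford's scenario through the split Aaron describes: CAS authenticates the user and (if attribute release is configured) hands the application the user's ID plus attributes; each application derives its own roles from those attributes and enforces them itself. The LDAP group naming convention (`cn=<app>-<role>,ou=groups,dc=example,dc=com`), the in-memory stand-in for the directory, and the `memberOf` attribute name are assumptions; the serviceValidate responses are constructed to match the shape of a CAS 3.0 protocol response.

```python
"""
Added example (not from the cas-user thread or the CAS project).

CAS establishes identity and optionally releases attributes; authorization
stays in the application. Group DNs, the memberOf attribute name and the
in-memory directory below are assumptions made for the example.
"""
import re
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}   # namespace used by CAS protocol responses
BASE_DN = "ou=groups,dc=example,dc=com"          # assumed group container in the new LDAP server

# In-memory stand-in for the LDAP group tree: group CN -> set of member uids.
# Assumed convention: one group per application and role, named <app>-<role>.
# Sally is admin of system1 and system5; John is a plain user of system1.
DIRECTORY = {
    "system1-admin": {"ssmith"},
    "system5-admin": {"ssmith"},
    "system1-user": {"jdoe"},
}

def member_of(uid):
    """DNs that CAS would release as the user's memberOf attribute."""
    return [f"cn={g},{BASE_DN}" for g, members in DIRECTORY.items() if uid in members]

def cas_service_response(uid):
    """Constructed CAS 3.0 serviceValidate success response for uid, i.e. what the
    application fetches from the CAS server after validating the service ticket."""
    attrs = "".join(f"<cas:memberOf>{dn}</cas:memberOf>" for dn in member_of(uid))
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS["cas"]}">'
            f"<cas:authenticationSuccess><cas:user>{uid}</cas:user>"
            f"<cas:attributes>{attrs}</cas:attributes>"
            "</cas:authenticationSuccess></cas:serviceResponse>")

# Constructed failure response (bad or replayed ticket): the app must treat it as "not logged in".
CAS_FAILURE_RESPONSE = (f'<cas:serviceResponse xmlns:cas="{CAS_NS["cas"]}">'
                        '<cas:authenticationFailure code="INVALID_TICKET">'
                        "Ticket ST-1-example not recognized</cas:authenticationFailure>"
                        "</cas:serviceResponse>")

def parse_cas_response(xml_text):
    """Parse a serviceValidate response. Returns (user, {attr: [values]}) on
    authenticationSuccess and None on authenticationFailure."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None
    user = success.findtext("cas:user", namespaces=CAS_NS)
    attrs = {}
    attr_node = success.find("cas:attributes", CAS_NS)
    if attr_node is not None:
        for child in attr_node:
            name = child.tag.split("}")[-1]      # strip the XML namespace
            attrs.setdefault(name, []).append(child.text or "")
    return user, attrs

GROUP_RE = re.compile(r"^cn=(?P<app>[a-z0-9]+)-(?P<role>[a-z]+)," + re.escape(BASE_DN) + "$", re.I)

def roles_for(app, attrs):
    """Application-side authorization: this app's roles, derived from memberOf.
    Groups of other apps are ignored, so admin of system5 means nothing in system1."""
    roles = set()
    for dn in attrs.get("memberOf", []):
        m = GROUP_RE.match(dn)
        if m and m.group("app").lower() == app:
            roles.add(m.group("role").lower())
    return roles

def can_access(app, attrs):
    """A user without any role in this app is denied even though CAS logged them in."""
    return bool(roles_for(app, attrs))

def grant(actor_attrs, app, target_uid, role):
    """An admin of `app` adds target_uid to that app's role group. Refused unless
    the actor holds the admin role in this particular app. In production this is
    an LDAP modify adding the target's DN to the group's member attribute; here
    it updates the in-memory stand-in."""
    if "admin" not in roles_for(app, actor_attrs):
        return False
    DIRECTORY.setdefault(f"{app}-{role}", set()).add(target_uid)
    return True

if __name__ == "__main__":
    user, sally = parse_cas_response(cas_service_response("ssmith"))
    print(user, "system1:", roles_for("system1", sally), "system2:", roles_for("system2", sally))
    print("sally grants jdoe user on system2:", grant(sally, "system2", "jdoe", "user"))
    print("sally grants jdoe admin on system1:", grant(sally, "system1", "jdoe", "admin"))
```

The response the application validates must be fetched by the application itself, over TLS, from the CAS server's serviceValidate endpoint; the user's browser only ever carries the ticket. Nothing in the flow above asks CAS to make an authorization decision: the LDAP groups are data, CAS relays them, and each application decides what the group names mean for it.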
