All CAS does is provide a ticket asserting that someone really is who they say they are, and respond to subsequent validation requests to access services. That's the authentication bit (who are you?).
What you're asking about is authorization: when someone is allowed to do something, what those somethings are, and where those allowances are valid. There are lots of ways you could handle that, which is heavily dependent on how you handle identity management, service and account provisioning, etc. Here are a few scenarios, all of which I think we have here at my university in one form or another.

System1 may have its own, completely independent methods for creating users, assigning groups, and performing auth checks. All it uses CAS for is determining who you are. At login time, System1 would look at the userid on the CAS ticket, and query its own database to decide whether Sally is allowed in, if she's an admin, etc. Once Sally's in, she would use System1's internal user management tools to set up John's account, make him an admin, etc. Our CMS works somewhat like this.

System5 may use CAS for login, and also be configured to consume some custom attributes that CAS sends with its ticket. Maybe it gets a list of what groups the user is in. If System5 trusts that all valid CAS users are potential System5 users, then it might just provision accounts automatically at first login (our portal does that). If the group information that CAS provides maps directly to authorization levels (e.g., SYSTEM5_ADMIN, SYSTEM5_USER), then it could use that info for its auth checks (I think our wiki does that).

Lastly, an application may use an LDAP system to determine authorization roles, or maybe use some other authorization broker (like Internet2's Signet, which is defunct, so it's a bad example). We have some systems that are basically slaved to the groups in an LDAP directory, which in turn derives its groups from our core ERP system.

Does that help at all?
-Aaron
---------------------------------
Aaron Fuleki
Senior Web Architect
Denison University
740.587.5752
---------------------------------
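To make the "System5" scenario above concrete, here is an added example (not from Aaron's post or from any CAS project code) of what the relying application does after CAS has answered the question "who is this?": it parses the serviceValidate response, pulls the group attribute out, and maps only the groups it recognises to its own roles, denying by default. The XML samples are constructed, and the attribute name `memberOf` and the group-to-role table are assumptions about how a given deployment would be configured.

```python
import xml.etree.ElementTree as ET

# Namespace used by the CAS protocol's serviceValidate response.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample of a CAS 3.0 /serviceValidate success, with group attributes.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>sally</cas:user>
    <cas:attributes>
      <cas:memberOf>SYSTEM5_ADMIN</cas:memberOf>
      <cas:memberOf>SYSTEM5_USER</cas:memberOf>
      <cas:memberOf>CMS_EDITOR</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample of a rejected ticket.
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

# Application-local policy (assumed): which CAS groups grant which roles in this app.
# Groups not listed here (e.g. CMS_EDITOR) confer nothing, so other systems' groups are inert.
GROUP_TO_ROLE = {"SYSTEM5_ADMIN": "admin", "SYSTEM5_USER": "user"}


def parse_validation(xml_text, group_attr="memberOf"):
    """Authentication step: return (user, groups) on success, or None if CAS rejected the ticket."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None  # authenticationFailure (or unexpected document): not authenticated
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    if not user:
        return None
    members = success.findall(f"cas:attributes/cas:{group_attr}", CAS_NS)
    groups = {m.text.strip() for m in members if m.text and m.text.strip()}
    return user, groups


def authorize(xml_text):
    """Authorization step: map the authenticated identity to this app's roles.

    Returns None when not authenticated; an empty role set means the user is a
    valid CAS user but has no standing in this application (deny by default)."""
    parsed = parse_validation(xml_text)
    if parsed is None:
        return None
    user, groups = parsed
    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    return user, roles
```

Whether a user with an empty role set gets auto-provisioned as a plain user or turned away is the policy decision the post describes; the code above only surfaces it.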
