> My pain point is: When a new tenant "tenant3.com" is coming, I have to
> add the new tenant into the CAS configuration file as below, and reboot
> Tomcat/CAS to reload the CAS configuration file. If I have 1000 tenants,
> do I have to add 1000 entries into the CAS configuration file?
Here are the alternatives in order of my recommendation:

1. Use a single handler with searchBase="dc=com" (I realize the scope of the search may allow authenticating users in tenants that are not equipped for SSO, but I'm fairly certain you could leverage a user attribute to tag SSO-capable users and craft a corresponding search query to filter them out.)
2. Develop a custom authentication handler that uses some simplified configuration to make it easier to include additional directory branches.
3. Do as you said: add a BindLdapAuthenticationHandler for each tenant as it comes online.

Before you do _any_ of these you ought to consider the security consequences of what you are attempting to do. I assume from the sketch of your use case that usernames are not globally unique since there would be no cause for uniqueness across tenants. (I assume each tenant corresponds to a distinct community such as an organization.) CAS requires globally unique usernames to provide security since clients receive the username exclusively by default, so clients are liable to be confused about which jsmith (a common English username) is meant when the service ticket validation response is received. You must send something globally unique to clients to identify users. For example, you might require the use of the SAML protocol to release a GUID attribute to clients in addition to username.

M

--
You are currently subscribed to cas-user as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
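An added illustration of option 1 and of the uniqueness warning above (example code written for this page, not CAS code from the thread or the project): a constructed in-memory directory stands in for LDAP, `ssoEnabled` is a hypothetical attribute used to tag SSO-capable users, and `entry_uuid` stands in for a directory-supplied globally unique id such as a GUID attribute.

```python
# Added example, not from the original thread: emulates a single handler
# searching under searchBase="dc=com" with a filter that keeps only
# accounts tagged as SSO-capable, and shows why a bare username is not a
# safe identifier to hand to clients when several tenants share it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    dn: str            # e.g. uid=jsmith,ou=people,dc=tenant1,dc=com
    uid: str
    sso_enabled: bool  # hypothetical "ssoEnabled" attribute tagging SSO users
    entry_uuid: str    # stands in for the directory's globally unique id


# Constructed sample data: tenant1 and tenant2 both have a "jsmith".
DIRECTORY = [
    Entry("uid=jsmith,ou=people,dc=tenant1,dc=com", "jsmith", True, "uuid-0001"),
    Entry("uid=jsmith,ou=people,dc=tenant2,dc=com", "jsmith", True, "uuid-0002"),
    Entry("uid=alice,ou=people,dc=tenant2,dc=com", "alice", False, "uuid-0003"),
    Entry("uid=bob,ou=people,dc=tenant3,dc=com", "bob", True, "uuid-0004"),
]


def tenant_of(dn: str) -> str:
    """Rebuild the tenant domain (e.g. tenant1.com) from the DN's dc= parts."""
    return ".".join(p.split("=", 1)[1] for p in dn.split(",") if p.startswith("dc="))


def in_scope(base: str) -> list:
    """Entries a subtree search under `base` would consider."""
    return [e for e in DIRECTORY if e.dn.endswith("," + base)]


def search(base: str, uid: str, require_sso: bool = True) -> list:
    """Emulate the filter (&(uid=%u)(ssoEnabled=TRUE)) under `base`;
    with require_sso=False it degrades to the plain (uid=%u) filter."""
    return [e for e in in_scope(base)
            if e.uid == uid and (e.sso_enabled or not require_sso)]


def ambiguous_usernames(base: str) -> set:
    """Usernames that map to more than one SSO-capable account under `base`,
    i.e. exactly the "which jsmith?" problem a client would face."""
    seen = {}
    for e in in_scope(base):
        if e.sso_enabled:
            seen.setdefault(e.uid, []).append(e)
    return {uid for uid, entries in seen.items() if len(entries) > 1}


def client_identity(entry: Entry) -> dict:
    """Attributes to release to a client: the username plus a globally
    unique id and the tenant, so the principal is unambiguous."""
    return {"username": entry.uid, "guid": entry.entry_uuid, "tenant": tenant_of(entry.dn)}
```

With `searchBase="dc=com"` the username `jsmith` matches two SSO-capable accounts, while narrowing the base to one tenant yields a single match; `client_identity` shows the extra attributes that make the principal unique either way.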
