Hi Dave,

The solution is based on a new JSON-based Services Registry and some
custom logic in the login flow.  The JSON services config specifies
which user attributes must be present in order to grant a service
ticket.  If the user is unauthorized they get redirected to an
unauthorizedRedirectUrl.

The JSON looks like this:

        {
                "services":[
                        {
                                "id":"1",
                                "serviceId":"https://www.google.com",
                                "name":"GOOGLE",
                                "description":"Test Google service",
                                "extraAttributes":{
                                        "authzAttributes":{
                                                "eduPersonAffiliation":["student_current", "alumni"]
                                        },
                                        "unauthorizedRedirectUrl":"https://www.google.com?q=un"
                                }
                        }
                ]
        }

This says the user must have an eduPersonAffiliation of either
student_current or alumni, otherwise they get redirected to
https://www.google.com?q=un.

The JSON Registry is available here:
https://github.com/Unicon/cas-addons/tree/master/src/main/java/net/unicon/cas/addons/serviceregistry

Hopefully we'll have a session on this at the Jasig/Sakai conference in June.

Best
Bill


On Fri, Apr 13, 2012 at 4:41 PM, David Costrini <[email protected]> wrote:
> Hi Bill,
> I'm interested in seeing how Unicon/Fordham is implementing RBAC -- if
> you have any docs or samples and were willing to share, it would be
> greatly appreciated!
>
> Thanks,
> Dave
>
> On Tue, Mar 13, 2012 at 4:29 PM, William G. Thompson, Jr.
> <[email protected]> wrote:
>> Hi Ben,
>>
>> One way is to implement RBAC for CAS protected services by controlling
>> who can get STs for which services.
>> Fordham is implementing this now with help from Unicon.  We
>> implemented this as a standard maven overlay extension to stock CAS
>> 3.4.11.  I'd be happy to go into more details if there is interest.
>>
>> By the way we implemented something similar for Shib IdPv2 last summer
>> in partnership with the University of Wisconsin - Madison.
>> http://events.internet2.edu/2011/fall-mm/agenda.cfm?go=session&id=10001976&event=1148
>>
>> Best,
>> Bill
>>
>>
>> On Tue, Mar 13, 2012 at 11:38 AM, Ben Branch <[email protected]> wrote:
>>> I have my CAS environment up and running.  Serving only a few services at
>>> the moment and none of them are in production yet.  So, now my question is,
>>> what is the easiest way to control access to the services?  Since some
>>> applications create a user name on the application end upon logging in, do
>>> we want the application admin to control the access to these services?  Or
>>> is there another way to do this that allows us to exert greater control over
>>> who uses the applications?
>>>
>>> Again, everyone’s help on here is greatly appreciated.
>>>
>>> Many thanks in advance,
>>>
>>> Ben Branch
>>> Sun Administrator
>>> University of Central Oklahoma
>>> ITIL Foundation v3, Network+
>>> 100 N. University Drive, Box 122
>>> Edmond, OK 73034
>>> D: 405.974.2649 | M: 405.550.6804 | [email protected] | www.uco.edu
>>>
>>> “If you wish to know your past, look at your present conditions.  If you
>>> wish to know your future, look at your present actions.”  - Siddhartha
>>> Gautama
>>>
>>> **Bronze+Blue=Green** The University of Central Oklahoma is Bronze, Blue,
>>> and Green! Please print this e-mail only if absolutely necessary!
>>>
>>> **CONFIDENTIALITY** -This e-mail (including any attachments) may contain
>>> confidential, proprietary and privileged information. Any unauthorized
>>> disclosure or use of this information is prohibited.
>>>
>>> --
>>> You are currently subscribed to [email protected] as:
>>> [email protected]
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>

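As an added illustration that is not part of Bill's message or of the Unicon cas-addons code: a standalone Python sketch of the decision the JSON config above implies, i.e. which principal attributes allow a service ticket to be issued and where the user is sent otherwise. The second service entry (the wiki.example.edu host), the function names and the attribute matching rule are assumptions made here; real CAS registries match serviceId with Ant-style patterns, which is simplified below to an exact or path-prefix match.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample config in the shape of the JSON shown in the message
# above. The second entry is an assumption, added to show a service that
# carries no attribute requirement.
SERVICES_JSON = """
{
  "services": [
    {
      "id": "1",
      "serviceId": "https://www.google.com",
      "name": "GOOGLE",
      "description": "Test Google service",
      "extraAttributes": {
        "authzAttributes": {
          "eduPersonAffiliation": ["student_current", "alumni"]
        },
        "unauthorizedRedirectUrl": "https://www.google.com?q=un"
      }
    },
    {
      "id": "2",
      "serviceId": "https://wiki.example.edu",
      "name": "WIKI",
      "description": "Open to every authenticated user (hypothetical)",
      "extraAttributes": {}
    }
  ]
}
"""


def load_services(text: str) -> List[Dict[str, Any]]:
    """Parse the registry document and return its service entries."""
    return json.loads(text)["services"]


def find_service(services: List[Dict[str, Any]], service_url: str) -> Optional[Dict[str, Any]]:
    """Locate the registry entry for a requested service URL.

    Simplification (assumption): exact match on serviceId, or the requested
    URL lives under the serviceId path. Real CAS uses Ant-style patterns.
    """
    for svc in services:
        base = svc["serviceId"].rstrip("/")
        if service_url == base or service_url.startswith(base + "/"):
            return svc
    return None


def _as_set(value: Any) -> set:
    """Normalise a single-valued or multi-valued attribute to a set."""
    if value is None:
        return set()
    if isinstance(value, (list, tuple, set)):
        return set(value)
    return {value}


def authorize(service: Dict[str, Any], principal_attrs: Dict[str, Any]) -> Tuple[bool, Optional[str]]:
    """Return (granted, redirect_url).

    Every attribute named under authzAttributes must be present on the
    principal with at least one of the permitted values. A missing attribute
    or an empty intersection denies, and the denial carries the operator
    configured unauthorizedRedirectUrl (None if the config has none).
    """
    extra = service.get("extraAttributes") or {}
    required = extra.get("authzAttributes") or {}
    redirect = extra.get("unauthorizedRedirectUrl")
    for attr, permitted in required.items():
        if not (_as_set(principal_attrs.get(attr)) & _as_set(permitted)):
            return False, redirect
    return True, None


def decide(services: List[Dict[str, Any]], service_url: str,
           principal_attrs: Dict[str, Any]) -> Tuple[bool, Optional[str]]:
    """Full decision for one ST request: unregistered services never get a
    ticket and have no redirect target; registered ones go through authorize()."""
    svc = find_service(services, service_url)
    if svc is None:
        return False, None
    return authorize(svc, principal_attrs)


if __name__ == "__main__":
    registry = load_services(SERVICES_JSON)
    print(decide(registry, "https://www.google.com", {"eduPersonAffiliation": ["staff"]}))
```

Two points worth keeping in mind with this shape of config: the redirect target comes from the operator-controlled registry file, not from anything in the request, so it does not open a redirect the client can steer; and a principal that simply lacks the attribute is treated the same as one with a non-matching value, so a release policy that withholds eduPersonAffiliation will lock everyone out of the service rather than let them through.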
