The CAS clients don't necessarily need to support ClearPass - as long as they support proxy tickets, they can get the user's credentials from ClearPass. Your app just needs to request a proxy ticket for the user and then access https://cas-server/cas/clearPass on their behalf. The response will be an XML document containing the user's clear-text password:

    <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
        <cas:clearPassSuccess>
            <cas:credentials>actual_password</cas:credentials>
        </cas:clearPassSuccess>
    </cas:clearPassResponse>

Of the "official" clients, I think mod_auth_cas is the only one that doesn't support proxy tickets - unfortunately, that's the client that makes the most sense for this use case. It would be nice to have the entire ClearPass interaction handled by mod_auth_cas and then inject the 'Authorization' header into the HTTP request. People spend big bucks on solutions like BIG-IP and Microsoft UAG for similar functionality.

-Eric

On Tue, Aug 28, 2012 at 12:15 PM, Nathan Kopp <[email protected]> wrote:
>
> I've been reviewing ClearPass and I'm finding a lot of good information about the server side, but not much about support for the protocol in the standard CAS clients. What I'm hoping to find is an easy way to set up an HTTP reverse proxy (similar to a software load balancer) that contains a CAS client supporting ClearPass. The reverse proxy performs CAS authentication, retrieves the password via ClearPass, and then passes the credentials to the proxied server via BASIC AUTH. This would be a very useful setup that could enable nearly drop-in CAS support for any application that supports basic auth. Is anyone doing this sort of thing?
>
> -Nathan
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Eric Pierce
Identity Management Architect
Information Technology
University of South Florida
(813) 974-8868 -- [email protected]
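
Added example, not part of the original thread or of any CAS client: a sketch of the two steps a reverse proxy would run after fetching the ClearPass response, parsing the XML shown in the reply and building the Basic 'Authorization' value to pass upstream. The function names, the sample user "jdoe" and the sample password are assumptions constructed for illustration; obtaining the proxy ticket and making the HTTPS request are out of scope here.

```python
import base64
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace from the response quoted in the thread


class ClearPassError(Exception):
    """Raised when the response carries no usable credentials."""


def parse_clearpass(xml_text: str) -> str:
    """Return the password from a clearPassResponse, or raise ClearPassError."""
    # The response never needs a DTD; refusing one avoids entity-expansion input.
    if "<!DOCTYPE" in xml_text.upper():
        raise ClearPassError("DTD not allowed in ClearPass response")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ClearPassError(f"malformed XML: {exc}") from exc
    if root.tag != f"{{{CAS_NS}}}clearPassResponse":
        raise ClearPassError("unexpected root element")
    cred = root.find(f"{{{CAS_NS}}}clearPassSuccess/{{{CAS_NS}}}credentials")
    if cred is None or not cred.text:
        # Anything other than a populated success element is treated as failure.
        raise ClearPassError("no credentials in response")
    return cred.text


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value the proxy would inject upstream."""
    if ":" in username:
        # The first ':' separates user-id from password, so the user-id cannot hold one.
        raise ValueError("Basic auth user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


# Constructed sample response, same shape as the one quoted in the thread.
SAMPLE = (
    "<cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:clearPassSuccess><cas:credentials>s3cr:t&amp;pw</cas:credentials>"
    "</cas:clearPassSuccess></cas:clearPassResponse>"
)

if __name__ == "__main__":
    header = basic_auth_header("jdoe", parse_clearpass(SAMPLE))
    # Print only the scheme: the password and header value should never reach logs.
    print(header.split(" ", 1)[0])
```

Because the proxy ends up holding the clear-text password, the upstream hop carrying the Basic header needs TLS, and neither the ClearPass response nor the header should be written to access or debug logs.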
