The CAS clients don't necessarily need to support ClearPass - as long as
they support proxy tickets, they can get the user's credentials from
ClearPass.  Your app just needs to request a proxy ticket for the user and
then access https://cas-server/cas/clearPass on their behalf.  The response
will be an XML document containing the user's clear-text password:
<cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:clearPassSuccess>
        <cas:credentials>actual_password</cas:credentials>
    </cas:clearPassSuccess>
</cas:clearPassResponse>

Of the "official" clients, I think mod_auth_cas is the only one that
doesn't support proxy tickets - unfortunately, that's the client that makes
the most sense for this use case.  It would be nice to have the entire
ClearPass interaction handled by mod_auth_cas and then inject the
'Authorization' header into the HTTP request.  People spend big bucks on
solutions like BIG-IP and Microsoft UAG for similar functionality.

 -Eric

On Tue, Aug 28, 2012 at 12:15 PM, Nathan Kopp <[email protected]> wrote:
>
> I've been reviewing ClearPass and I'm finding a lot of good information
> about the server side, but not much about support for the protocol in the
> standard CAS clients.  What I'm hoping to find is an easy way to set up an
> HTTP reverse proxy (similar to a software load balancer) that contains a
> CAS client supporting ClearPass.  The reverse proxy performs CAS
> authentication, retrieves the password via ClearPass, and then passes the
> credentials to the proxied server via BASIC AUTH.  This would be a very
> useful setup that could enable nearly drop-in CAS support for any
> application that supports basic auth.  Is anyone doing this sort of thing?
>
> -Nathan
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user




--
Eric Pierce
Identity Management Architect
Information Technology
University of South Florida
(813) 974-8868 -- [email protected]
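
The reverse-proxy step discussed in this thread (read the ClearPass XML, then inject an 'Authorization' header for the Basic-auth backend), as an added example that is not part of the original messages and is not CAS or mod_auth_cas code. The function names, the sample documents and the failure element name are assumptions; fetching the proxy ticket and calling /cas/clearPass are left out.

```python
import base64
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace used in the response above

# Constructed sample inputs. The failure element name is an assumption.
SAMPLE_OK = """<cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:clearPassSuccess>
        <cas:credentials>actual_password</cas:credentials>
    </cas:clearPassSuccess>
</cas:clearPassResponse>"""
SAMPLE_FAIL = """<cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:clearPassFailure>no credentials cached</cas:clearPassFailure>
</cas:clearPassResponse>"""


class ClearPassError(Exception):
    """No usable password could be extracted from the response."""


def parse_clearpass(xml_text):
    """Return the password from a clearPassResponse or raise ClearPassError."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ClearPassError("DTD not expected in a ClearPass response")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ClearPassError("malformed XML") from exc
    if root.tag != "{%s}clearPassResponse" % CAS_NS:
        raise ClearPassError("unexpected root element")
    node = root.find("{%s}clearPassSuccess/{%s}credentials" % (CAS_NS, CAS_NS))
    if node is None or not node.text:
        raise ClearPassError("response carries no credentials")
    return node.text


def upstream_headers(client_headers, username, clearpass_xml):
    """Build the header dict the proxy sends to the Basic-auth backend."""
    if ":" in username or any(ord(c) < 32 for c in username):
        raise ValueError("username not representable in Basic auth")
    password = parse_clearpass(clearpass_xml)
    if any(ord(c) < 32 for c in password):
        raise ClearPassError("control character in password")
    # Drop any Authorization header the browser sent, so the backend only
    # ever sees the identity CAS vouched for.
    out = {k: v for k, v in client_headers.items() if k.lower() != "authorization"}
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    out["Authorization"] = "Basic " + token.decode("ascii")
    return out
```

The exception messages never include the password or the raw XML, so they can be logged as they are.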
