OAM will see all of the applications secured by CAS as one application, so
the centralized authorization/auditing probably isn't as useful.  In your
OAM logs, you'll see that a user authenticated to CAS, but without parsing
the actual URL that was used, you won't be able to identify which CASified
application was being accessed.  I had the same issue with CAS-protected
Shibboleth (all Shib applications just showed up as a generic Shibboleth
URL), so I just wrote a Bash script to parse the actual service from the
Shibboleth logs and feed the data back into the CAS audit database.  You
may be able to do something similar to get the CAS logs into OAM for
auditing, but I expect the centralized authorization would be *really*
hard, if not impossible.

OAM is a great solution for enterprise applications that were made to use
it (i.e. Oracle/PeopleSoft applications), but it just doesn't seem flexible
enough to deal with the various services a typical HigherEd institution has
to work with.  As an example, we have about 130 production CAS services on
multiple platforms and written in just about every programming language you
can name.  I don't think you'd see the same type of support with OAM.

-Eric

On Mon, Sep 24, 2012 at 1:23 PM, Scott Spyrison <[email protected]> wrote:

> Hi Bill, Bertrand, Scott,
>
> First, thanks for the replies. I definitely hear you loud and clear on the
> added complexity and infrastructure overhead with anything Oracle.
>
> I love the flexibility of being able to CASify applications in addition to
> containers, and OAM is much more geared (out of the box) towards securing
> web servers. I also did a quick count of vendor applications we have either
> in-house or in the cloud, and came up with 5 that support CAS, 0 that
> support OAM, and 1 that might support OAM with significant work.  In other
> words, having CAS in our environment makes a great deal of sense.
>
> The OAM features that make me consider the additional complexity of
> integrating CAS with OAM are mainly centralized authorization policies,
> auditing and reporting.  There are fuzzier less specific ideas surrounding
> integration with other Oracle products like OIM and their Federation
> product.
>
> Appreciate the discussion and questions - I'm exploring the idea, but not
> married to it.  Seems like Oracle could solve my problem by implementing
> the CAS protocol in their suite :-)
>
> best,
> scott
>
> On Mon, Sep 24, 2012 at 9:17 AM, William G. Thompson, Jr. <[email protected]> wrote:
>
>> Hi Scott,
>>
>> Can you be more specific on features of OAM you are looking to
>> leverage?  What are the features/use cases that OAM is covering that
>> you won't get from a simple CAS deployment?
>>
>> Best,
>> Bill
>>
>>
>> On Sun, Sep 23, 2012 at 5:18 PM, Scott Spyrison <[email protected]> wrote:
>> > Hello,
>> >
>> > We are designing towards a number of identity and access initiatives, one of
>> > which is CAS.  I have a bit of a happy problem with CAS and Web SSO, and
>> > would welcome any comments/feedback from the list.
>> >
>> > CAS is basically synonymous with higher education at this point, and I want
>> > it in our environment.  It is supported by a number of vendors that we use,
>> > and it is a very elegant way to handle Web SSO for applications across the
>> > University.  My happy problem is that we also have a license for Oracle
>> > Access Manager vis-à-vis a converted Sun license, and if possible I would
>> > like to leverage OAM and related auditing capabilities in addition to CAS.
>> >
>> > I have reviewed a number of posts on this list about whether CAS can be
>> > "fronted" by something else, or whether CAS can trust or delegate
>> > authentication to another IdP.  I reviewed one specific post that said CAS
>> > could be used more like an application as opposed to an IdP, configured with
>> > the Trusted Authentication Handler, and fronted with an SP
>> > (http://jasig.275507.n4.nabble.com/Integrating-a-SAML-2-0-IdP-with-CAS-td254116.html).
>> >
>> > This led me to believe the same might be possible with OAM, for example:
>> >
>> > 1) Install Tomcat with CAS, front with Apache and mod_proxy or similar.  No
>> > direct access to Tomcat, only through proxy.
>> > 2) Configure CAS for Trusted Authentication.
>> > 3) Secure Apache with OAM, thereby securing CAS.
>> >
>> > Conceptually, CAS is like an application in this model, and it is secured
>> > with OAM's Apache module/WebGate.  Seems like it should work but I won't
>> > have much confidence until I can run through an end-to-end proof of concept.
>> >
>> > Has anyone else integrated CAS and OAM, and if so would you be willing to
>> > share any design or implementation details with me?
>> >
>> > best,
>> > scott
>> >
>> > --
>> > You are currently subscribed to [email protected] as:
>> > [email protected]
>> > To unsubscribe, change settings or access archives, see
>> > http://www.ja-sig.org/wiki/display/JSG/cas-user
>>


-- 
Eric Pierce
Identity Management Architect
Information Technology
University of South Florida
(813) 974-8868 -- [email protected]
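The attribution problem Eric describes above (a front-end such as OAM only sees a login to the CAS URL, so the CASified application has to be recovered from the request itself) can be solved by parsing the `service` parameter of the CAS login request out of the web server's access log. The following is an added example and is not Eric's Bash script, which the thread does not include; it assumes constructed Apache-style access log lines for the `/cas/login` endpoint, and the host names, user names and log lines are all made up for the example.

```python
"""Attribute CAS logins to the real application behind them.

Added example, not the script from the thread.  A front-end only sees
'/cas/login' as the protected resource, so the CASified application is
recoverable only from the 'service' query parameter of the request.  This
parses Apache-style access log lines (constructed, not real logs), extracts
the service, and tallies ticket issuance per service host so the result can be
fed into an audit store alongside the front-end's own records.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format.  Assumption: the
# Apache in front of Tomcat logs the full request line for /cas/login and the
# third field carries the authenticated user (REMOTE_USER).  The last line is a
# login with no 'service' parameter, which cannot be attributed to any app.
SAMPLE_LOG = """\
10.0.0.5 - alice [24/Sep/2012:13:01:02 -0400] "GET /cas/login?service=https%3A%2F%2Fportal.example.edu%2Flogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.6 - bob [24/Sep/2012:13:01:09 -0400] "GET /cas/login?service=https%3A%2F%2Flms.example.edu%2Fcas HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Sep/2012:13:01:15 -0400] "GET /cas/login?service=https%3A%2F%2Fportal.example.edu%2Flogin HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
10.0.0.5 - alice [24/Sep/2012:13:02:30 -0400] "GET /cas/login?service=https%3A%2F%2Fportal.example.edu%2Flogin&renew=true HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.8 - carol [24/Sep/2012:13:03:00 -0400] "GET /cas/serviceValidate?ticket=ST-1 HTTP/1.1" 200 512 "-" "Java/1.6"
10.0.0.9 - dave [24/Sep/2012:13:04:00 -0400] "GET /cas/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (user, service_or_None, status) for a CAS login request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/cas/login":
        return None  # ticket validation, static content, etc.
    # parse_qs percent-decodes the value, yielding the real service URL.
    service = parse_qs(parts.query).get("service", [None])[0]
    user = None if m.group("user") == "-" else m.group("user")
    return user, service, int(m.group("status"))


def attribute_logins(log_text):
    """Count ticket issuances (authenticated 302 redirects) per service host.

    Returns (per_service_counter, unattributed_count).  Logins with no
    'service' parameter are counted separately so the gap is visible to
    auditors rather than silently dropped.
    """
    per_service = Counter()
    unattributed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, service, status = rec
        if status != 302 or user is None:
            continue  # login form display or unauthenticated request
        if service is None:
            unattributed += 1
            continue
        per_service[urlsplit(service).netloc] += 1
    return per_service, unattributed


if __name__ == "__main__":
    counts, missing = attribute_logins(SAMPLE_LOG)
    for host, n in counts.most_common():
        print(f"{host}\t{n}")
    print(f"unattributed logins: {missing}")
```

Keying on the host of the decoded `service` URL (rather than the raw string) collapses the per-page variations that a single application generates into one row per application, which is the granularity an audit report usually wants; the unattributed count is reported rather than discarded so that a front-end misconfiguration that strips the query string shows up in the numbers.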
