We formerly used OAM in conjunction with CAS in the way originally suggested, by using OAM to protect our CAS server. The goal was to provide SSO between OAM and CAS-protected apps. Our assumption was that it would be easier to protect enterprise apps with OAM and then we could use OAM's coarse-grained authorization to add value to our Identity Management solution for enterprise apps.

In our experience, however, after running that combination for over 3 years, the only application that we ever protected with OAM was the CAS server. All other times when we attempted to install an OAM WebGate, we eventually came to the conclusion that installing a CAS client or using direct LDAP integration would be significantly easier to configure and maintain. Also, we discovered that we really didn't have any need for OAM's authorization capabilities, since the applications all provided their own internal fine-grained authorization. (Some key examples are PeopleSoft, SharePoint, and Siebel.) Also, CAS was easier to integrate for all of our custom apps. After much evaluation, this past spring we completed a project to remove Oracle's suite from our identity management portfolio, and we have been happy using a combination of CAS, Grouper, and some custom web services.

-Nathan

From: Eric Pierce <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, September 25, 2012 9:48 AM
To: "[email protected]" <[email protected]>
Subject: Re: [cas-user] CAS and OAM Happy Problem

OAM will see all of the applications secured by CAS as one application, so the centralized authorization/auditing probably isn't as useful. In your OAM logs, you'll see that a user authenticated to CAS, but without parsing the actual URL that was used, you won't be able to identify which CASified application was being accessed. I had the same issue with CAS-protected Shibboleth (all Shib applications just showed up as a generic Shibboleth URL), so I just wrote a Bash script to parse the actual service from the Shibboleth logs and feed the data back into the CAS audit database. You may be able to do something similar to get the CAS logs into OAM for auditing, but I expect the centralized authorization would be *really* hard, if not impossible.

OAM is a great solution for enterprise applications that were made to use it (i.e. Oracle/PeopleSoft applications), but it just doesn't seem flexible enough to deal with the various services a typical HigherEd institution has to work with. As an example, we have about 130 production CAS services on multiple platforms and written in just about every programming language you can name. I don't think you'd see the same type of support with OAM.

-Eric

On Mon, Sep 24, 2012 at 1:23 PM, Scott Spyrison <[email protected]> wrote:

Hi Bill, Bertrand, Scott,

First, thanks for the replies. I definitely hear you loud and clear on the added complexity and infrastructure overhead with anything Oracle. I love the flexibility of being able to CASify applications in addition to containers, and OAM is much more geared (out of the box) towards securing web servers. I also did a quick count of vendor applications we have either in-house or in the cloud, and came up with 5 that support CAS, 0 that support OAM, and 1 that might support OAM with significant work. In other words, having CAS in our environment makes a great deal of sense.

The OAM features that make me consider the additional complexity of integrating CAS with OAM are mainly centralized authorization policies, auditing and reporting. There are fuzzier, less specific ideas surrounding integration with other Oracle products like OIM and their Federation product.

Appreciate the discussion and questions - I'm exploring the idea, but not married to it. Seems like Oracle could solve my problem by implementing the CAS protocol in their suite :-)

best,
scott

On Mon, Sep 24, 2012 at 9:17 AM, William G. Thompson, Jr. <[email protected]> wrote:

Hi Scott,

Can you be more specific on features of OAM you are looking to leverage? What are the features/use cases that OAM is covering that you won't get out of a simple CAS deployment?

Best,
Bill

On Sun, Sep 23, 2012 at 5:18 PM, Scott Spyrison <[email protected]> wrote:
> Hello,
>
> We are designing towards a number of identity and access initiatives, one of
> which is CAS. I have a bit of a happy problem with CAS and Web SSO, and
> would welcome any comments/feedback from the list.
>
> CAS is basically synonymous with higher education at this point, and I want
> it in our environment. It is supported by a number of vendors that we use,
> and it is a very elegant way to handle Web SSO for applications across the
> University. My happy problem is that we also have a license for Oracle
> Access Manager vis a vis a converted Sun license, and if possible I would
> like to leverage OAM and related auditing capabilities in addition to CAS.
>
> I have reviewed a number of posts on this list about whether CAS can be
> "fronted" by something else, or whether CAS can trust or delegate
> authentication to another IdP. I reviewed one specific post that said CAS
> could be used more like an application as opposed to an IdP, configured with
> the Trusted Authentication Handler, and fronted with an SP
> (http://jasig.275507.n4.nabble.com/Integrating-a-SAML-2-0-IdP-with-CAS-td254116.html).
>
> This led me to believe the same might be possible with OAM, for example:
>
> 1) Install Tomcat with CAS, front with Apache and mod_proxy or similar. No
> direct access to Tomcat, only through proxy.
> 2) Configure CAS for Trusted Authentication.
> 3) Secure Apache with OAM, thereby securing CAS.
>
> Conceptually, CAS is like an application in this model, and it is secured
> with OAM's Apache module/WebGate. Seems like it should work but I won't
> have much confidence until I can run through an end-to-end proof of concept.
>
> Has anyone else integrated CAS and OAM, and if so would you be willing to
> share any design or implementation details with me?
>
> best,
> scott
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Eric Pierce
Identity Management Architect
Information Technology
University of South Florida
(813) 974-8868 -- [email protected]
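Eric's point above is that a WebGate in front of /cas/login only ever sees "the CAS server", so per-application auditing has to come from parsing the `service` parameter out of the request URL. The following is an added example of that parsing step, not code from the cas-user thread or from the CAS project: it reads constructed Apache access-log lines for an Apache front end that proxies /cas/login (the path layout is an assumption), extracts and validates the `service` URL, and produces login counts per application host. Only /cas/login requests with a well-formed http(s) service are counted; ticket validation calls and bare or malformed services are skipped.

```python
"""Attribute CAS logins to the application behind them by parsing the
`service` parameter out of front-end access-log lines.

Added example for the CAS/OAM thread; not code from the cas-user list or
from the CAS project. The log lines are constructed samples, and the
/cas/login path on the Apache front end is an assumption.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines (not captured from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/2012:09:48:01 -0400] "GET /cas/login?service=https%3A%2F%2Fhr.example.edu%2Fpsp%2Fps%2F HTTP/1.1" 200 1234
10.0.0.6 - - [25/Sep/2012:09:48:07 -0400] "GET /cas/login?service=https%3A%2F%2Fwiki.example.edu%2Flogin HTTP/1.1" 200 1234
10.0.0.5 - - [25/Sep/2012:09:48:10 -0400] "GET /cas/login?service=https%3A%2F%2Fhr.example.edu%2Fpsp%2Fps%2F HTTP/1.1" 302 0
10.0.0.7 - - [25/Sep/2012:09:49:00 -0400] "GET /cas/serviceValidate?ticket=ST-1-abc&service=https%3A%2F%2Fwiki.example.edu%2Flogin HTTP/1.1" 200 567
10.0.0.8 - - [25/Sep/2012:09:49:30 -0400] "GET /cas/login HTTP/1.1" 200 1234
10.0.0.9 - - [25/Sep/2012:09:50:00 -0400] "GET /cas/login?service=not-a-url HTTP/1.1" 200 1234
"""

# Pulls the request line ("METHOD target HTTP/x.y") out of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Hypothetical front-end path for the CAS login endpoint (assumption).
LOGIN_PATH = "/cas/login"


def service_from_request(target: str):
    """Return (scheme, host, path) of the CAS `service` named in a request
    target, or None when the request is not a login or has no usable service."""
    parts = urlsplit(target)
    if parts.path != LOGIN_PATH:
        return None
    values = parse_qs(parts.query).get("service")  # parse_qs percent-decodes
    if not values:
        return None
    svc = urlsplit(values[0])
    # Reject anything that is not an absolute http(s) URL: CAS services are
    # absolute URLs, and a bare token here is noise rather than an application.
    if svc.scheme not in ("http", "https") or not svc.netloc:
        return None
    return svc.scheme, svc.netloc.lower(), svc.path or "/"


def login_counts_by_service(log_text: str) -> Counter:
    """Count CAS login requests per application host: the per-service view
    that a WebGate protecting only /cas/login cannot give on its own."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        svc = service_from_request(match.group("target"))
        if svc is not None:
            counts[svc[1]] += 1
    return counts


if __name__ == "__main__":
    for host, n in login_counts_by_service(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {host}")
```

In a deployment, the same parsed host/path would be the key fed into whichever audit store (the CAS audit database, or an OAM audit feed) is meant to answer "which application did this user log in to"; the point of validating the service as an absolute URL is that the audit data should not be polluted by malformed or missing parameters.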
