On Thu, Oct 18, 2012 at 9:28 AM, Marvin Addison
<[email protected]> wrote:
> On Wed, Oct 17, 2012 at 3:20 PM, Hadden, Rich <[email protected]> wrote:
>> Good afternoon,
>>
>> I was wondering if there is any means by which (or possibly any future
>> plans) to allow grouping or clustering of services for authentication or to
>> provide different tiers of authentication without requiring multiple CAS
>> instances.  For example, I may want a user that signs into services a, b and
>> c to be able to create proxy tickets for each other, but services d, e and
>> f may have more sensitive data, but use the same credentials as a, b and c.
>> Just because the user authenticates to application a, I don’t want him to be
>> able to login to d, e or f without being challenged for authentication
>> again.

There have been discussions in the past about implementing multiple
WebSSO domains within a single CAS server instance (essentially
scoped TGTs).  That, coupled with the LOA work going on right now, is
probably what you need.  Unicon was in talks with a potential adopter
about implementing the multiple WebSSO domains, but that work never
went through.  There are some UX things to think through, but the
technical work seemed pretty straightforward.


>
>> This is the model that I’m being tasked with implementing and don’t
>> see any present support?
>
> I recall hearing a presentation about a university augmenting the
> service manager to provide for centralized authorization. I don't
> recall the details, but it likely would not address your needs
> directly but it does highlight that it's possible to leverage the
> service manager as a platform for implementing features like this.

see:

https://wiki.jasig.org/display/JCON/2012-06-11+Fordham+Goes+ABAC+for+CAS+-+Extending+CAS+with+Attribute-Based+Access+Control

Best,
Bill



>
> I would recommend you consider leveraging forced authentication
> (renew=true) for services d, e, and f. While it doesn't provide for
> centralized control of security policy, it would satisfy the
> requirement for reauthentication to reach the more secure services.
>
> M
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
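The forced-authentication suggestion above, as an added example that is not from the thread or from the CAS project itself: a small CAS 2.0 client helper that treats services d, e and f as sensitive and sends `renew=true` both on the login redirect and on `/serviceValidate`, so a ticket minted from an existing SSO session is refused for those services. The CAS hostname, service URLs and the two sample XML responses are constructed for the example.

```python
from typing import Tuple
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_SERVER = "https://cas.example.edu/cas"  # constructed hostname
# Services d, e, f hold the more sensitive data; a, b, c share the SSO session as usual.
SENSITIVE = {"https://d.example.edu/", "https://e.example.edu/", "https://f.example.edu/"}

def login_url(service: str) -> str:
    """Redirect target for an unauthenticated request to `service`.
    Sensitive services ask CAS for forced (re)authentication."""
    params = {"service": service}
    if service in SENSITIVE:
        params["renew"] = "true"  # bypass the existing SSO session, prompt for credentials
    return f"{CAS_SERVER}/login?{urlencode(params)}"

def validate_url(service: str, ticket: str) -> str:
    """Server-side ticket validation request. Sending renew=true here too
    makes CAS reject a ticket issued from an existing SSO session, so the
    policy holds even if the browser reached /login without renew=true."""
    params = {"service": service, "ticket": ticket}
    if service in SENSITIVE:
        params["renew"] = "true"
    return f"{CAS_SERVER}/serviceValidate?{urlencode(params)}"

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

def parse_validation(xml_body: str) -> Tuple[bool, str]:
    """Parse a CAS 2.0 <cas:serviceResponse>; return (ok, user or error code)."""
    root = ET.fromstring(xml_body)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        return True, success.findtext("cas:user", default="", namespaces=CAS_NS)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    code = failure.get("code", "UNKNOWN") if failure is not None else "MALFORMED"
    return False, code

# Constructed sample responses shaped like CAS 2.0 output (not captured from a real server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket was not issued from primary credentials</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_url("https://a.example.edu/"))  # no renew: SSO session is reused
    print(login_url("https://d.example.edu/"))  # renew=true: user is challenged again
    print(parse_validation(FAILURE_XML))       # (False, 'INVALID_TICKET')
```

The sensitivity list lives in each client here; as Marvin notes, this gives reauthentication for d, e and f but not centralized policy, which would need the service manager or a scoped-TGT feature on the server side.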
