All good suggestions...thanks! I'll look into those as well as try to jump into the discussion on cas-dev.
Thanks again!

Rich

-----Original Message-----
From: William G. Thompson, Jr. [mailto:[email protected]]
Sent: Thursday, October 18, 2012 10:26 AM
To: [email protected]
Subject: Re: [cas-user] service grouping

On Thu, Oct 18, 2012 at 9:28 AM, Marvin Addison <[email protected]> wrote:
> On Wed, Oct 17, 2012 at 3:20 PM, Hadden, Rich <[email protected]> wrote:
>> Good afternoon,
>>
>> I was wondering if there is any means by which (or possibly any future
>> plans) to allow grouping or clustering of services for authentication
>> or to provide different tiers of authentication without requiring
>> multiple CAS instances. For example, I may want a user that signs
>> into services a, b and c to be able to create proxy tickets for each
>> other, but services d, e and f may have more sensitive data, but use the
>> same credentials as a, b and c.
>> Just because the user authenticates to application a, I don't want
>> him to be able to login to d, e or f without being challenged for
>> authentication again.

There have been discussions in the past about implementing multiple WebSSO domains within a single CAS server instance (essentially scoped TGTs). That, coupled with the LOA work going on right now, is probably what you need. Unicon was in talks with a potential adopter about implementing the multiple WebSSO domains, but that work never went through. There are some UX things to think through but the technical work seemed pretty straightforward.

>
>> This is the model that I'm being tasked with implementing and don't
>> see any present support?
>
> I recall hearing a presentation about a university augmenting the
> service manager to provide for centralized authorization. I don't
> recall the details, but it likely would not address your needs
> directly but it does highlight that it's possible to leverage the
> service manager as a platform for implementing features like this.

see: https://wiki.jasig.org/display/JCON/2012-06-11+Fordham+Goes+ABAC+for+CAS+-+Extending+CAS+with+Attribute-Based+Access+Control

Best,
Bill

>
> I would recommend you consider leveraging forced authentication
> (renew=true) for services d, e, and f. While it doesn't provide for
> centralized control of security policy, it would satisfy the
> requirement for reauthentication to reach the more secure services.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected] To unsubscribe, change settings or access archives,
> see http://www.ja-sig.org/wiki/display/JSG/cas-user
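The thread's two mechanisms, grouping services into tiers and forcing re-authentication with `renew=true` for the sensitive tier, can be sketched as a small client-side policy. The following is an added example written for this page; it is not code from the CAS project or from anyone on the thread. The `renew` parameter it sets is the one defined by the CAS protocol for both `/login` and `/serviceValidate`; everything else (the `cas.example.edu` server, the `a`..`f` service hosts, the "standard"/"sensitive" tier names and the `SERVICE_TIER` registry shape) is a constructed assumption for illustration.

```python
"""Service tiers with CAS forced authentication (renew=true).

Added example, not CAS project code. Services a, b, c share one SSO tier and
may proxy to each other; services d, e, f form a 'sensitive' tier that always
demands primary credentials. Server URL, hosts and tier names are assumptions.
"""
from urllib.parse import urlencode, urlsplit

CAS_SERVER = "https://cas.example.edu/cas"  # assumed CAS server base URL

# Constructed registry: service origin -> tier, and tier -> policy. This is an
# illustration of the idea, not the format of CAS's own service registry.
TIER_POLICY = {
    "standard": {"renew_required": False},
    "sensitive": {"renew_required": True},
}
SERVICE_TIER = {
    "https://a.example.edu": "standard",
    "https://b.example.edu": "standard",
    "https://c.example.edu": "standard",
    "https://d.example.edu": "sensitive",
    "https://e.example.edu": "sensitive",
    "https://f.example.edu": "sensitive",
}


def _origin(url: str) -> str:
    """Reduce a service URL to scheme://host[:port], lower-cased, so that a
    path or query string cannot move a service into a different tier."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"service must be an absolute https URL: {url!r}")
    return f"{parts.scheme}://{parts.netloc.lower()}"


def tier_of(service_url: str) -> str:
    """Deny by default: an unregistered service has no tier and is rejected."""
    origin = _origin(service_url)
    try:
        return SERVICE_TIER[origin]
    except KeyError:
        raise LookupError(f"service {origin} is not registered") from None


def requires_renew(service_url: str) -> bool:
    return TIER_POLICY[tier_of(service_url)]["renew_required"]


def login_url(service_url: str) -> str:
    """Redirect target for the application: /login, with renew=true when the
    tier demands primary credentials even if an SSO session already exists."""
    params = {"service": service_url}
    if requires_renew(service_url):
        params["renew"] = "true"
    return f"{CAS_SERVER}/login?{urlencode(params)}"


def validate_url(service_url: str, ticket: str) -> str:
    """Back-channel validation URL. Sending renew=true here as well makes the
    CAS server reject a service ticket that was issued from an existing SSO
    session rather than from fresh credentials, so the tier policy holds even
    if the user reached /login without the renew flag."""
    params = {"service": service_url, "ticket": ticket}
    if requires_renew(service_url):
        params["renew"] = "true"
    return f"{CAS_SERVER}/serviceValidate?{urlencode(params)}"


def proxy_allowed(from_service: str, to_service: str) -> bool:
    """Policy a service-manager extension could apply before honouring a
    /proxy request: proxy tickets only flow between services of one tier."""
    return tier_of(from_service) == tier_of(to_service)


if __name__ == "__main__":
    for svc in ("https://a.example.edu/portal", "https://d.example.edu/records"):
        print(svc, "->", login_url(svc))
    print("a may proxy to b:", proxy_allowed("https://a.example.edu/", "https://b.example.edu/"))
    print("a may proxy to d:", proxy_allowed("https://a.example.edu/", "https://d.example.edu/"))
```

The point of `validate_url` is the one practitioners most often miss: setting `renew=true` only on the login redirect is not enough, because the application cannot tell from a bare service ticket whether it came from fresh credentials; asking for `renew` at validation too makes the CAS server enforce it.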
