Hello,

We are currently trying to set up a CAS server in order to manage authentication for all our services.

We are also debating CAS's perimeter: some would like to add some information useful for authorization in the response after ticket validation. For example:

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
        <cas:user>james.bond</cas:user>
        <cas:attributes>
          <cas:profile>super-user</cas:profile>
          <cas:group>007</cas:group>
        </cas:attributes>
      </cas:authenticationSuccess>
    </cas:serviceResponse>

In my opinion, CAS's attributes are not meant to be used for authorization. I've read the protocol http://www.jasig.org/cas/protocol but I could not find a quote saying whether CAS should or should not be used for authorization. Just this one quote: « In the case where one is using CAS for authorization (probably a bad idea in the first place) ... », on this page http://www.jasig.org/cas/client-integration/gateway

Could somebody from the community give us their feedback please?

Thanks!

Cheers,
Hong Viet

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
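As an added illustration of the response format discussed in the post (this is example code written for this page, not code from the poster or from the CAS project), the following Python parses a CAS 2.0-style serviceResponse, handles both the authenticationSuccess and authenticationFailure branches, and keeps repeated attribute elements as multi-valued lists. It then shows the split the poster is asking about: the attributes released by CAS are treated as facts about the authenticated user, while the decision of which privilege a given attribute value grants lives in a policy table owned by the service. The sample responses, the second `cas:group` value, the ticket string and the `ROLE_POLICY` mapping are all constructed for the example.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
NS = {"cas": CAS_NS}

# Constructed sample responses, modelled on the one in the post. The second
# <cas:group> is added here to show how multi-valued attributes are handled.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>james.bond</cas:user>
    <cas:attributes>
      <cas:profile>super-user</cas:profile>
      <cas:group>007</cas:group>
      <cas:group>mi6</cas:group>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure response; the ticket value is a placeholder.
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-EXAMPLE-TICKET not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


class CasValidationError(Exception):
    """Raised when the server reports authenticationFailure or the XML is unusable."""


def parse_service_response(xml_text):
    """Return (user, attributes) from a CAS serviceResponse.

    attributes maps attribute name -> list of values, because the same element
    may be repeated for multi-valued attributes. Anything other than a clean
    authenticationSuccess raises CasValidationError, so callers fail closed.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CasValidationError(f"malformed serviceResponse: {exc}") from exc
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        raise CasValidationError(f"unexpected root element {root.tag}")

    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        raise CasValidationError(f"{code}: {(failure.text or '').strip()}")

    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise CasValidationError("no authenticationSuccess or authenticationFailure element")

    user_el = success.find("cas:user", NS)
    if user_el is None or not (user_el.text or "").strip():
        raise CasValidationError("authenticationSuccess without a cas:user")

    attributes = {}
    attrs_el = success.find("cas:attributes", NS)
    if attrs_el is not None:
        for child in attrs_el:
            # Drop the namespace prefix from the tag; repeated tags become a list.
            name = child.tag.split("}", 1)[1] if "}" in child.tag else child.tag
            attributes.setdefault(name, []).append((child.text or "").strip())
    return user_el.text.strip(), attributes


def describe(xml_text):
    """Convenience wrapper: ('ok', user, attributes) or ('error', message)."""
    try:
        user, attributes = parse_service_response(xml_text)
    except CasValidationError as exc:
        return ("error", str(exc))
    return ("ok", user, attributes)


# Service-side policy (constructed for the example): which released attribute
# values this particular application accepts as evidence for each local role.
# CAS asserts identity and attributes; the mapping to privileges stays here.
ROLE_POLICY = {
    "admin": {"profile": {"super-user"}},
    "agent": {"group": {"007", "mi6"}},
}


def authorize(attributes, required_role):
    """Grant required_role only if a released attribute value is in the local policy."""
    wanted = ROLE_POLICY.get(required_role, {})
    return any(
        value in allowed
        for attr, allowed in wanted.items()
        for value in attributes.get(attr, [])
    )


if __name__ == "__main__":
    user, attrs = parse_service_response(SUCCESS_RESPONSE)
    print(user, attrs, authorize(attrs, "admin"), authorize(attrs, "agent"))
    print(describe(FAILURE_RESPONSE))
```

Keeping `ROLE_POLICY` in the service rather than deriving privileges directly from attribute names means a change to what CAS releases cannot silently widen access: an attribute the service has no policy entry for grants nothing.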
