On Thu, Mar 14, 2013 at 10:39 AM, Lê, Hà Hong Viêt
<[email protected]> wrote:
> Hello,
>
> We are currently trying to set up a CAS server in order to manage
> authentication for all our services.
>
> We are also debating CAS's perimeter: some would like to add some
> information useful for authorization in the response after ticket
> validation.
>
> For example:
>
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>   <cas:authenticationSuccess>
>     <cas:user>james.bond</cas:user>
>     <cas:attributes>
>       <cas:profile>super-user</cas:profile>
>       <cas:group>007</cas:group>
>     </cas:attributes>
>   </cas:authenticationSuccess>
> </cas:serviceResponse>
>
> In my opinion, CAS's attributes are not meant to be used for authorization.
> I've read the protocol http://www.jasig.org/cas/protocol but I could find a
> quote saying if CAS should or should not be used for authorization.
>
> Just this one quote: « In the case where one is using CAS for authorization
> (probably a bad idea in the first place) ... », on this page
> http://www.jasig.org/cas/client-integration/gateway
>
> Could somebody from the community give us his feedback, please?

While it is true the original CAS2 protocol was designed only with
authentication in mind (i.e. lacked attributes), the addition of the
CAS-SAML1 response, attributes in the CAS payload itself, and
attribute support in various CAS clients has made CAS suitable for
communicating various attributes (e.g. groups, roles, authorization,
entitlements, etc). Policy enforcement is still the responsibility
of the application (aka relying party) in this arrangement.

More recently we've also seen coarse-grained access control being
enforced at the CAS server itself via authorization configuration in
the Services Registry. In this scenario users are denied or allowed
access to Service Tickets for a particular app based on the value of
some particular attribute. Unicon was engaged to develop this for
Fordham University.

http://www.youtube.com/watch?v=ci8NSy64gqE

Best,
Bill


> Thanks!
>
> Cheers,
>
> Hong Viet
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
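The arrangement Bill describes, where CAS carries attributes in the validation response and the relying party enforces policy on them, is illustrated below with an added example. It is not code from the thread or from the CAS project: it parses a `/serviceValidate`-style response built from the XML in the original question (with a second `cas:group` value added as a constructed sample), extracts the user and multi-valued attributes, and applies a fail-closed check that allows access only when a named attribute carries one of the permitted values. The same check, run against a service's required attribute, is the shape of the coarse-grained rule Bill mentions being enforced at the server side. The function names and sample responses are assumptions for this example.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed sample: the successful validation response from the question,
# with one extra group value to show that CAS attributes can repeat.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>james.bond</cas:user>
    <cas:attributes>
      <cas:profile>super-user</cas:profile>
      <cas:group>007</cas:group>
      <cas:group>mi6</cas:group>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: a CAS 2.0 failure response (ticket not recognized).
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_validation_response(xml_text):
    """Return (user, attributes) for a successful validation, else None.

    attributes maps attribute name -> list of values, because a CAS
    attribute such as cas:group may appear more than once.
    """
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        # authenticationFailure (or anything unexpected) means no identity
        return None
    user_el = success.find(f"{{{CAS_NS}}}user")
    if user_el is None or not (user_el.text or "").strip():
        return None
    attrs = {}
    attrs_el = success.find(f"{{{CAS_NS}}}attributes")
    if attrs_el is not None:
        for child in attrs_el:
            # drop the namespace URI to get the bare attribute name
            name = child.tag.split("}", 1)[-1]
            attrs.setdefault(name, []).append((child.text or "").strip())
    return user_el.text.strip(), attrs


def is_authorized(xml_text, attribute, allowed_values):
    """Relying-party policy check over the CAS attributes.

    Allow only if validation succeeded and the user carries `attribute`
    with at least one value in `allowed_values`; deny otherwise (fail closed).
    """
    parsed = parse_validation_response(xml_text)
    if parsed is None:
        return False
    _user, attrs = parsed
    return bool(set(attrs.get(attribute, [])) & set(allowed_values))


if __name__ == "__main__":
    print(parse_validation_response(SAMPLE_SUCCESS))
    print(is_authorized(SAMPLE_SUCCESS, "group", {"007"}))
    print(is_authorized(SAMPLE_FAILURE, "group", {"007"}))
```

The check deliberately returns False for a failure response, a missing user element, or an absent attribute, so a misconfigured CAS server that stops releasing an attribute locks users out rather than silently granting access. Python's ElementTree does not resolve external entities, but a client that parses responses from anything other than its own CAS server over TLS should still prefer a hardened parser such as defusedxml.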
