On Tue, Apr 2, 2013 at 7:37 PM, Frederico Guilherme Zveiter de Albuquerque <[email protected]> wrote:
> Hi, folks!
>
> First of all, let me apologize for my bad English.
>
> I'm responsible for presenting a solution for implementing SSO in three sites
> that compose the products on my company. During a meeting last week I've
> presented Jasig CAS Server and CAS protocol as a possible solution and made
> a little demo and they all liked it but there were many questions that I could
> not answer because of my lack of knowledge in SSO and the short time I had to
> do the presentation.
>
> I'm in need of help in order to create a comparison sheet that states about
> CAS, Shibboleth, JOSSO and Picketlink on the following topics.
> The statements should not be too deep, just sufficient to support an overview
> analysis between the solutions.
> If anyone could contribute in any of the topics of any of the solutions I'll
> be very grateful!
>
> Must have features:
>
> - Scalability
> - Extensibility
> - Adoption and use cases in production today (preferably in high
> availability scenarios)
> - Interoperability between Java, .NET, PHP and others.
> - Look and feel customization of server's user interface.
> - Communication protocols between identity provider and services.
> - Communication protocols between identity provider and authentication
> providers.
> - Facebook as authentication provider.
> - "Remember me" feature.
> - Auditing and statistics.
> - Support for multiple domains and sub-domains services.
> - Documentation.
>
> "Nice to have" features:
>
> - Use of login forms in services.
> - Active community.
> - Google integration (OpenID/SAML)
> - JAAS integration.

CAS supports all of these.

>
> As a related subject, I'm (very) confused about the roles and features of
> CAS and Shibboleth. In his blog post entitled "CAS and Shibboleth
> Co-existing in Mutually Beneficial Harmony", Andrew Petro says that he sees
> CAS as "a flexible and capable mechanism for the Web authentication of local
> users." and Shibboleth as "the platform for federating that local Web
> authentication and implementing formal standards", also, in Shibboleth's
> about page, it is stated that this "federation stuff" is the title given to
> the scenario where the identity provider and identity services are not
> necessarily in the same organization. But I cannot connect these statements
> to the technical facts.
>
> Can I say that a "federated" scenario is SSO applied to sites in different
> domains (or sub-domains)?
> Can I say that a "federated" scenario characterizes that the identity
> provider should gather user information in different organizations
> (protected databases or directories)?
> Doesn't the CAS server support authentication across multiple domains or
> sub-domains?
> What Andrew meant by "implementing formal standards", doesn't CAS support
> SAML too?

CAS is a robust enterprise WebSSO solution. Shibboleth is a robust SAML2 implementation. The combination of both provides an excellent platform for deploying enterprise WebSSO and SAML2.

see: https://wiki.jasig.org/display/JCON/2012-06-14+Shibboleth+and+CAS+-+Even+More+Perfect+Together

"federated" means different things to different people. In the simplest case it just means web-based authentication across administrative boundaries (e.g. organization authentication mechanism used to access some "cloud-based" service). CAS is capable of this via CAS protocol and in a limited way using SAML2. Shibboleth is capable of doing this leveraging a fuller spectrum of SAML2 profiles.

"Federation" in a more robust case means the sharing of metadata, policy, attribute definition, etc. across a multitude of Identity Providers and Service Providers. The InCommon Federation for U.S. based education and research is an example.

see: http://www.incommon.org/about.html

CAS is a good choice if you are simply integrating three web applications together via WebSSO and expect users to authenticate via Facebook or service specific credentials.

Best,
Bill

>
> Please, help!
>
> Thank you very much!
>
> Frederico Zveiter
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
