I don't understand your answer, but my questions are: Can Central Authentication Service (CAS) do authorization and use LDAP? I would like an example.

2014-10-10 13:10 GMT+02:00 Marvin Addison <[email protected]>:

> > I'm a little confused about the authorization, which I read CAS isn't
> > supposed to do.
>
> CAS doesn't provide any support for centralized authorization policy,
> but it can provide data to applications that support
> application-specific authorization policy. We use the term "attribute
> release" in the documentation for this feature.
>
> > Yet, I see something like groups, but don't know what they are.
>
> Where do you see this? It's common for CAS to load group membership
> data for a user on authentication and give it back to services when
> the service is authenticated to CAS.
>
> > Anyway, my scenario is pretty common, and is as follows:
> >
> > We need to restrict access to each of our apps that are going to support
> > SSO. Within each of our apps, there are roles in LDAP tree. These roles are
> > used to prevent certain users from accessing various parts of the site.
>
> CAS could release the role data to the application and it would then
> have to enforce the policy restrictions based on that data.
>
> > Also, an admin of one system may not be an admin of
> > another system. Is it possible to satisfy all of these scenarios with CAS?
>
> It sounds to me more like a requirement of the group/role data in your
> system of record for user data. CAS can release whatever data for a
> user you tell it to. Note, however, that it must be modeled as user
> data. There's no way to ask CAS "what is the data for this user at
> this particular service." You load up all user data at
> authentication time and return some or all of it to an authenticating
> application when it talks to CAS.
>
> M
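
The split described in the quoted reply, as an added sketch that is not part of the original thread or of CAS itself: CAS authenticates the user and releases attributes, and each application maps them to its own roles and enforces access. The `memberOf` attribute name, the DNs and the `APP_POLICY` table are assumptions, and the XML is a constructed sample in the CAS service-validation response format.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample: a validation response carrying released LDAP role DNs.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:memberOf>cn=wiki-admins,ou=roles,dc=example,dc=org</cas:memberOf>
      <cas:memberOf>cn=billing-users,ou=roles,dc=example,dc=org</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Hypothetical per-application policy: CAS releases the same user data to
# every service; each application decides what that data means locally.
APP_POLICY = {
    "wiki": {"cn=wiki-admins,ou=roles,dc=example,dc=org": "admin",
             "cn=wiki-users,ou=roles,dc=example,dc=org": "user"},
    "billing": {"cn=billing-admins,ou=roles,dc=example,dc=org": "admin",
                "cn=billing-users,ou=roles,dc=example,dc=org": "user"},
}

def parse_validation(xml_text):
    """Return (user, attributes); (None, {}) on failure or malformed XML."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None, {}
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:          # authenticationFailure or unexpected body
        return None, {}
    user = success.findtext("cas:user", default="", namespaces=NS).strip()
    if not user:
        return None, {}
    attrs = {}
    for el in success.findall("cas:attributes/*", NS):
        name = el.tag.split("}", 1)[-1]            # drop the namespace part
        attrs.setdefault(name, []).append((el.text or "").strip())
    return user, attrs

def roles_for(app, attrs):
    """Map released role DNs to this application's roles (unknown DNs ignored)."""
    mapping = APP_POLICY.get(app, {})
    dns = (dn.lower() for dn in attrs.get("memberOf", []))  # simplified DN match
    return {mapping[dn] for dn in dns if dn in mapping}

def is_allowed(app, required_role, xml_text):
    """Authorization is enforced here, in the application, and fails closed."""
    user, attrs = parse_validation(xml_text)
    return user is not None and required_role in roles_for(app, attrs)
```

With the sample response, `jdoe` is an admin of the wiki but only a regular user of billing, which is the "admin of one system, not of another" case from the thread.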
