By definition SSO (single sign on) is about authentication (identity management); that is, "is this person who they say they are". This requires a principal (username/email/whatever) and a credential (password/token/cert) to prove the subject's identity.
What the user should actually be able to do in your system, once they are authenticated/identified, by definition *must* be application specific. I suppose an add-on/plugin could be developed for CAS that allows deployers/developers to implement some CAS-supplied authorization realm/API, and perhaps that's what John's addition does, but authorization is solely about access management and answering the second question: "ok, we know that this user is legitimate in our system, now, what do we want to allow them to do?" And this is really something that no SSO system should attempt to prescribe.

________________________________
From: John Gasper <[email protected]>
Sent: Friday, January 23, 2015 11:41 AM
To: [email protected]
Subject: Re: [cas-user] Service management

Historically CAS does not focus on authorization; that is left to the client applications. Unicon has developed an add-on [1] that can do some basic checking, but I don't know if it has been migrated to support 4.0 yet. You might be able to use it as an outline to help you.

[1] https://github.com/Unicon/cas-addons/wiki/Role-Based-Services-Authorization

---
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

On 1/23/15 1:38 AM, Yannick MOLINET wrote:

Hi all,

I have successfully configured a CAS Server 4.0.1 with two LDAP sources (one AD, one LDAP), with mod_auth_cas and mod_jk. I want to authenticate my users on two different webapps. From my point of view, I think I should allow access to a specific webapp if the user is in the correct group (grp_webapp1 and/or grp_webapp2). The two apps are published as http://server/webapp1 and http://server/webapp2. Is it possible to grant access to a webapp through CAS if the user is in the correct group?
Sorry for my poor English,

Thanks,
Yannick

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
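An added example, not from the thread or from CAS itself, of the split the reply describes: CAS answers the authentication question by validating the service ticket, and the application makes the authorization decision from the released group attribute. It assumes a CAS 3.0 /serviceValidate response carrying a memberOf attribute (the XML below is a constructed sample) and the webapp-to-group mapping from Yannick's question; the policy table itself is an assumption.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Authorization policy lives in the application, not in the SSO server:
# which LDAP groups may reach which webapp (assumed mapping from the question).
POLICY = {
    "/webapp1": {"grp_webapp1"},
    "/webapp2": {"grp_webapp2"},
}

# Constructed sample of a CAS 3.0 /serviceValidate success response in which
# the server released a multi-valued memberOf attribute.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>yannick</cas:user>
    <cas:attributes>
      <cas:memberOf>grp_webapp1</cas:memberOf>
      <cas:memberOf>grp_staff</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample of a failed validation (bad or replayed ticket).
SAMPLE_FAILURE = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                  "<cas:authenticationFailure code='INVALID_TICKET'>Ticket not "
                  "recognized</cas:authenticationFailure></cas:serviceResponse>")

def parse_validation(xml_text):
    """Authentication step: return (user, set of groups) on success, else None."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None  # authenticationFailure or unexpected document: not identified
    user = success.findtext("cas:user", namespaces=CAS_NS)
    groups = {g.text.strip() for g in
              success.findall("cas:attributes/cas:memberOf", CAS_NS) if g.text}
    return user, groups

def is_authorized(path, groups, policy=POLICY):
    """Authorization step, decided by the application: does any of the user's
    groups appear in the allow-set for this webapp? Unknown paths are denied."""
    allowed = policy.get(path)
    return bool(allowed) and not allowed.isdisjoint(groups)

def check_access(xml_text, path, policy=POLICY):
    """Both steps together: a failed validation never reaches the group check."""
    identity = parse_validation(xml_text)
    if identity is None:
        return False
    _user, groups = identity
    return is_authorized(path, groups, policy)
```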
