Thanks Stephan. Originally the requirement was to fallback to an alternative auth module. However, after the recommendation from you and Jerome, it sounds like a bad idea. So we are not in favour of the same.
Regards, Prasad From: Stephan Arts [mailto:[email protected]] Sent: 06 February 2015 14:57 To: [email protected] Subject: Re: [cas-user] designing a fallback authentication scheme Hi Prasad, I think that would be a good solution for what you are describing. I was under the impression you were referring to a fallback scenario in case your own CAS server was not available. Regards, Stephan On 06/02/15 09:50, Mahantesh Prasad Katti wrote: · Thanks Stephan and Jerome. The requirement is something like this. We have a product used by multiple customers. It is likely some of them have a CAS in their ecosystem and others may not. So we wanted to provide both modes of authentication. One way that i know we can accomplish is to define a parameter in the web.xml indicating if CAS is enabled or not. And present the appropriate login form. Do you think there is an better alternative? Regards, Prasad From: Stephan Arts [mailto:[email protected]] Sent: 06 February 2015 13:37 To: [email protected]<mailto:[email protected]> Subject: Re: [cas-user] designing a fallback authentication scheme Hi, I agree with Jérôme, the simplest and most robust solution is to have 2 (or in our case 4) CAS servers running in a cluster with a multi-master LDAP backend. Put a load-balancer in front of your CAS servers and you're done. Okay, on second thought... Maybe not the simplest, but it is very reliable. Regards, Stephan On 06/02/15 08:04, Jérôme LELEU wrote: Hi, I would not recommend to implement such a fallback mechanism on client side: it would be pretty complicated and you would lose all the benefits of a centralized authentication server (security, one link to the authentication source). Why not a failover with two CAS servers? It can be achieved pretty easily with a Virtual IP (http://linux-ha.org/wiki/Main_Page). In all cases, you must careful of your SPOF (Single Point Of Failure): is your LDAP resilient? Best regards, Jérôme LELEU Founder of CAS in the cloud: www.casinthecloud.com<http://www.casinthecloud.com> | Twitter: @leleuj Chairman of CAS: www.jasig.org/cas<http://www.jasig.org/cas> | Creator of pac4j: www.pac4j.org<http://www.pac4j.org> 2015-02-06 6:28 GMT+01:00 Prasad Katti <[email protected]<mailto:[email protected]>>: Hi All, we are using CAS authentication to implement SSO model. we are using the JSR 196 for the extending the JAAS authorization. As part of this we are also implementing a fall back mechanism in situations where CAS is not available. in situations where CAS is not available, we want to present a custom login form and authenticate the user against a pre-defined ldap realm. here's where we are having a problem. when the application redirects to cas application login, if ÇAS is not available, how to capture the same on redirection failure? one option is to check the connectivity by sending an HTTP Connect method to the server. we can then use the HTTP status code to determine if we have to invoke the fallback strategy. is there a built in way in cas that will accomplish the same? I am just trying to weigh different options. -- You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
