Hello,

We have an unusual situation. When we first used CAS, we thought we would restrict it to Ellucian Banner and use Shibboleth for all other authentications. However, as Banner keeps expanding, other product owners have opted for CAS over Shibboleth because an SP is not required.

Banner products perform their own authorization once a user is authenticated. So, one of our Banner products (Self-Service Banner) wants to allow expired users access. This is how they re-register, and since UA campuses differ on when they expire accounts in AD, we can have students not be able to log in to register after two weeks from semester end in some cases.

We developed a second authenticator proxy that bypasses AD if authentication fails the first time. 3.4.2.1 handled this well. 3.5.2.1 throws the error for the expired user rather than rolling to the second authentication. We are accepting that some products (i.e., SSB) will allow expired users, while most will simply not allow them at all.

If anyone has developed a template configuration that can funnel authentication based on target URL, I would be interested in seeing it.

Linda

--
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
[email protected] | www.alaska.edu/oit/
