We're at a point in our CAS deployment where we'd like to start converting some of our existing applications to use it, and I'd appreciate some feedback on the best path to do so.

It seems there are two types of webapps under consideration, those that do no authentication at all on their own and rely entirely on web service based authentication, and those that have no web server authentication and implement auth entirely on their own.

For web server auth, it looks like the only real solution is mod_auth_cas (https://wiki.jasig.org/display/CASC/mod_auth_cas) for Apache? Anyone currently using this that might be able to comment on how well it works, how reliable it is, etc? It looks like it doesn't support proxy authentication, but we only have one app that needs that. Does anyone know if this module works as-is under Apache 2.4? According to the docs, some 2.2 modules work fine under 2.4, while others require updates for certain changed APIs.

If the app is mod_perl based, or mod_perl can be added just for authentication, it looks like there are two options:

http://search.cpan.org/~dcastro/Apache-AuthCAS/lib/Apache/AuthCAS.pm
http://search.cpan.org/~jhitt/Apache2-AuthCAS-0.4/lib/Apache2/AuthCAS.pm

Any opinion/consensus on which of these is better, and how they compare to mod_auth_cas? It looks like both of these support proxy auth, which makes them presumably beat out mod_auth_cas for that use case.

For applications which do their own authentication, it looks like phpCAS (https://wiki.jasig.org/display/CASC/phpCAS) is the officially supported solution for PHP-based apps? For Perl-based applications, I see there's only an unofficial client available (https://github.com/Unicon/cas-perl-client). The last update is over 3 years ago, and the documentation is a bit lacking. There are no better solutions for CAS via Perl?

We have one app that will need to do proxy auth; it's part of our IdM infrastructure. The client-facing front end is on a Windows box, currently doing forms-based auth and proxying the plaintext credentials to a mod_perl based web service via Apache LDAP authentication.
To CASify this, our webapps group will presumably use the .NET CAS client to authenticate the browser and then use CAS proxy auth to authenticate the end user to the web service. We are flexible on this as to whether the auth is done by the web server or integrated into the app itself. As mod_auth_cas doesn't do proxy auth, that is ruled out. Any thoughts on whether it would be cleaner to use one of the mod_perl based solutions to do the proxy auth at the web server level vs a Perl CAS client in the application?

Thanks much...

--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | [email protected]
California State Polytechnic University | Pomona CA 91768
