> Is this possible to do with CAS

Yes.


One way you could accomplish your requirements would be to add a new flow action to the CAS login flow.  After the authentication bit, a flow action would do the callback you describe, and shunt the flow to a suitable "You are not worthy" user experience if the user isn't authorized.


Traditionally, CAS is about authentication, not authorization.  Lack of authorization to use service A shouldn't, to my way of thinking, prevent a user from authenticating, establishing single sign on.  Application A's unwillingness to service a given user is application A's problem, and its user experience to provide, rather than CAS's.

Why arrest me during the CAS login workflow, interrupt my single sign on experience, after I've already done all the work of presenting valid credentials?

Instead, I would handle this requirement at application A, having it validate the service ticket, complete the authentication step, and then apply authorization  logic, supplying its own "You are not authorized" user experience.  Details of that experience may differ significantly from application to application.

*Why* am I not authorized?  ("You are not permitted to register for courses at this time as there is an immunization hold on your account.  Please click *here* to learn more about account holds and to learn steps to resolve this issue.") 

*What* am I still authorized to do?  ("I'm sorry, you are not a Cooperative Support subscriber at this time.  If you believe our records are in error, please call us at 1-800-XXX-XXX.  In the meantime, you are welcome to browse the public content of this site, including knowledge base articles and a description of the premium support program.")

As application complexity increases, authorization grows beyond a boolean to a matter of roles and privileges.  I'd look to Acegi, GAP, or the like to help me implement authorization and authorization user experiences within applications rather than within CAS.

But you can extend CAS to do this if you want to.

Andrew

Christian Haugen wrote:

Hi!

 

I have a general question about CAS and was hoping to get an answer before I invest too much time in something that may not work. I am planning on using CAS as a server that authenticates its user to two separate web services residing on different servers. Here is my scenario:

 

I have two web applications, A and B that have different user databases. I want to set up a CAS server that has the following functionality:

- When you go to A or B’s log on page you immediately get redirected to the CAS log on page. This log on page will be a simple page with just the logon functionality. If Bob for example want to connect to A and thus get redirected to the   

  CAS log on page I want the CAS server to send Bob’s log on information to server A for approval. If this information is correct then I want Bob to be redirected to A but also gain access to B, and vice versa.

 

I have seen the information on http://www.ja-sig.org/wiki/display/CAS/Using+CAS+without+the+CAS+login+screen but as far as I can understand from the guide it still lets the CAS server do the authorization. I have a loginsystem in place on server A that I wish to use so that the CAS server simply sends the login info to A and A replies with granted/not granted access.

 

Is this possible to do with CAS and is there more information about such a setup online?

 

Thank you in advance, my regards

 

Christian Haugen


_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas



_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas

Reply via email to