Hi Matt. Thank you for your reply. This is encouraging. There is a difference in what I am considering in that there is no starting point within an intranet to the external services users wish to consume. My use case is simply a user in the wild navigating to one of my apps on the Internet and, when they hit a page that requires authentication, redirecting for sign-in; but if they wish to reach another Internet app that I manage under another domain, they would already be signed in.

I happen to share a similar view of OpenID, since virtually anyone that could set up a server could set themselves up as an identity provider with very little in the way of identity vetting. Further, OpenID does not mean unique ID, and a person may have any number of IDs to serve their needs (somewhat contrary to the need it is destined to solve). So it is possible that people can have a work identity, personal identity, and of course an evil identity, etc. It will be interesting to see what the new year brings. Yahoo and other large sites are buying in. I can't see Yahoo doing anything deliberate to undermine confidence on the Internet. I will be interested to see how they handle their implementation, so I will take a wait-and-see approach while I develop capability to use OpenID. I happen to think it will come down to white and black lists of identity providers in order to have some trust over who is utilizing your resources. In fact there is software popping up to do just that, which will look up domains much like geo IP location databases: http://www.mediawiki.org/wiki/Extension:OpenID It ultimately comes down to who you want to trust, but even if this is more domains than your own, you've saved someone else the hassle of logging in to your app.

Regards,
David

Smith, Matt wrote:
> The University of Connecticut is successfully using CAS with a number of
> external vendor applications. So, in this regard, we are acting as the
> "Identity Provider" to "Service Providers" all across the Internet.
> This has been a very positive experience, as the extranet applications
> can appear to be part of our service environment.
>
> Acting as a Service Provider, allowing OpenID authentication is
> sufficient if you trust users to *each* be their own "Identity Provider"
> -- but there are risks that need to be considered. My biggest one --
> how do you vet the identity of the user, and the security of their
> OpenID provider?
>
> Running CAS as a single Identity Provider has very little cost, and the
> benefits are centralized, well-vetted identity, maintained by
> experienced system administrators.
>
> HTH,
> -Matt
>
>
> On Fri, 2008-01-18 at 13:11 -0400, David Pratt wrote:
>> Hi. I am generally familiar with the use of CAS authentication for
>> intranets. As such I had not properly considered it for a larger
>> Internet application. Can or should CAS be used in the wild for Internet
>> applications as single sign-on?
>>
>> Overall, OpenID is emerging in this area as a potential generic
>> standard. Despite this, I would welcome any insight in using CAS for a
>> larger-scale web application for Internet authentication. All the
>> largest providers like Google, Yahoo, Microsoft all have their own brand
>> of authentication - but the mechanisms are very CAS-like.
>>
>> If it can be used, anything to watch out for, or anyone already
>> doing this that can shed light on how it may be working. Any links to
>> documents or blog articles as reference would be appreciated. No lack
>> of information on the general mechanism of CAS on Google, just anything
>> specific about using it as Internet single sign-on. Many thanks.
>>
>> Regards
>> David
>> _______________________________________________
>> Yale CAS mailing list
>> [email protected]
>> http://tp.its.yale.edu/mailman/listinfo/cas