David, if it helps, there are multiple commercial entities that deploy CAS into production in the "wild" including Sony Online Entertainment and H.E.P. (I'm sure there are others too).
-Scott

On Jan 18, 2008 4:24 PM, David Pratt <[EMAIL PROTECTED]> wrote:
> Hi Matt. Thank you for your reply. This is encouraging. There is a
> difference in what I am considering in that there is no starting point
> within an intranet to the external services users wish to consume. My
> use case is simply a user in the wild navigating to one of my apps on
> the Internet and when they hit a page that requires authentication,
> redirecting for sign in but if they wish to reach another Internet app
> that I manage under another domain, they would already be signed in.
>
> I happen to share a similar view of openid since virtually anyone that
> could set up a server could set themselves up as an identity provider
> with very little in the way of identity vetting. Further, openid does
> not mean unique id and a person may have any number of ids to serve
> their needs (somewhat contrary to the need it is destined to solve). So
> it is possible that people can have a work identity, personal identity,
> and of course an evil identity, etc.
>
> It will be interesting to see what the new year brings. Yahoo and other
> large sites are buying in. I can't see Yahoo doing anything deliberate
> to undermine confidence on the Internet. I will be interested to see how
> they handle their implementation - so will take a wait and see approach
> while I develop capability to use openid. I happen to think it will come
> down to white and black lists of identity providers in order to have
> some trust over who is utilizing your resources. In fact there is
> software popping up to do just that which I will lookup domains much
> like geo ip location databases:
>
> http://www.mediawiki.org/wiki/Extension:OpenID
>
> It ultimately comes down to who you want to trust but even if this is
> more domains than your own, you've saved someone else the hassle of
> logging in to your app.
>
> Regards,
> David
>
> Smith, Matt wrote:
> > The University of Connecticut is successfully using CAS with a number of
> > external vendor applications. So, in this regard, we are acting as the
> > "Identity Provider" to "Service Providers" all across the Internet.
> > This has been a very positive experience, as the extranet applications
> > can appear to be part of our service environment.
> >
> > Acting as a Service Provider, allowing OpenID authentication is
> > sufficient if you trust users to *each* be their own "Identity Provider"
> > -- but there are risks that need to be considered. My biggest one --
> > how do you vet the identity of the user, and the security of their
> > OpenID provider?
> >
> > Running CAS as a single Identity Provider has very little cost, and the
> > benefits are centralized, well-vetted identity, maintained by
> > experienced system administrators.
> >
> > HTH,
> > -Matt
> >
> > On Fri, 2008-01-18 at 13:11 -0400, David Pratt wrote:
> >> Hi. I am generally familiar with the use of CAS authentication for the
> >> intranets. As such I had not properly considered it for a larger
> >> Internet application. Can or should CAS be used in the wild for internet
> >> applications as single sign on?
> >>
> >> Overall, OpenID is emerging in this area as a potential generic
> >> standard. Despite this, I would welcome any insight in using CAS for a
> >> larger scale web application for Internet authentication. All the
> >> largest providers like Google, Yahoo, Microsoft all have their own brand
> >> of authentication - but the mechanisms are very CAS-like.
> >>
> >> If it can be used, anything to watch out for, or anyone already
> >> doing this that can shed light on how it may be working. Any links to
> >> documents or blog articles as reference would be appreciated. No lack
> >> of information on general mechanism of CAS on Google, just anything
> >> specific about using it as Internet single sign on. Many thanks.
> >>
> >> Regards
> >> David
> >> _______________________________________________
> >> Yale CAS mailing list
> >> [email protected]
> >> http://tp.its.yale.edu/mailman/listinfo/cas

--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
