Hey Scott. Many thanks for your reply. I was continuing my research this evening and found H.E.P and visited their site to check it out just prior to receiving your mail. Was not aware of Sony. I was also making some comparisons between Yahoo's authentication and CAS. They seem too similar :-) Here's a nice general link describing sso by the big guys:
http://www.linksbusinessgroup.com/blog/2007/07/30/how-web-giants-provide-single-sign-on-services-to-users-2/

In any case, I have plenty of confidence in the solution and I have been aware of the heavy use made of cas in institutions. I'll likely use NGINX in front of tomcat so it can be easily load balanced. I'll use LDAP on backend.

On another note, I guess the only thing I haven't seen much about thus far is caching - so I'll have to do a bit more digging. Any links, advice, docs to share in this regard would be appreciated. Anyone using memcached in their setup for this?

Anyway, hoping to automate a setup over the next couple of days so I can begin testing. I am curious about how much equipment some of the larger schools are utilizing for authentication - any anecdotes welcome. I appreciate the replies - they have been most helpful. Many thanks.

Regards,
David

Scott Battaglia wrote:
> David,
>
> if it helps, there are multiple commercial entities that deploy CAS into production in the "wild" including Sony Online Entertainment and H.E.P. (I'm sure there are others too).
>
> -Scott
>
> On Jan 18, 2008 4:24 PM, David Pratt <[EMAIL PROTECTED]> wrote:
>
> Hi Matt. Thank you for your reply. This is encouraging. There is a difference in what I am considering in that there is no starting point within an intranet to the external services users wish to consume. My use case is simply a user in the wild navigating to one of my apps on the Internet and when they hit a page that requires authentication, redirecting for sign in but if they wish to reach another Internet app that I manage under another domain, they would already be signed in.
>
> I happen to share a similar view of openid since virtually anyone that could set up a server could set themselves up as an identity provider with very little in the way of identity vetting.
> Further, openid does not mean unique id and a person may have any number of ids to serve their needs (somewhat contrary to the need it is destined to solve). So it is possible that people can have a work identity, personal identity, and of course an evil identity, etc.
>
> It will be interesting to see what the new year brings. Yahoo and other large sites are buying in. I can't see Yahoo doing anything deliberate to undermine confidence on the Internet. I will be interested to see how they handle their implementation - so will take a wait and see approach while I develop capability to use openid. I happen to think it will come down to white and black lists of identity providers in order to have some trust over who is utilizing your resources. In fact there is software popping up to do just that which will look up domains much like geo ip location databases:
>
> http://www.mediawiki.org/wiki/Extension:OpenID
>
> It ultimately comes down to who you want to trust but even if this is more domains than your own, you've saved someone else the hassle of logging in to your app.
>
> Regards,
> David
>
> Smith, Matt wrote:
> > The University of Connecticut is successfully using CAS with a number of external vendor applications. So, in this regard, we are acting as the "Identity Provider" to "Service Providers" all across the Internet. This has been a very positive experience, as the extranet applications can appear to be part of our service environment.
> >
> > Acting as a Service Provider, allowing OpenID authentication is sufficient if you trust users to *each* be their own "Identity Provider" -- but there are risks that need to be considered. My biggest one -- how do you vet the identity of the user, and the security of their OpenID provider?
> >
> > Running CAS as a single Identity Provider has very little cost, and the benefits are centralized, well-vetted identity, maintained by experienced system administrators.
> >
> > HTH,
> > -Matt
> >
> > On Fri, 2008-01-18 at 13:11 -0400, David Pratt wrote:
> >> Hi. I am generally familiar with the use of CAS authentication for the intranets. As such I had not properly considered it for a larger Internet application. Can or should CAS be used in the wild for internet applications as single sign on?
> >>
> >> Overall, OpenID is emerging in this area as a potential generic standard. Despite this, I would welcome any insight in using CAS for a larger scale web application for Internet authentication. All the largest providers like Google, Yahoo, Microsoft all have their own brand of authentication - but the mechanisms are very CAS-like.
> >>
> >> If it can be used, anything to watch out for, or anyone already doing this that can shed light on how it may be working. Any links to documents or blog articles as reference would be appreciated. No lack of information on general mechanism of CAS on Google, just anything specific about using it as Internet single sign on. Many thanks.
> >>
> >> Regards
> >> David
> >> _______________________________________________
> >> Yale CAS mailing list
> >> [email protected]
> >> http://tp.its.yale.edu/mailman/listinfo/cas
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
