My understanding is that CAS is an authentication technology, with authorization being solely the responsibility of the client service.
I believe it makes sense for CAS to provide for authorization where it is a requirement that a service absolutely not be accessible to a given user. I came up with the following flow:

1. User hits service protected by SSO
2. Service redirects to CAS
3. User enters creds into CAS
4. CAS authenticates user
5. If authentication FAILS -> "your credentials are not authentic" STOP
6. NEW!! CAS authorizes user for service (CAS level authorization)
7. NEW!! If authorization FAILS -> "sorry you are not authorized to use that service" STOP
8. CAS redirects back to service with service ticket
9. Service validates service ticket
10. Service authorizes user (service level authorization, as it is done today)
11. User accesses service

Has anyone implemented anything like the above in CAS, or do people think that this sort of functionality would be desirable? The advantage is that the service never hears from an "authenticated" user, and authorization is managed by the CAS implementor for that particular service.

Dale

--
View this message in context: http://www.nabble.com/CAS-authorization-tp18883610p18883610.html
Sent from the CAS Users mailing list archive at Nabble.com.

Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
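The eleven-step flow above, simulated end to end as an added example (this is not code from the post or from the CAS project). Both sides are modelled in memory: a CAS server that authenticates, applies the proposed per-service allowlist (steps 6 and 7) before issuing a service ticket, and validates tickets; and a service that validates the ticket and then applies its own authorization (step 10). The users, service URLs, ACLs and roles are constructed sample data, and the class and function names (`CasServer`, `Service`, `attempt`) are this example's own, not CAS APIs.

```python
# Added example, not from the original post or the CAS project: an in-memory
# simulation of the proposed CAS-level authorization step. All data below is
# constructed; the names are this example's own and are not CAS APIs.
import hmac
import secrets


class AuthenticationError(Exception):
    """Step 5: the credentials are not authentic."""


class AuthorizationError(Exception):
    """Step 7 (CAS level) or step 10 (service level): not authorized."""


# Constructed sample users. A real deployment checks a directory or a hashed
# store; plain strings are used here only so the example runs stand-alone.
USERS = {"alice": "wonderland", "bob": "builder"}

# NEW step 6: per-service allowlist maintained by the CAS implementor.
SERVICE_ACL = {
    "https://payroll.example.edu/": {"alice"},
    "https://wiki.example.edu/": {"alice", "bob"},
}


class CasServer:
    def __init__(self):
        # Outstanding service tickets: ticket -> (user, service). Single use.
        self._tickets = {}

    def login(self, user, password, service):
        """Steps 4-8: authenticate, authorize for THIS service, issue a ticket."""
        expected = USERS.get(user, "")
        if user not in USERS or not hmac.compare_digest(
            expected.encode(), password.encode()
        ):
            raise AuthenticationError("your credentials are not authentic")
        if user not in SERVICE_ACL.get(service, set()):
            raise AuthorizationError("sorry you are not authorized to use that service")
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (user, service)
        return ticket

    def validate(self, ticket, service):
        """Step 9: return the principal for a ticket, or None.

        The ticket is consumed on first presentation and must come from the
        service it was issued for, so a ticket obtained for the wiki cannot be
        replayed at payroll to bypass the payroll allowlist.
        """
        entry = self._tickets.pop(ticket, None)
        if entry is None or entry[1] != service:
            return None
        return entry[0]


class Service:
    def __init__(self, url, cas, roles):
        self.url = url
        self.cas = cas
        self.roles = roles  # step 10: the service's own authorization data

    def handle(self, ticket):
        """Steps 9-11: validate the ticket, then apply service-level authorization."""
        user = self.cas.validate(ticket, self.url)
        if user is None:
            raise AuthenticationError("invalid or replayed service ticket")
        role = self.roles.get(user)
        if role is None:
            raise AuthorizationError(f"{user} has no role in {self.url}")
        return f"{user} accessed {self.url} as {role}"


def attempt(cas, service, user, password):
    """Run the whole flow and report the step at which it stopped."""
    try:
        ticket = cas.login(user, password, service.url)
    except AuthenticationError:
        return "stopped at step 5: authentication failed"
    except AuthorizationError:
        return "stopped at step 7: CAS-level authorization failed"
    try:
        service.handle(ticket)
    except AuthorizationError:
        return "stopped at step 10: service-level authorization failed"
    return "step 11: access granted"


if __name__ == "__main__":
    cas = CasServer()
    payroll = Service("https://payroll.example.edu/", cas, {"alice": "viewer"})
    wiki = Service("https://wiki.example.edu/", cas, {"alice": "editor"})
    print(attempt(cas, payroll, "alice", "wonderland"))
    print(attempt(cas, payroll, "alice", "nope"))
    print(attempt(cas, payroll, "bob", "builder"))  # payroll never hears from bob
    print(attempt(cas, wiki, "bob", "builder"))     # wiki does, and rejects him itself
```

The point of the two rejection cases is the one the post makes: with the allowlist in CAS, bob's request for payroll is refused before a ticket exists, so payroll never sees him; for the wiki, CAS lets him through and the wiki's own step-10 check still applies. Binding the ticket to the service URL and consuming it on first validation is what keeps the CAS-level check from being sidestepped by presenting one service's ticket to another.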
