Hi everyone, I'm the lead developer on the JASIG Central Authentication Service, one of the SSO servers that a number of higher education institutions use. Traditionally, CAS has used its own de-facto standard protocol (CAS1 and CAS2) which are similar in concept to much of OpenId 1.1. We have a couple of additional things built in (and you guys have some stuff we don't as optional specifications).
As part of the evolution of the CAS SSO server, we've been including support for additional protocols beyond CAS. To date, we can support CAS1, CAS2, SAML 1.1, part of SAML2 and are an OpenID 1.1 provider (the "dumb" model). We're looking to expand CAS into the realm of federation. We've been looking at SAML2 which, while extremely powerful, can also be very complex and goes against the concepts we've introduced in CAS1 and CAS2 (i.e. simplicity of protocol). OpenId gives us a much warmer, fuzzy feeling :-), so we're doing some initial analysis of utilizing OpenId 2 as our method for federation (in the nice boxes we've drawn on our white board it seems to work well).

I just have a few questions for a comparison of the OpenId protocol vs. the CAS protocol that weren't obvious to me. The main question is:

1. Do you guys support accessing a service on behalf of a user? In CAS we call this proxying on behalf of the user. But essentially, if you're, say, a portal, and you need to access the grades, you would retrieve a CAS proxy ticket and give it to the grades service, which would resolve that to the user as well as the chain of where it came from.

Some of the other stuff is more related to local SSO needs than the actual protocol, but I'll ask anyway:

1. Do you support a method of determining whether someone has authenticated already (in CAS we call it gateway)? For us it relies on the fact that you always point to one CAS server, which obviously doesn't need to be true in the case of OpenId. However, in the scenario where you know there is only one authenticating server, is this possible?

2. Similar to above, we support a concept of "opting-out" and forcing re-authentication. So an application that contains SSNs may basically tell the authentication server, "I don't care if they've authenticated already, do it again."

The last question: We don't actually do this in CAS yet, but we've seen it and a few people have asked for it. Is there a way to pass information along to say something like "I need them to authenticate via username/password, or cert, or LOA2 or higher"?

Thanks for any answers you guys can provide. We'll be continuing to do research into how OpenId2 fits into the CAS world, but I wanted to see if I could get some of these basic protocol comparison questions out of the way.

Thanks
-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs