Hi Folks, I've been following the syncope user list for some time with great interest. I'm a CAS committer and also involved in a project called CIFER (Community Identity Framework for Education and Research). I'll offer some comments below...
On Wed, Jan 23, 2013 at 4:20 AM, Francesco Chicchiriccò <[email protected]> wrote:
> On 23/01/2013 09:13, Guido Irrelevant wrote:
>>
>> The use case is that I have a number of Web applications (other than the
>> Syncope console). Syncope should manage the users that can log in to the Web
>> applications and CAS should offer SSO based on the user data in Syncope.
>> I.e., the user wants to log in to Web Application X which is protected by CAS
>> filters. She is redirected to CAS which asks for the credentials if
>> necessary. The credentials are validated by CAS against the user data in
>> Syncope. After successful login, possibly authorizations could be set in the
>> Web applications using the data in Syncope (this could be done using
>> attributes sent by CAS with the ticket, or outside of CAS by calling Syncope
>> from the Web application).
>>
>> Is this a valid use case anyway? Are there best practices / existing code
>> for this?

This looks like a classic use of CAS. CAS is focused on providing robust WebSSO by leveraging whatever user/credential store you already have. The idea is to do one thing well and be easy to integrate with other IAM components.

> Hi Guido,
> by my experience in the IAM world, and especially in the Identity Manager
> (like Syncope) - Access Manager (like CAS) integration, I have found
> that this concept might involve different use cases, at different levels.
>
> Disclaimer: I am more familiar with OpenSSO / OpenAM than with CAS.
>
>
> 1) Let Syncope manage Access Manager's user repository via exposed APIs (if
> available)
> 2) Let Syncope manage Access Manager's user repository via underlying store

These two options don't apply to CAS since there is no "CAS user repository" to speak of.

> 3) Use Syncope as authentication resource for the Access Manager
>
> In this case the Access Manager will authenticate users by considering
> Syncope a user repository: comparing to cases above, no propagation of data
> from Syncope to external is required.
>
> For CAS, I guess that this would imply writing a Syncope authentication
> handler, similar to JDBC [4] or LDAP [5] but empowering the Syncope REST
> interface.

Yes, this is how CAS is typically integrated with existing user/credential stores. Authenticating credentials against JDBC and LDAP is supported out of the box. Adding a REST based authentication handler would be easy. See: https://wiki.jasig.org/display/CASUM/Authentication

>
> 4) Enable SSO for Syncope admin console

This should be possible. Happy to answer any other questions you might have.

Best,
Bill
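As an added illustration of the REST-based handler discussed above (this is example code written for this page, not code from the thread, from CAS or from Syncope), here is a CAS 3.x authentication handler built on the `AbstractUsernamePasswordAuthenticationHandler` API that was current when this thread was written. It presents the user's credentials to a Syncope REST URL with HTTP Basic auth and treats only an HTTP 200 as a successful login. The package name, the `syncopeUrl` and `timeoutMillis` properties and the example endpoint path are assumptions; point `syncopeUrl` at whichever Syncope resource authenticates the caller's own credentials in your deployment.

```java
// Added example (not from the thread, CAS or Syncope): a CAS 3.x authentication
// handler that validates a username/password by calling a Syncope REST URL with
// HTTP Basic auth. Package name, bean properties and endpoint path are assumptions.
// Needs Java 8+ for java.util.Base64.
package org.example.cas.syncope;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;

public final class SyncopeRestAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {

    /** Outcome of one call to Syncope, kept distinct so an outage is not mistaken for a bad password. */
    enum Outcome { ACCEPTED, REJECTED, UNAVAILABLE }

    // Assumed property: a Syncope resource that requires the caller's own credentials,
    // for example https://idm.example.org/syncope/rest/user/self (path is an assumption).
    private String syncopeUrl;
    private int timeoutMillis = 5000;   // bound how long a CAS login thread can be held by Syncope

    public void setSyncopeUrl(final String syncopeUrl) { this.syncopeUrl = syncopeUrl; }
    public void setTimeoutMillis(final int timeoutMillis) { this.timeoutMillis = timeoutMillis; }

    @Override
    protected boolean authenticateUsernamePasswordInternal(final UsernamePasswordCredentials credentials)
            throws AuthenticationException {
        final String username = credentials.getUsername();
        final String password = credentials.getPassword();
        // Reject before any network call: an empty or colon-containing username cannot be
        // expressed unambiguously in a Basic header, and some stacks treat "" as anonymous.
        if (username == null || username.isEmpty() || username.indexOf(':') >= 0
                || password == null || password.isEmpty()) {
            return false;
        }
        // Only an explicit ACCEPTED authenticates; REJECTED and UNAVAILABLE both fail closed.
        return checkWithSyncope(syncopeUrl, username, password, timeoutMillis) == Outcome.ACCEPTED;
    }

    /** Presents user:password to Syncope with HTTP Basic auth and maps the HTTP status to an Outcome. */
    static Outcome checkWithSyncope(final String url, final String username, final String password,
                                    final int timeoutMillis) {
        if (url == null || !url.startsWith("https://")) {
            // Basic auth carries the password in the clear; refuse to send it over plain HTTP.
            return Outcome.UNAVAILABLE;
        }
        HttpURLConnection conn = null;
        try {
            conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setRequestMethod("GET");
            conn.setConnectTimeout(timeoutMillis);
            conn.setReadTimeout(timeoutMillis);
            conn.setInstanceFollowRedirects(false);   // a redirect to a login page is not a success
            conn.setRequestProperty("Accept", "application/json");
            conn.setRequestProperty("Authorization", basicHeader(username, password));
            final int status = conn.getResponseCode();
            if (status == HttpURLConnection.HTTP_OK) {
                return Outcome.ACCEPTED;
            }
            if (status == HttpURLConnection.HTTP_UNAUTHORIZED || status == HttpURLConnection.HTTP_FORBIDDEN) {
                return Outcome.REJECTED;
            }
            return Outcome.UNAVAILABLE;   // 3xx, 5xx or anything else unexpected
        } catch (final IOException e) {
            return Outcome.UNAVAILABLE;   // timeout, TLS failure, connection refused
        } finally {
            if (conn != null) {
                conn.disconnect();
            }
        }
    }

    /** Builds the HTTP Basic header value; UTF-8 so non-ASCII passwords round-trip unchanged. */
    static String basicHeader(final String username, final String password) {
        final byte[] raw = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }
}
```

In a CAS 3.x deployment the handler is declared as a Spring bean and added to the `authenticationHandlers` list of the `authenticationManager` bean in `deployerConfigContext.xml`, replacing the default `SimpleTestUsernamePasswordAuthenticationHandler` (which accepts any username equal to its password and must not stay enabled). Keep the `UNAVAILABLE` path separate in your logging so a Syncope outage shows up as an integration failure rather than a burst of failed logins. Releasing Syncope attributes with the ticket, as Guido asks about, is a separate concern handled by the CAS attribute repository, not by the authentication handler.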
