IAM & SSO


Ramakrishna G

Nov 20, 2019, 7:00:08 AM11/20/19
to CAS Community
Hi everyone,

A few questions for those of you who are using IAM plus SSO.
  1. Does CAS support both authentication as well as authorization?
    1. If yes, can you please elaborate with documentation?
    2. If no, can any workaround be done on CAS to support authorization?
  2. Which database to use? I figured out LDAP supports authorization, but are there some other DB suggestions?
  3. I am also curious to know the industry standard product for IAM & SSO. If possible, please share the technical stack used for the same.

We'd like to know what other folks are using for IAM & SSO, so that maybe we can make a better choice.

Thanks,
-Ram


Richard Frovarp

Nov 20, 2019, 11:01:37 AM11/20/19
to cas-...@apereo.org
It depends on what you are after. You can do authentication checks for the whole service using the service access strategy:

You can also do attribute release in a lot of the authentication protocols that CAS uses. You release whatever attributes you feel like you need to, and then the application has them available for authorization. CAS could pull the list of groups an account is a member of through LDAP/AD and return that to the application. The application could then do authorization checks based on that information. You can also return something like a list of entitlements. Where and how you store those is up to you. Pulling it from the same system they authenticated against makes it easy to set up and get running. You could resolve all of the groups out of Grouper if you wanted.

In higher education there are a lot that are using Grouper for some of the problems. Internet2 is helping to move along the Grouper, Shibboleth, COManage, and midPoint combination. You can pretty easily swap CAS for Shibboleth, or run both. https://www.incommon.org/trusted-access/
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7edaca52-e82f-42ec-9b37-6cb5ce4346f9%40apereo.org.


Roger Yerbanga

Nov 20, 2019, 7:44:11 PM11/20/19
to CAS Community
You can also filter (sort of pseudo-authorization) directly in CAS based on users' attributes (using the service access strategy).



--
! roger
-- www.yerbynet.com --
A computer without an Internet connection is a bit like a television without an antenna :)

Andy Ng

Nov 20, 2019, 9:00:29 PM11/20/19
to CAS Community
Hi Ram,

Although others have already answered, I still want to chime in with some of my opinion :)

> Does CAS support both authentication as well as authorization?
Yup, at least the more modern CAS versions support authorization.

I don't know if this is the standard way to do it, but judging from the documentation, we do it this way:
1. Authenticate the user
  - let's say our user is casuser, using LDAP
2. Attribute resolution for the user
  - let's say, by using JDBC, we can identify that casuser actually contains an attribute role = admin
  - Note: some implementations can skip this step and directly get user attributes in step 1, which CAS is totally OK with.
  - As you can see in the principalAttributeList property, LDAP can allow you to get attributes in the same step as when you authenticate the user: https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties.html#ldap-authentication
3. Allow / deny access based on the service access strategy
  - You can see that, unless the user has the role = admin attribute, they cannot access the service
  - Hence, you can authorize users based on their attributes; I think this is called attribute-based access control, but don't quote me on that :)

> Which Database to use? I figured out LDAP supports authorizations but is there some other db suggestions.
There are many technologies supported, for example:
For step 1 above: JDBC (e.g. MySQL, PostgreSQL), LDAP, several NoSQL (e.g. MongoDB, Redis...), REST, and much more
For step 2 above: you can see the list here: https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties.html#authentication-attributes; all in all, very many choices

You can use multiple technologies together in either or all steps, e.g.
- Authenticate users using both JDBC and LDAP
- Resolve attributes based on REST and MongoDB
Of course that would probably be overkill, but you get my point: it is very flexible.

As for which to use, I think it is very much a matter of preference; I think that's why there are so many options :)

We have used multiple authentication methods before, including LDAP and JDBC, which seem fast and reliable; no complaints were received after the deployment on PROD using these technologies.
We have tried REST; it is very slightly slower than just using LDAP or JDBC, but every second counts, so I would recommend one of the native approaches if possible.

> I am also curious to know the industry standard product for IAM & SSO? If possible, please share the technical stack used for the same.
I am as curious as you are; if somebody else has more insight, that would be great!


Cheers!
- Andy
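A service definition that puts Andy's step 3 (deny unless role = admin) and Richard's point about releasing attributes for application-side authorization into CAS configuration, written here as an added example rather than anything posted in this thread. It assumes a JSON service registry, a placeholder application at `https://app.example.org`, and that a `role` attribute has already been resolved for the principal in steps 1 or 2 (from LDAP via `principalAttributeList` or from a JDBC attribute repository, as described above).

```json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://app\\.example\\.org/.*",
  "name" : "AdminApp",
  "id" : 100,
  "description" : "Only principals carrying role=admin may obtain a ticket for this service (example)",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requireAllAttributes" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "role" : [ "java.util.HashSet", [ "admin" ] ]
    }
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "role", "memberOf" ] ]
  }
}
```

The check runs when CAS issues a ticket for this service: a principal whose `role` attribute is missing or has no value equal to `admin` is denied, and the name and value are compared against exactly what the LDAP or JDBC repository resolved, so spelling and case must match. The released `role` and `memberOf` attributes then let the application apply its own finer-grained authorization, as Richard describes.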





Ramakrishna G

Nov 25, 2019, 12:04:24 AM11/25/19
to CAS Community
Thanks to everyone who responded to this thread.

Regards
-Ram

