RubyCas-Server with Central Application to manage Users and Access

Rémy Binsztock

Dec 7, 2012, 10:00:23 AM
to rubycas...@googlegroups.com
Hi, I read a lot of different threads about RubyCas-Server but I can't find the best way to do it properly, let me explain:

We want to implement RubyCas-Server for SSO with LDAP in our organization, but we also want to manage users and their access across all available applications. So first we thought of modifying RubyCas-Server and adding roles and access authorization to it. The second option is to use one centralised application to manage all users and their access through this application. But we don't know how to handle it with RubyCas-Server properly.

We want to use this because people in our organization have different access and roles in each application. So we need to customize it.

I have tried Cancan and Rolify with Devise on a Rails app to manage user access and roles.

Well, my question is: can we build a centralised app to manage all users and their access with a RubyCas-Server layout?

Or are we obliged to manage each user in each application and remove the automatic user creation when a user connects via RubyCas-Server and this user does not exist in our app?

I tried my best to explain the problem, hope it's understandable.

Thanks a lot :)

Adam Crownoble

Dec 7, 2012, 11:38:57 AM
to rubycas...@googlegroups.com
Hi Rémy,

We're doing something like that now at the university I work for. The way we handle it is that our access managing app gives the users roles and then stores those roles in LDAP. We then configure rubycas-server to pull those roles in from LDAP as extra attributes. Then, when a user logs into an app it grabs their roles in their extra attributes and uses them with declarative_authorization (in our case, but you could do CanCan too) and sets permissions accordingly.

Hope that helps you. Let me know if you have any other implementation questions.

- Adam
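
The role handling described in the message above, as an added example that is not part of the original thread or of rubycas-server's code: an application maps roles received as CAS extra attributes to its own permissions and grants nothing for anything it does not recognise. The attribute key `roles`, the `app:role` naming scheme, the permission table and the sample data are all assumptions made for illustration.

```ruby
require "set"

# Roles each application recognises and the actions they grant (constructed).
ROLE_PERMISSIONS = {
  "wiki"    => { "reader" => %i[read], "editor" => %i[read write] },
  "billing" => { "clerk"  => %i[read], "admin"  => %i[read write refund] }
}.freeze

# Extra attributes can arrive as a single string, a delimited string or an
# array, depending on how the directory stores them, so normalise first.
def normalise_roles(extra_attributes)
  raw = (extra_attributes || {})["roles"]
  values = raw.is_a?(Array) ? raw : raw.to_s.split(/[,\s]+/)
  values.map { |v| v.to_s.strip.downcase }.reject(&:empty?).uniq
end

# Return the set of actions the user may perform in app_name.
# Unknown apps, unknown roles and malformed entries grant nothing.
def permissions_for(app_name, extra_attributes)
  known = ROLE_PERMISSIONS.fetch(app_name, {})
  normalise_roles(extra_attributes).each_with_object(Set.new) do |entry, granted|
    app, role = entry.split(":", 2)
    next unless app == app_name && known.key?(role)
    granted.merge(known[role])
  end
end

def allowed?(app_name, extra_attributes, action)
  permissions_for(app_name, extra_attributes).include?(action)
end

# Constructed sample of the attributes a client might hold after validation.
SAMPLE_ATTRS = { "mail" => "remy@example.org",
                 "roles" => "wiki:editor, billing:clerk, wiki:superuser" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts permissions_for("wiki", SAMPLE_ATTRS).to_a.inspect
  puts allowed?("billing", SAMPLE_ATTRS, :refund)
end
```

Because each application filters on its own prefix, a role issued for one application never widens access in another, and the unrecognised `wiki:superuser` entry is ignored rather than treated as elevated access.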

Rémy Binsztock

Dec 7, 2012, 11:52:56 AM
to rubycas...@googlegroups.com
Hi Adam,

Thanks for your fast response, but my organization does not want to manage user access and roles through Microsoft AD... so how can I handle their access without them?

I read this recently: http://itshouldbeuseful.wordpress.com/2011/02/02/rails-authlogic-and-single-sign-on/ but for me it's not really good, I need something more global to use. Like one big app to manage all users, with RubyCas-Server used like a proxy, but is it possible to use RubyCas-Server just as the connection layer?

I have tested rubycas-client and devise_cas_authenticatable.

And I am still searching for something good and nice to use :)

Adam Crownoble

Dec 7, 2012, 12:02:02 PM
to rubycas...@googlegroups.com
Well, it doesn't have to be AD, that's just what we've used. rubycas-server also has support for extra_attributes with a SQL authenticator or a generic LDAP authenticator. What authenticator are you using now? Even if it's not one of these, extra_attribute support could probably be added to it fairly easily.

- Adam

Rémy Binsztock

Dec 7, 2012, 12:52:58 PM
to rubycas...@googlegroups.com
Hi Adam,

They want to use AD to connect but not to manage user access and roles with it.

Adam Crownoble

Dec 7, 2012, 1:16:55 PM
to rubycas...@googlegroups.com
Well you can always fork the project and add in your own code to go pull the extra_attributes out of your app, via an API or right out of the database or whatever, after a successful authentication with AD.

Also, although authentication and authorization are related they really can function independently. You could still use CAS for authentication and then, after you have the username, query your authorization app for that user's roles.

Robert Mitwicki

Dec 7, 2012, 4:20:39 PM
to rubycas...@googlegroups.com
Hi Remy,
Rubycas is a Central Authentication Service, as you know, and as I understand it you are looking for a Central Authorization Service (not authentication).
To store all roles and groups in one place and give other applications the possibility to reuse them.

I was looking for something like that a few months ago but I couldn't find anything suitable for me.
I am thinking about starting a new module as part of the rubycas project to provide this functionality (CAAS - Central Authentication and Authorization Service) but my time is very limited right now so it will probably not happen soon.

For now I solved my problem by using ActiveLdap (http://ruby-activeldap.rubyforge.org/) and OpenLdap.
In OpenLdap I have all users with roles and groups. ActiveLdap is used as the interface for OpenLdap; it is very easy to use and to integrate with any existing application.
I also created one small application, an "admin panel", where I can add new users and change roles for them (there are many existing applications for that, you can quite easily google something).

This solution is not the best but I think it is one of the simplest.
You can do that in a few days.

I just can't understand why you do not want to use AD/LDAP as the database for users, roles and groups?
If you split those two databases you will have an additional problem with synchronization and probably much more.
You can of course use multiple DITs in LDAP and have those databases in one place; I think ActiveLdap should also handle that, but this is additional work.
Anyway, using ActiveLdap you can quite easily achieve that.

Best regards


Rémy Binsztock

Dec 11, 2012, 10:50:15 AM
to rubycas...@googlegroups.com
Hi Mitfik,

Thanks for your help and answer. Well now, I am thinking of building one big centralized app to manage users and their roles through the app, using RubyCas to authenticate people, but I want to know if it's possible to use a login form in my centralized app that queries the RubyCas-Server to connect the user?

I want to use Windows AD because people know their password and we don't know them, we don't want to reset their passwords and we don't want to use another password. Managing people through AD is nice but we need a big customized system per application used.

Robert Mitwicki

Feb 4, 2013, 8:04:08 AM
to rubycas...@googlegroups.com
> Thanks for your help and answer. Well now, I am thinking of building one big centralized app to manage users and their roles through the app, using RubyCas to authenticate people, but I want to know if it's possible to use a login form in my centralized app that queries the RubyCas-Server to connect the user?

Yes, it is possible through the API, for example. Just check the API branch: https://github.com/mitfik/rubycas-server/tree/api
It will be part of rubycas2.0.

Best regards



--
Robert Mitwicki
Senior Software Engineer
FXI Technologies

Trương Hoàng Dũng

Feb 12, 2013, 6:58:02 AM
to rubycas...@googlegroups.com
In my case, I first mounted RubyCAS as a modular application, then I can mount other apps like account and admin, and each can connect to its own database, its own views, ... I think Sinatra is super flexible for you to customize and extend.