In a test environment, I've set up the following:
1 - Domain Controller Running AD
2 - Web2Py CAS Provider
3 - Web2Py CAS Consumer
- The provider (#2) is able to get groups from #1, and updates them automatically.
- The consumer (3) is using the provider (2) as a CAS provider. This works fine.
- The consumer (3) and the provider (2) are sharing an authdb, which I had hoped would give the consumer access to the groups of the provider.
The issue is that when a user logs into the consumer, the consumer adds a new user into auth_user, so every user has two auth_user records. The first record from the provider is associated with groups, while the second is not, as it is coming from the consumer, and has no idea what groups the provider knows about.
With all that said, I'm hoping there is still a solution. At a high level, I need to support the following:
- Authenticate via AD (already done)
- Get groups from AD (already done)
- Get groups to all consumers (possible if we skip the provider and just have the consumer connect to AD, but that breaks other functionality)
- Single sign on to web2py apps (works, but breaks groups as web2py cas doesn't transfer group membership)
The last two items are really the sticking point, I need single sign-on and groups. In reviewing the underlying code for cas_auth.py, I see that it doesn't support passing member_of, which CAS 2.0 appears to support. Even if it did support group membership, applying those changes to auth would be a fairly major change. Any thoughts on ways to get around these limits?
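As an added illustration of the duplicate auth_user problem described in the post (this is not code from the post, from web2py or from cas_auth.py): a self-contained sqlite3 model of the shared authdb, using web2py's real auth table names, that runs the consumer's first login two ways. The naive path inserts a second auth_user row that carries no memberships, so any authorization check on the consumer sees an empty group list; the hypothetical fix resolves the CAS-asserted username to the provider's existing row before creating one. The column subset, the `source` column and the sample user and group are constructed assumptions.

```python
import sqlite3
# Constructed stand-in for the shared authdb; auth_user/auth_group/auth_membership are
# web2py's real auth table names. No UNIQUE on username, so a duplicate row can appear.
SCHEMA = """
CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT, email TEXT, source TEXT);
CREATE TABLE auth_group (id INTEGER PRIMARY KEY, role TEXT UNIQUE);
CREATE TABLE auth_membership (id INTEGER PRIMARY KEY, user_id INTEGER, group_id INTEGER);
"""

def fresh_authdb():
    """Provider side: one AD-backed user whose group membership is already synced."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO auth_user(username, email, source) VALUES (?, ?, 'provider')",
               ("alice", "alice@example.test"))  # constructed sample user
    db.execute("INSERT INTO auth_group(role) VALUES ('ad_admins')")  # constructed AD group
    db.execute("INSERT INTO auth_membership(user_id, group_id) VALUES (1, 1)")
    return db

def naive_consumer_login(db, username, email):
    """Behaviour from the post: a fresh auth_user row on first CAS login, with no memberships."""
    cur = db.execute("INSERT INTO auth_user(username, email, source) VALUES (?, ?, 'consumer')",
                     (username, email))
    return cur.lastrowid

def resolving_consumer_login(db, username, email):
    """Hypothetical fix: match the CAS-asserted username (validated by the provider) to the
    existing row before creating one, so the session is tied to the record with memberships."""
    row = db.execute("SELECT id FROM auth_user WHERE username = ? ORDER BY id LIMIT 1",
                     (username,)).fetchone()
    if row:
        return row[0]
    return naive_consumer_login(db, username, email)  # no provider record: fall back

def roles_for(db, user_id):
    """Roles the consumer would see for this user via auth_membership."""
    q = ("SELECT g.role FROM auth_group g JOIN auth_membership m ON m.group_id = g.id "
         "WHERE m.user_id = ?")
    return sorted(r for (r,) in db.execute(q, (user_id,)))

def demo():
    """Run both login paths against separate copies of the shared authdb."""
    out = {}
    for name, login in (("naive", naive_consumer_login), ("resolved", resolving_consumer_login)):
        db = fresh_authdb()
        uid = login(db, "alice", "alice@example.test")
        rows = db.execute("SELECT COUNT(*) FROM auth_user").fetchone()[0]
        out[name] = {"user_id": uid, "roles": roles_for(db, uid), "user_rows": rows}
    return out
```

The match relies on the consumer receiving the same username the provider stored; if the CAS attributes differ (a different case or a UPN instead of a sAMAccountName), the lookup misses and the duplicate comes back, so the identifier used for matching has to be the one the provider actually keys on.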