[cas-dev] Where do we discuss the CAS-4 protocol?

Scott Battaglia scott.battaglia at gmail.com
Tue Sep 23 13:22:44 EDT 2008


On Tue, Sep 23, 2008 at 11:25 AM, David Whitehurst <dlwhitehurst at gmail.com> wrote:

> Hi:
>
> Some questions below:
>
> 1) Can CAS not logon across domains? E.g. would the following not
> work,
> http://domain1.com/cas/login?service=http://domain2.com/application1/
CAS works across domains and always has.

> <snip />

> 2) What's the possibility of dropping communication types and using
> SAML for everything? (with CAS-4 of course.)  CAS is the "hot-dog
> stand" so to speak, a service and outside of UI related texts,
> choosing the communication protocol is important.
We'd never drop the CAS protocol as it's easy to use, widely adopted, and has
a large client base.  We'd also probably never exclusively use SAML as it
doesn't support many of the use cases detailed in the CAS, OAuth, and OpenID
protocols. The protocol document page listed in the previous email details all
of the requirements a future version of CAS needs to support, and it
importantly discusses use cases and functionality and not what a specific
protocol supports.

>
> <snip />
>
> I've had discussions about redundancy with CAS servers and with JBoss
> application servers.  It goes on and on, where we need someone at the
> table with a checkbook and a purchase order pad to gather resources.
> It's too much.  There should be some way that the application finds
> "a" CAS server to handle the job.  A very smart JAR for applications
> could be developed that could try "a" CAS server and after a specified
> time, try another if a response was not heard.
We've managed to implement a redundant CAS service with two CAS servers
using CAS and repcache.  We've also managed to provide redundant LDAP
servers with similar hardware requirements.  The same goes for Safeword and
Kerberos.  In fact you'll find that any redundant service is going to
require you to spend some money to deploy multiple servers.  It will also
require infrastructure to be in place.  In addition, if you want high
availability CAS, the services that CAS depends on need to be high
availability. If you don't want to purchase resources to have a highly
available service, then it's pretty much not possible to have a highly
available/redundant service.

You can't merely "try" a CAS server like you would a Kerberos or an LDAP
server because CAS relies on both the application contacting CAS as well as
the browser.  It would be like saying we don't need load-balancing hardware;
web browsers should be smart enough to try multiple servers in a server farm
when I try and access Rutgers' web site.  Because you rely on both the
application and the browser, anything could happen between the check to see
if the CAS server is up and the notification to the browser to redirect.  In
addition, you've still got the issue of session information needing to be
shared between any redundant servers.

-Scott
>
> User authentication could someday in the future be propagated like
> DNS.  Trust could be extended at the same time users on the internet
> kept registering with the same username on various sites.
>
> I'll stop here until I have more specific questions :-)
>
>
> I want to keep questions in this thread as they relate to the CAS-4
> requirements page.  Anything of importance here could be added to
> Confluence if agreed upon.
>
> Thanks,
>
> David
>
> On 9/23/08, Scott Battaglia <scott.battaglia at gmail.com> wrote:
> > David,
> >
> > We're detailing requirements here:
> > http://www.ja-sig.org/wiki/display/CAS/Protocol
> >
> > Discussion is welcome to happen on that document (updating it, comments,
> > etc.) as well as on this list.  In addition, we're going to be having at
> > least one session on it at the UnConference.  I know you probably won't be
> > able to attend the UnConference but we can probably work out some form of
> > video-conferencing/tele-conferencing for those who are
> > interested.
> >
> > At a minimum we can do video chat via my MacBook Pro and point it at the
> > middle of the room ;-)
> >
> > -Scott
> >
> > -Scott Battaglia
> > PGP Public Key Id: 0x383733AA
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> >
> >
> >
> > On Tue, Sep 23, 2008 at 9:44 AM, David Whitehurst <dlwhitehurst at gmail.com> wrote:
> > >
> > > Hi:
> > >
> > > Where do we discuss the CAS-4 protocol and its requirements gathering?
> > >
> > >
> > > Thanks,
> > >
> > > David
> > > _______________________________________________
> > > cas-dev mailing list
> > > cas-dev at tp.its.yale.edu
> > > http://tp.its.yale.edu/mailman/listinfo/cas-dev
> > >
> >
> >
>
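An added example, not from the thread, that models Scott's point above about redundant CAS servers: the application's health check, the browser's redirect to /login and the application's call to /serviceValidate are three separate hops, so a node can fail between any two of them, and a service ticket issued by one node is only accepted by the other if the ticket registry (the "session information") is shared. Server names, the service URL and the ticket format are constructed for illustration, not taken from any CAS implementation.

```python
import secrets

class CasServer:
    """One CAS node. Its ticket registry is private unless a shared one is passed in."""
    def __init__(self, name, shared_registry=None):
        self.name = name
        self.up = True
        self.registry = shared_registry if shared_registry is not None else {}

    def login(self, service):
        """Browser is redirected to /login here and receives a service ticket (ST)."""
        if not self.up:
            raise ConnectionError(f"browser cannot reach {self.name}")
        st = "ST-" + secrets.token_hex(8)      # constructed ticket format
        self.registry[st] = service
        return st

    def service_validate(self, ticket, service):
        """Application calls /serviceValidate: the ST must be known on this node,
        match the service it was issued for, and is consumed on first use."""
        if not self.up:
            raise ConnectionError(f"application cannot reach {self.name}")
        return self.registry.pop(ticket, None) == service

def pick_server(servers):
    """The application-side 'try a CAS server' check: first node that answers."""
    for node in servers:
        if node.up:
            return node
    raise ConnectionError("no CAS server reachable")

def sso_round_trip(servers, service, fail_before_login=False, fail_after_login=False):
    """One login. The node the app checked can die before the browser's redirect lands
    (fail_before_login) or between the browser's login and the app's validation
    (fail_after_login); the app's retry logic cannot help the browser in the first case."""
    node = pick_server(servers)
    if fail_before_login:
        node.up = False                  # app already told the browser to go to this node
    ticket = node.login(service)         # raises here: the browser, not the app, sees the outage
    if fail_after_login:
        node.up = False
    validator = pick_server(servers)     # app retries and may land on the other node
    return validator.service_validate(ticket, service)

def demo(shared_registry, **failure):
    """Two nodes, with or without the shared ticket state Scott says redundancy requires."""
    registry = {} if shared_registry else None
    nodes = [CasServer("cas1", registry), CasServer("cas2", registry)]
    return sso_round_trip(nodes, "https://app.example.edu/", **failure)
```

Without a shared registry the failover validation on cas2 returns False even though the user did log in; with one it succeeds, but a node dying before the browser's redirect lands still fails at the browser regardless.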