CAS, Yale, Authorization and the Logout...
Jakob Külzer
jakob.kuelzer at optimabit.com
Thu Dec 13 09:12:17 EST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello list,

we are currently working on an article about JA-SIG CAS for the
German JavaMagazine and I got most of the article up and standing,
but there are some questions left open so far. I hope this is the
correct list to ask such questions -- if not, please excuse me for
being so bold and be so kind and forward it to the correct list.

Thank you!

But back to topic, my first question is about the history and status
of the CAS project. I'm quite confused about CAS version 2 (and as
we focus on version 2 in the article, I'm keen on getting this
right). If I read the web site and parts of the mailing list
correctly, the Yale distribution of CAS and the JA-SIG distribution
are roughly the same. Is this correct? If not, what is the difference?

CAS is an authentication service and therefore does not offer any
authorization functionality; so the philosophy for performing
authorization is to create a custom component that does authorization
based on the username provided by the CAS authentication?

What about Cross Domain SSO? This should not be a problem as no
cookies are involved but all STs and PTs are transmitted via GET
requests. Do you know of cases where a CAS-based CDSSO has
successfully been introduced?

My next question is about the logout functionality. CAS version 2
supports logout, but can only enforce deletion of the TGC and
destruction of the session of the application requesting the logout
while all other authenticated sessions remain intact. So may I
conclude there is no "global logout" for CAS 2 (at least vanilla CAS)?

My final question: Is it correct that basically every service may
participate in a CAS-based SSO network without any ... well ...
registration? I found a page in the depths of the wiki concerning this
(http://www.ja-sig.org/wiki/display/CAS2/Registered+services%2C+Global+logoff%2C+Service-specific+includes)
but it's not part of vanilla CAS 2?

Please correct me if I got anything wrong, I'd hate to write some
wrong facts about your great project. :)

Thank you very much in advance for all answers.

Regards,
- --------- BEGIN SIGNATURE ----------
Jakob Külzer
OPTIMAbit GmbH, Amtsgericht Muenchen HRB 154057, Geschaeftsfuehrer
Dr. Bruce Sams
Weidenweg 2 85375 Neufahrn GERMANY
mail: jakob.kuelzer at optimabit.com
tel: +49 (0) 8165 65095
web: www.optimabit.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFHYT3DLFnyZ4/kHZ4RAmWnAJ98qX2v7e2WwITLA/VbVDKhQ1/M4ACfcfiD
ugm1R3f+5jMhFmVDtxQQuhU=
=FKSl
-----END PGP SIGNATURE-----