The CAS Experience and Cornell University
Smith, Matt
matt.smith at uconn.edu
Tue May 8 13:29:56 EDT 2007
From the University of Connecticut
> ---begin brief-ish list---
>
> 1.) What were the key factors in your decision to use CAS?
Ability to support custom authenticators, easy Java coding.
>
> 2.) How many services are using CAS?
A few dozen, constantly growing.
>
> 3.) Are you aware of anyone planning to deploy CAS who has changed
> course or has decided to replace it?
Only those who have an investment in Microsoft technologies, and have
steered toward ADFS.
>
> 4.) What authentication db are you using?
Tiered authentication against MIT Kerberos, OpenLDAP, and Active
Directory
>
> 5.) How many active users does it contain?
~70,000
>
> 6.) Were any modifications to CAS required for use in your environment?
We wrote a custom JAAS handler to support our tiered authentication.
>
> 7.) What was your deployment experience like?
> -Approx. time for deployment of central infrastructure?
Quick and easy - install Linux, install Apache/Tomcat, deploy cas.war,
and the prototype was done. Spent a week or so customizing the pages
and writing the JAAS handler for full production deployment.
> -Approx. time per service for deployment?
Quick. Easy Java servlet filter.
> -Approx. FTEs for deployment of central infrastructure?
1.5
> -Approx. FTEs per service?
less than .5
>
> 8.) What has been your experience with ongoing support and maintenance?
> -Approx. FTEs for maintenance of central infrastructure?
Set it and forget it -- almost no maintenance, other than standard Linux
distro patches.
> -Approx. FTEs for maintenance per service?
Varied.
>
> 9.) What mechanisms do you use for authorization on your campus?
ACLs at each application (we do authorization poorly).
>
> 10.) What are you doing to control access to static web content on your
> campus?
ACLs in the form of .htaccess.
>
> 11.) Were any technologies or systems particularly hard or easy to
> integrate with CAS?
We wrote a custom PeopleSoft SSO - CAS component. That took a while.
Also, mod_cas for Apache could use a little TLC.
>
> 12.) Have you been able to adapt CAS use for any vendor applications
> and, if so, how many (and/or which)?
PeopleSoft.
>
> 13.) In your environment, is CAS used for application-to-application
> authentication and in particular for multi-tier applications/systems?
Nope.
>
> 14.) Have you integrated CAS with Apache servers that serve content
> other than JSP apps?
Yes, with a modified mod_cas.
>
> 15.) POST data support: How have you dealt with web applications that
> need to authenticate via CAS on http POST transactions?
We try to avoid that. SSO with expirations, in general, doesn't mix
well with POST'd data.
>
> 16.) What sort of average and peak load does your authentication service
> experience?
Avg, a few hits per second. Peak, less than 100/sec.
CAS/Tomcat/Apache/Linux doesn't even blink. (Make sure you have enough
memory, though, for the JVM.)
>
> 17.) What has been your experience with the performance of CAS?
Excellent.
>
> 18.) How many servers are you currently using to run CAS at your
> institution?
One
>
> 19.) What server hardware are you using?
Virtual Linux image on a z890 mainframe.
>
> 20.) Does your central authentication system protect:
> -Financial data?
> -Student records?
> -data protected by HIPAA?
> -data protected by FERPA?
Yes * 4.
>
> 21.) We’re also interested in your experience with the CAS community.
> More specifically, has the CAS community met your expectations in the
> following areas?
> -support
> -feature requests
> -contributions
>
Very high ratings, parallel with the OpenLDAP and MIT Kerberos
communities.
HTH,
-Matt
> ---end list---
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
--
Matthew J. Smith <matt.smith at uconn.edu>
University of Connecticut UITS