CAS as general single sign on solution for Internet app

Scott Battaglia scott.battaglia at gmail.com
Fri Jan 18 22:15:33 EST 2008


David,

if it helps, there are multiple commercial entities that deploy CAS into
production in the "wild" including Sony Online Entertainment and H.E.P. (I'm
sure there are others too).

-Scott

On Jan 18, 2008 4:24 PM, David Pratt <fairwinds at eastlink.ca> wrote:

> Hi Matt. Thank you for your reply. This is encouraging. There is a
> difference in what I am considering in that there is no starting point
> within an intranet to the external services users wish to consume. My
> use case is simply a user in the wild navigating to one of my apps on
> the Internet and when they hit a page that requires authentication,
> redirecting for sign in, but if they wish to reach another Internet app
> that I manage under another domain, they would already be signed in.
>
> I happen to share a similar view of openid since virtually anyone that
> could set up a server could set themselves up as an identity provider
> with very little in the way of identity vetting. Further, openid does
> not mean unique id and a person may have any number of ids to serve
> their needs (somewhat contrary to the need it is destined to solve). So
> it is possible that people can have a work identity, personal identity,
> and of course an evil identity, etc.
>
> It will be interesting to see what the new year brings. Yahoo and other
> large sites are buying in. I can't see Yahoo doing anything deliberate
> to undermine confidence on the Internet. I will be interested to see how
> they handle their implementation - so will take a wait and see approach
> while I develop capability to use openid. I happen to think it will come
> down to white and black lists of identity providers in order to have
> some trust over who is utilizing your resources. In fact there is
> software popping up to do just that which will look up domains much
> like geo IP location databases:
>
> http://www.mediawiki.org/wiki/Extension:OpenID
>
> It ultimately comes down to who you want to trust but even if this is
> more domains than your own, you've saved someone else the hassle of
> logging in to your app.
>
> Regards,
> David
>
> Smith, Matt wrote:
> > The University of Connecticut is successfully using CAS with a number of
> > external vendor applications.  So, in this regard, we are acting as the
> > "Identity Provider" to "Service Providers" all across the Internet.
> > This has been a very positive experience, as the extranet applications
> > can appear to be part of our service environment.
> >
> > Acting as a Service Provider, allowing OpenID authentication is
> > sufficient if you trust users to *each* be their own "Identity Provider"
> > -- but there are risks that need to be considered.  My biggest one --
> > how do you vet the identity of the user, and the security of their
> > OpenID provider?
> >
> > Running CAS as a single Identity Provider has very little cost, and the
> > benefits are centralized, well-vetted identity, maintained by
> > experienced system administrators.
> >
> > HTH,
> > -Matt
> >
> >
> > On Fri, 2008-01-18 at 13:11 -0400, David Pratt wrote:
> >> Hi. I am generally familiar with the use of CAS authentication for the
> >> intranets. As such I had not properly considered it for a larger
> >> Internet application. Can or should CAS be used in the wild for internet
> >> applications as single sign on?
> >>
> >> Overall, OpenID is emerging in this area as a potential generic
> >> standard. Despite this, I would welcome any insight in using CAS for a
> >> larger scale web application for Internet authentication. All the
> >> largest providers like Google, Yahoo, Microsoft all have their own brand
> >> of authentication - but the mechanisms are very CAS-like.
> >>
> >> If it can be used, any things to watch out for, or anyone already
> >> doing this that can shed light on how it may be working. Any links to
> >> documents or blog articles as reference would be appreciated. No lack
> >> of information on the general mechanism of CAS on Google, just anything
> >> specific about using it as Internet single sign on. Many thanks.
> >>
> >> Regards
> >> David
> >> _______________________________________________
> >> Yale CAS mailing list
> >> cas at tp.its.yale.edu
> >> http://tp.its.yale.edu/mailman/listinfo/cas



-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
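David's message above suggests that trusting OpenID logins will come down to allow and deny lists of identity providers, keyed on the provider's domain. The following is an added example, not code from the thread or from the CAS project, showing what such a relying-party trust check looks like. The provider domains and the identifier URLs are constructed placeholders; the function names `provider_host` and `trust_decision` are my own. The point it makes beyond the text is that the domain match must be a proper suffix match on the normalised host (userinfo, port and case stripped), so that `example.edu.evil.example` is not mistaken for a subdomain of `example.edu`, and that a deny entry should win over an allow entry.

```python
# Added example (not from the mailing list thread): a minimal relying-party
# trust policy for OpenID identifiers, based on allow and deny lists of
# provider domains as suggested in the discussion above.
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed sample policy; these domains are placeholders, not real providers.
ALLOWED_PROVIDER_DOMAINS: Set[str] = {"example.edu", "partner.example"}
DENIED_PROVIDER_DOMAINS: Set[str] = {"evil.example"}


def provider_host(identifier: str) -> Optional[str]:
    """Return the normalised host of an OpenID identifier URL, or None.

    Scheme-less input ("alice.example.edu") is treated as http, the host is
    lower-cased, and userinfo and port are dropped, so that
    "HTTP://admin@Example.EDU:8080/id/alice" normalises to "example.edu".
    Only http and https identifiers are accepted.
    """
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname  # already lower-cased, userinfo and port removed
    if not host:
        return None
    return host.rstrip(".")


def _matches(host: str, domains: Set[str]) -> bool:
    """True if host equals, or is a subdomain of, any listed domain.

    A suffix match on "." + domain is used deliberately: a plain substring or
    endswith(domain) test would let "example.edu.evil.example" or
    "notexample.edu" pass as example.edu.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def trust_decision(identifier: str) -> str:
    """Classify an OpenID identifier as 'deny', 'allow' or 'unknown'.

    Deny is checked first so that a denied domain is rejected even if it also
    falls under an allowed parent domain. 'unknown' is left to the
    application's policy (reject, or accept with reduced privileges).
    """
    host = provider_host(identifier)
    if host is None:
        return "deny"
    if _matches(host, DENIED_PROVIDER_DOMAINS):
        return "deny"
    if _matches(host, ALLOWED_PROVIDER_DOMAINS):
        return "allow"
    return "unknown"


if __name__ == "__main__":
    for ident in ("https://alice.example.edu/",
                  "http://example.edu.evil.example/",
                  "https://someone.openid.example/"):
        print(ident, "->", trust_decision(ident))
```

An application would call `trust_decision` on the claimed identifier before starting the OpenID discovery step, and treat `unknown` according to its own policy rather than silently allowing it.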