[Building Sakai] [stuart.freeman at et.gatech.edu: [oae-dev] CAS Authentication for Hybrid deployments]

D. Stuart Freeman stuart.freeman at et.gatech.edu
Thu Oct 13 12:43:44 PDT 2011


This hasn't been getting any response on oae-dev; maybe there are more
CAS experts on sakai-dev...

----- Forwarded message from "D. Stuart Freeman" <stuart.freeman at et.gatech.edu> -----

Date: Tue, 11 Oct 2011 10:36:22 -0400
From: "D. Stuart Freeman" <stuart.freeman at et.gatech.edu>
To: oae-dev at collab.sakaiproject.org
Subject: [oae-dev] CAS Authentication for Hybrid deployments

I've been trying to deploy Hybrid with OAE on a separate node from CLE
where we'd preserve the ability to log into our CLE instance but allow
early adopters to log into the OAE instance and have access to their CLE
sites through the hybrid integration. I apologize in advance for the
length of this message.

We do SSO with CAS and it appears that for hybrid to work the CAS service
URL on our CLE instance has to be updated to be the hybrid frontend, but
that breaks the ability to log into CLE directly. I've come up with a few
potential solutions, and I'd like to get some community feedback.

First, I have what I'm calling "split config", where I'd remove some CLE
servers from our load balancer and configure only those servers to be the
CLE side of my hybrid instance. That way anyone going to the CLE URL gets
load balanced to the servers with the unmodified config, and anyone going
to hybrid gets directed to the servers that have the updated config. I
like the simplicity of the implementation of this, but I don't like that
it would diminish the capacity of our CLE instance or that we'd need to keep
track of which CLE servers should be configured which way.

The second solution that comes to mind is having our CLE server use a new
auth filter that first tries the hybrid nakamuraAuthFilter and if that
fails falls back to the CAS auth filter. I'm not sure how much latency
this would introduce to the auth process though, particularly if the OAE
side of our hybrid was down for some reason.

The third solution, which I suspect is the technically correct one, would
be CAS Proxy Tickets. I'm not particularly familiar with them, but if I
understand correctly this would allow OAE/hybrid to request a CAS ticket
for CLE and pass that ticket along when it's proxying the CLE content
into the hybrid view. I am not sure of the extent of modification on the
OAE side required to make this work.

Can someone with knowledge of CAS Proxy Tickets confirm that this
would work, and explain what we'd have to do to the hybrid code to
implement it?

Thanks,
-- 
D. Stuart Freeman
Georgia Institute of Technology




----- End forwarded message -----

-- 
D. Stuart Freeman
Georgia Institute of Technology
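
The proxy-ticket exchange raised as the third option above, sketched against the CAS 2.0 protocol endpoints (`/proxy` and `/proxyValidate`) as an added example; it is not part of the original message or of Sakai's code. The host names, ticket values, sample XML and the trusted-proxy allowlist are constructed assumptions.

```python
"""CAS 2.0 proxy-ticket flow: OAE requests a ticket for CLE, CLE validates it."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS = "https://cas.example.edu/cas"              # assumed CAS server
CLE = "https://cle.example.edu/portal"           # assumed CLE service URL
OAE_PGT_URL = "https://oae.example.edu/cas/pgt"  # assumed OAE proxy callback

def proxy_url(pgt):
    """Step 1 (OAE): ask CAS for a proxy ticket scoped to the CLE service."""
    return f"{CAS}/proxy?" + urlencode({"pgt": pgt, "targetService": CLE})

def proxy_ticket(xml_text):
    """Step 2 (OAE): pull the PT out of the /proxy response, or None."""
    node = ET.fromstring(xml_text).find("cas:proxySuccess/cas:proxyTicket", NS)
    return node.text.strip() if node is not None and node.text else None

def validate_url(ticket):
    """Step 3 (CLE): validate the PT against CLE's own service URL."""
    return f"{CAS}/proxyValidate?" + urlencode({"service": CLE, "ticket": ticket})

def proxied_user(xml_text, trusted_proxies):
    """Step 4 (CLE): return the user only if every proxy in the chain is trusted."""
    ok = ET.fromstring(xml_text).find("cas:authenticationSuccess", NS)
    if ok is None:
        return None                      # authenticationFailure or malformed
    chain = [(p.text or "").strip() for p in ok.findall("cas:proxies/cas:proxy", NS)]
    if not chain or any(p not in trusted_proxies for p in chain):
        return None                      # not proxied, or proxied by an unknown host
    return ok.findtext("cas:user", default="", namespaces=NS).strip() or None

# Constructed sample responses (not captured from a real CAS server).
XMLNS = 'xmlns:cas="http://www.yale.edu/tp/cas"'
SAMPLE_PROXY_OK = (f"<cas:serviceResponse {XMLNS}><cas:proxySuccess>"
                   "<cas:proxyTicket>PT-1-constructed</cas:proxyTicket>"
                   "</cas:proxySuccess></cas:serviceResponse>")
SAMPLE_VALIDATE_OK = (f"<cas:serviceResponse {XMLNS}><cas:authenticationSuccess>"
                      "<cas:user>sampleuser</cas:user><cas:proxies>"
                      f"<cas:proxy>{OAE_PGT_URL}</cas:proxy></cas:proxies>"
                      "</cas:authenticationSuccess></cas:serviceResponse>")
SAMPLE_VALIDATE_FAIL = (f"<cas:serviceResponse {XMLNS}><cas:authenticationFailure "
                        'code="INVALID_TICKET">constructed</cas:authenticationFailure>'
                        "</cas:serviceResponse>")

if __name__ == "__main__":
    pt = proxy_ticket(SAMPLE_PROXY_OK)
    print(proxy_url("PGT-1-constructed"), validate_url(pt), sep="\n")
    print(proxied_user(SAMPLE_VALIDATE_OK, {OAE_PGT_URL}))
```

The allowlist check in step 4 is what keeps the CLE side from honouring tickets proxied by any other CAS-registered service; direct CLE logins would continue to use ordinary service tickets.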