[Building Sakai] [stuart.freeman at et.gatech.edu: [oae-dev] CAS Authentication for Hybrid deployments]

Steve Swinsburg steve.swinsburg at gmail.com
Thu Oct 13 14:20:20 PDT 2011


Hi Stuart,

You might also want to run this past the CAS mailing lists: http://www.jasig.org/cas/mailing-lists

cheers,
Steve

On 14/10/2011, at 6:43 AM, D. Stuart Freeman wrote:

> This hasn't been getting any response on oae-dev, maybe there are more
> CAS experts on sakai-dev...
> 
> ----- Forwarded message from "D. Stuart Freeman" <stuart.freeman at et.gatech.edu> -----
> 
> Date: Tue, 11 Oct 2011 10:36:22 -0400
> From: "D. Stuart Freeman" <stuart.freeman at et.gatech.edu>
> To: oae-dev at collab.sakaiproject.org
> Subject: [oae-dev] CAS Authentication for Hybrid deployments
> 
> I've been trying to deploy Hybrid with OAE on a separate node from CLE
> where we'd preserve the ability to log into our CLE instance but allow
> early adopters to log into the OAE instance and have access to their CLE
> sites through the hybrid integration. I apologize in advance for the
> length of this message.
> 
> We do SSO with CAS and it appears that for hybrid to work the CAS service
> URL on our CLE instance has to be updated to be the hybrid frontend, but
> that breaks the ability to log into CLE directly. I've come up with a few
> potential solutions, and I'd like to get some community feedback.
> 
> First, I have what I'm calling "split config", where I'd remove some CLE
> servers from our load balancer and configure only those servers to be the
> CLE side of my hybrid instance. That way anyone going to the CLE URL gets
> load balanced to the servers with the unmodified config, and anyone going
> to hybrid gets directed to the servers that have the updated config. I
> like the simplicity of the implementation of this, but I don't like that
> it would diminish the capacity of our CLE instance nor needing to keep
> track of which CLE servers should be configured which way.
> 
> The second solution that comes to mind is having our CLE server use a new
> auth filter that first tries the hybrid nakamuraAuthFilter and if that
> fails falls back to the CAS auth filter. I'm not sure how much latency
> this would introduce to the auth process though, particularly if the OAE
> side of our hybrid was down for some reason.
> 
> The third solution, which I suspect is the technically correct one, would
> be CAS Proxy Tickets. I'm not particularly familiar with them, but if I
> understand correctly this would allow OAE/hybrid to request a CAS ticket
> for CLE and pass that ticket along when it's proxying the CLE content
> into the hybrid view. I am not sure of the extent of modification on the
> OAE side required to make this work.
> 
> Can someone with knowledge of CAS Proxy Tickets confirm that this
> would work, and explain what we'd have to do to the hybrid code to
> implement it?
> 
> Thanks,
> -- 
> D. Stuart Freeman
> Georgia Institute of Technology
> 
> 
> 
> 
> ----- End forwarded message -----
> 
> -- 
> D. Stuart Freeman
> Georgia Institute of Technology
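The proxy-ticket flow asked about in the forwarded message, as an added example (not part of the thread and not Sakai or OAE code): the proxying side exchanges its proxy-granting ticket at CAS `/proxy` for a proxy ticket aimed at CLE, and CLE validates that ticket at `/proxyValidate`, accepting it only when the proxy chain is a single allowlisted callback. Host names, ticket values and the sample XML are constructed assumptions; the endpoints and element names are those of the CAS 2.0 protocol.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS = "https://cas.example.edu/cas"             # assumed CAS server base URL
CLE_SERVICE = "https://cle.example.edu/portal"  # assumed CLE service URL
# Assumed pgtUrl callback of the hybrid (OAE) frontend; the only trusted proxy.
TRUSTED_PROXIES = {"https://oae.example.edu/cas/pgtCallback"}
NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample /proxy success response.
PROXY_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:proxySuccess><cas:proxyTicket>PT-1-constructed</cas:proxyTicket></cas:proxySuccess>
</cas:serviceResponse>"""

def proxy_request_url(pgt):
    """OAE side: URL that exchanges a proxy-granting ticket for a proxy ticket."""
    return f"{CAS}/proxy?" + urlencode({"targetService": CLE_SERVICE, "pgt": pgt})

def parse_proxy_response(xml_text):
    """OAE side: return the proxy ticket from a /proxy response, or None."""
    node = ET.fromstring(xml_text).find("cas:proxySuccess/cas:proxyTicket", NS)
    return node.text.strip() if node is not None else None

def validate_url(ticket):
    """CLE side: URL that validates a ticket against CLE's own service URL."""
    return f"{CAS}/proxyValidate?" + urlencode({"service": CLE_SERVICE, "ticket": ticket})

def accept_user(xml_text):
    """CLE side: user id if validation succeeded and any proxy chain is a
    single allowlisted proxy; None otherwise."""
    ok = ET.fromstring(xml_text).find("cas:authenticationSuccess", NS)
    if ok is None:
        return None
    chain = [p.text.strip() for p in ok.findall("cas:proxies/cas:proxy", NS)]
    # An empty chain is an ordinary service ticket, so direct CLE login still works.
    if chain and (len(chain) != 1 or chain[0] not in TRUSTED_PROXIES):
        return None
    user = ok.findtext("cas:user", namespaces=NS)
    return user.strip() if user else None

def sample_validation(user, proxies):
    """Build a constructed /proxyValidate success response for the demo."""
    items = "".join(f"<cas:proxy>{p}</cas:proxy>" for p in proxies)
    return ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
            f"<cas:authenticationSuccess><cas:user>{user}</cas:user>"
            f"<cas:proxies>{items}</cas:proxies></cas:authenticationSuccess>"
            "</cas:serviceResponse>")
```

Because the ticket is issued for CLE's own service URL, the CLE configuration does not need to point at the hybrid frontend for this check to pass.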


