[Building Sakai] [stuart.freeman at et.gatech.edu: [oae-dev] CAS Authentication for Hybrid deployments]
Steve Swinsburg
steve.swinsburg at gmail.com
Thu Oct 13 14:20:20 PDT 2011
Hi Stuart,
You might also want to run this past the CAS mailing lists: http://www.jasig.org/cas/mailing-lists
cheers,
Steve
On 14/10/2011, at 6:43 AM, D. Stuart Freeman wrote:
> This hasn't been getting any response on oae-dev, maybe there are more
> CAS experts on sakai-dev...
>
> ----- Forwarded message from "D. Stuart Freeman" <stuart.freeman at et.gatech.edu> -----
>
> Date: Tue, 11 Oct 2011 10:36:22 -0400
> From: "D. Stuart Freeman" <stuart.freeman at et.gatech.edu>
> To: oae-dev at collab.sakaiproject.org
> Subject: [oae-dev] CAS Authentication for Hybrid deployments
>
> I've been trying to deploy Hybrid with OAE on a separate node from CLE
> where we'd preserve the ability to log into our CLE instance but allow
> early adopters to log into the OAE instance and have access to their CLE
> sites through the hybrid integration. I apologize in advance for the
> length of this message.
>
> We do SSO with CAS and it appears that for hybrid to work the CAS service
> URL on our CLE instance has to be updated to be the hybrid frontend, but
> that breaks the ability to log into CLE directly. I've come up with a few
> potential solutions, and I'd like to get some community feedback.
>
> First, I have what I'm calling "split config", where I'd remove some CLE
> servers from our load balancer and configure only those servers to be the
> CLE side of my hybrid instance. That way anyone going to the CLE URL gets
> load balanced to the servers with the unmodified config, and anyone going
> to hybrid gets directed to the servers that have the updated config. I
> like the simplicity of the implementation of this, but I don't like that
> it would diminish the capacity of our CLE instance nor needing to keep
> track of which CLE servers should be configured which way.
>
> The second solution that comes to mind is having our CLE server use a new
> auth filter that first tries the hybrid nakamuraAuthFilter and if that
> fails falls back to the CAS auth filter. I'm not sure how much latency
> this would introduce to the auth process though, particularly if the OAE
> side of our hybrid was down for some reason.
>
> The third solution, which I suspect is the technically correct one, would
> be CAS Proxy Tickets. I'm not particularly familiar with them, but if I
> understand correctly this would allow OAE/hybrid to request a CAS ticket
> for CLE and pass that ticket along when it's proxying the CLE content
> into the hybrid view. I am not sure of the extent of modification on the
> OAE side required to make this work.
>
> Can someone with knowledge of CAS Proxy Tickets confirm that this
> would work, and explain what we'd have to do to the hybrid code to
> implement it?
>
> Thanks,
> --
> D. Stuart Freeman
> Georgia Institute of Technology
>
> ----- End forwarded message -----
>
> --
> D. Stuart Freeman
> Georgia Institute of Technology
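
Added example, not part of the original thread and not Sakai or OAE code: the CAS 2.0 proxy-ticket exchange that the forwarded message asks about, showing the request the proxying application makes and the proxy-chain check the target service applies to the `/proxyValidate` response. The hostnames, ticket values, callback URL and sample XML bodies are constructed assumptions.

```python
# Added example: CAS 2.0 proxy-ticket exchange, standard library only.
# Hostnames, ticket values and XML bodies are constructed samples.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"cas": "http://www.yale.edu/tp/cas"}
OAE_CALLBACK = "https://oae.example.edu/cas/pgtCallback"  # assumed pgtUrl of the hybrid frontend

SAMPLE_PROXY_RESPONSE = (
    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas"><cas:proxySuccess>'
    '<cas:proxyTicket>PT-1-constructed</cas:proxyTicket>'
    '</cas:proxySuccess></cas:serviceResponse>')
SAMPLE_VALIDATE_RESPONSE = (
    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas"><cas:authenticationSuccess>'
    '<cas:user>jdoe</cas:user>'
    '<cas:proxies><cas:proxy>' + OAE_CALLBACK + '</cas:proxy></cas:proxies>'
    '</cas:authenticationSuccess></cas:serviceResponse>')

def proxy_request_url(cas_base, pgt, target_service):
    """Proxying side (OAE): URL that trades its PGT for a ticket scoped to CLE."""
    return cas_base + "/proxy?" + urlencode({"targetService": target_service, "pgt": pgt})

def parse_proxy_ticket(xml_text):
    """Proxying side: pull the PT out of a /proxy response; fail closed otherwise."""
    pt = ET.fromstring(xml_text).findtext(
        "cas:proxySuccess/cas:proxyTicket", default="", namespaces=NS).strip()
    if not pt:
        raise ValueError("CAS did not issue a proxy ticket")
    return pt

def validate_proxied_login(xml_text, trusted_proxies):
    """Target side (CLE): accept a /proxyValidate response only if every
    proxy in the chain is one this service has chosen to trust."""
    ok = ET.fromstring(xml_text).find("cas:authenticationSuccess", NS)
    if ok is None:
        raise PermissionError("CAS rejected the ticket")
    chain = [(p.text or "").strip() for p in ok.findall("cas:proxies/cas:proxy", NS)]
    untrusted = [p for p in chain if p not in trusted_proxies]
    if untrusted:
        raise PermissionError("untrusted proxy in chain: %r" % untrusted)
    user = ok.findtext("cas:user", default="", namespaces=NS).strip()
    if not user:
        raise PermissionError("no user in CAS response")
    return user, chain

if __name__ == "__main__":
    print(proxy_request_url("https://cas.example.edu/cas", "PGT-1-constructed",
                            "https://cle.example.edu/portal"))
    print(parse_proxy_ticket(SAMPLE_PROXY_RESPONSE))
    print(validate_proxied_login(SAMPLE_VALIDATE_RESPONSE, {OAE_CALLBACK}))
```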