[Building Sakai] [stuart.freeman at et.gatech.edu: [oae-dev] CAS Authentication for Hybrid deployments]

D. Stuart Freeman stuart.freeman at et.gatech.edu
Mon Oct 17 08:37:42 PDT 2011


Thanks Steve,

I've followed up with them; if anyone else wants to follow the
conversation over there, it's at:

https://lists.wisc.edu/read/messages?id=15384113

On Fri, Oct 14, 2011 at 08:20:20AM +1100, Steve Swinsburg wrote:
> Hi Stuart,
> 
> You might also want to run this past the CAS mailing lists: http://www.jasig.org/cas/mailing-lists
> 
> cheers,
> Steve
> 
> On 14/10/2011, at 6:43 AM, D. Stuart Freeman wrote:
> 
> > This hasn't been getting any response on oae-dev, maybe there are more
> > CAS experts on sakai-dev...
> > 
> > ----- Forwarded message from "D. Stuart Freeman" <stuart.freeman at et.gatech.edu> -----
> > 
> > Date: Tue, 11 Oct 2011 10:36:22 -0400
> > From: "D. Stuart Freeman" <stuart.freeman at et.gatech.edu>
> > To: oae-dev at collab.sakaiproject.org
> > Subject: [oae-dev] CAS Authentication for Hybrid deployments
> > 
> > I've been trying to deploy Hybrid with OAE on a separate node from CLE
> > where we'd preserve the ability to log into our CLE instance but allow
> > early adopters to log into the OAE instance and have access to their CLE
> > sites through the hybrid integration. I apologize in advance for the
> > length of this message.
> > 
> > We do SSO with CAS and it appears that for hybrid to work the CAS service
> > URL on our CLE instance has to be updated to be the hybrid frontend, but
> > that breaks the ability to log into CLE directly. I've come up with a few
> > potential solutions, and I'd like to get some community feedback.
> > 
> > First, I have what I'm calling "split config", where I'd remove some CLE
> > servers from our load balancer and configure only those servers to be the
> > CLE side of my hybrid instance. That way anyone going to the CLE URL gets
> > load balanced to the servers with the unmodified config, and anyone going
> > to hybrid gets directed to the servers that have the updated config. I
> > like the simplicity of the implementation of this, but I don't like that
> > it would diminish the capacity of our CLE instance nor needing to keep
> > track of which CLE servers should be configured which way.
> > 
> > The second solution that comes to mind is having our CLE server use a new
> > auth filter that first tries the hybrid nakamuraAuthFilter and if that
> > fails falls back to the CAS auth filter. I'm not sure how much latency
> > this would introduce to the auth process though, particularly if the OAE
> > side of our hybrid was down for some reason.
> > 
> > The third solution, which I suspect is the technically correct one, would
> > be CAS Proxy Tickets. I'm not particularly familiar with them, but if I
> > understand correctly this would allow OAE/hybrid to request a CAS ticket
> > for CLE and pass that ticket along when it's proxying the CLE content
> > into the hybrid view. I am not sure of the extent of modification on the
> > OAE side required to make this work.
> > 
> > Can someone with knowledge of CAS Proxy Tickets confirm that this
> > would work, and explain what we'd have to do to the hybrid code to
> > implement it?
> > 
> > Thanks,
> > -- 
> > D. Stuart Freeman
> > Georgia Institute of Technology
> > 
> > 
> > ----- End forwarded message -----
> > 
> > -- 
> > D. Stuart Freeman
> > Georgia Institute of Technology
> 

-- 
D. Stuart Freeman
Georgia Institute of Technology
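
Added example, not part of the original message and not Sakai or hybrid code: a sketch of the check a CLE-side service could apply to a CAS 2.0 `/proxyValidate` response under the proxy-ticket option described in the quoted message. It accepts a direct login (no proxy chain) and accepts a proxied one only when every proxy callback is on an allow-list. The host names, callback URL, user name and sample responses are constructed assumptions.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 response namespace
# Assumption: pgtUrl callback of the one hybrid frontend allowed to proxy into CLE.
TRUSTED_PROXIES = {"https://oae.example.edu/cas/pgtCallback"}

def check_proxy_validate(xml_text, trusted=TRUSTED_PROXIES):
    """Return (user, proxy_chain) from a /proxyValidate response, or raise ValueError."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError("CAS rejected ticket: " + failure.get("code", "UNKNOWN"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed CAS response")
    user = (success.findtext("cas:user", default="", namespaces=CAS_NS) or "").strip()
    if not user:
        raise ValueError("CAS response has no user")
    chain = [p.text.strip()
             for p in success.findall("cas:proxies/cas:proxy", CAS_NS) if p.text]
    # An empty chain is a direct login; otherwise every hop must be allow-listed,
    # so a ticket proxied by some other CAS client is not honoured by CLE.
    untrusted = [p for p in chain if p not in trusted]
    if untrusted:
        raise ValueError("untrusted proxy in chain: " + ", ".join(untrusted))
    return user, chain

def _response(body):
    # Wraps a constructed body in the CAS 2.0 envelope (sample data only).
    return ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
            + body + "</cas:serviceResponse>")

def _success(proxies):
    hops = "".join("<cas:proxy>%s</cas:proxy>" % p for p in proxies)
    chain = "<cas:proxies>%s</cas:proxies>" % hops if proxies else ""
    return _response("<cas:authenticationSuccess><cas:user>jdoe</cas:user>"
                     + chain + "</cas:authenticationSuccess>")

# Constructed responses: direct login, proxied by the hybrid frontend,
# proxied by an unknown client, and a rejected ticket.
DIRECT = _success([])
PROXIED = _success(["https://oae.example.edu/cas/pgtCallback"])
ROGUE = _success(["https://other.example.edu/callback"])
FAILED = _response('<cas:authenticationFailure code="INVALID_TICKET">'
                   "ticket not recognized</cas:authenticationFailure>")
```
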