[英]CAS and SAML2 SSO by example
We have about a dozen internal admin web apps (mostly Java) that employees use for various workflows, and each of them have their own, disparate sign-in/authentication systems. 我们有大约十二个内部管理Web应用程序(主要是Java)供员工用于各种工作流,并且每个应用程序都有各自不同的登录/身份验证系统。 I've been asked to federate them all together under a single sing-on system.
我被要求在一个单一的单一系统上将它们全部联合在一起。 I was handed the following diagram to use as a starting point:
我收到了下图,以此作为起点:
As you can see, each app uses a CAS client to connect to a CAS server. 如您所见,每个应用程序都使用CAS客户端连接到CAS服务器。 This server also has Apache httpd with a Shibboleth plugin (?) configured.
该服务器还具有配置了Shibboleth插件(?)的Apache httpd。 This CAS server then communicates with our Active Directory ("AD") server.
然后,该CAS服务器与我们的Active Directory(“ AD”)服务器进行通信。
I need to make sure I completely understand how these technologies all work together: 我需要确保我完全了解这些技术如何协同工作:
Here are a few of your answers: 以下是您的一些答案:
First, let me give you a quick overview of how the interaction between a CAS client and a CAS server normally works: (I am not familiar with the Shibboleth portion, so I am omitting that.) 首先,让我简要概述一下CAS客户端和CAS服务器之间的交互如何正常工作:(我不熟悉Shibboleth部分,因此省略了它。)
Now for your questions: 现在为您的问题:
If you are doing primarily CAS and you have the ability to do your own CAS clients in your applications, CAS can be a very nice solution. 如果您主要从事CAS并且可以在您的应用程序中拥有自己的CAS客户,那么CAS可能是一个很好的解决方案。 Unfortunately, CAS does not have full SAML2 support, using it's own protocol instead, though CAS's protocol is very similar to the ARTIFACT profile for SAML2.
不幸的是,尽管CAS的协议与SAML2的ARTIFACT配置文件非常相似,但CAS并没有使用它自己的协议来完全支持SAML2。 If you want to integrate with other SAML2 clients, some work needs to be done.
如果要与其他SAML2客户端集成,则需要完成一些工作。
Also, if your java applications happen to use Spring, Spring security includes a CAS client out of the box. 另外,如果您的Java应用程序恰好使用Spring,则Spring安全性包括开箱即用的CAS客户端。
It is also pretty easy to write a custom client as you can see that the protocol is not terribly complex. 编写自定义客户端也很容易,因为您可以看到协议并不十分复杂。
Also, while it is a bit more work and can be a pain to set up, if your employees already login to your domain via windows, then you can actually piggy back on that and configure CAS to use the windows login information users have already provided rather than prompting users with a login form making them re-enter their windows credentials. 另外,虽然工作量更大,并且设置起来可能很麻烦,但是如果您的员工已经通过Windows登录到您的域,那么您实际上可以承担此费用,并将CAS配置为使用用户已经提供的Windows登录信息而不是使用登录表单提示用户,使他们重新输入Windows凭据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.