Hi all,
I am doing research on the adoption of CAS.
Background: my company is a healthcare company (managing many hospitals
and offering a 24x7x365 business) that runs hundreds of in-house developed
systems, as well as some acquired 3rd party products.
Currently, the in-house developed systems have their own
authentication/authorization mechanisms, mostly:
1. user credentials & attributes stored in a DB
2. Active Directory for authentication and a DB for user attributes
There is dedicated support for the maintenance of each system
and, when downtime is required, support will liaise with users to arrange
it. There won't be a period during which all systems can be down for
maintenance.
To reduce the repeated effort spent on authentication and authorization in
each system, I am checking whether we can adopt CAS to help, especially with:
1. OpenID Connect 1.0 + JWT (to achieve single sign-on in the future)
2. OAuth 2.0 (password grant) + JWT (seems to be a good path for migration,
and finally to OpenID Connect)
3. SAML2/Kerberos (mainly for backward compatibility)
My concerns about CAS adoption are:
1. Is CAS flexible enough to be extended to cater for future
authentication requirements? We will definitely be requested to support more
and more authentication mechanisms (e.g. FIDO2, RSA hardware tokens [with
custom username/password paddings], trusted device registration, etc.).
I found there is not much documentation telling developers how to extend the
CAS login flow (custom authenticator
<https://apereo.github.io/cas/6.0.x/installation/Configuring-Custom-Authentication.html>
/
MFA <https://apereo.github.io/cas/6.0.x/mfa/Custom-MFA-Authentication.html>).
Is there a starter guide for CAS development (e.g. a detailed system flow /
architecture diagram)?
2. For high availability, in my company the CAS service needs to be
deployed to 2 or more datacenters. Can you share your experience of CAS
high availability (in terms of maintenance and setup, stability,
performance, etc.)?
3. After adopting CAS, all systems will make use of it/depend on it.
I am worried about system updates/patching, as we cannot have a period to
shut down all CAS instances for upgrade/patching (which would impact ALL
systems, whereas currently an individual system being down for maintenance has
a smaller impact on hospital operations).
Can you share your experience of system upgrades/patching? Do you have
experience updating CAS (say from 5.x to 6.x) without downtime?
4. Where can I find the unknown security issues/vulnerabilities of each CAS
version? I am only able to find this
<https://www.cvedetails.com/product/31065/Apereo-Central-Authentication-Service.html?vendor_id=15236>
and
the CAS security mailing list
<https://groups.google.com/a/apereo.org/forum/#!forum/cas-appsec-public>.
5. Unlike with commercial products, we can't request to backport a fix from
a newer version to an older version, but upgrading CAS seems not easy. How do
you cater for that? Do you have a good strategy?
6. For authorization (like who can perform what function in which
system) with OpenID Connect JWT tokens, has anybody tried to put the permissions
in the scope field and check that for authorization? How do you enforce
authorization? Use of OAuth 2.0 UMA seems to make the system more complicated.
Thank you.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
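Question 6 above asks about carrying permissions in the JWT and enforcing them. The following is an added example, not code from the original post or from Apereo CAS: a minimal resource-server check that verifies the token before trusting any claim, gates the API on the coarse `scope` value, and takes per-system permissions from a hypothetical `perms` claim. It assumes HS256 with a constructed shared secret (a CAS/OIDC deployment would normally sign with RS256 keys published via JWKS) and an assumed audience value `lab-results-api`.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-shared-secret"   # constructed for this example only
AUDIENCE = "lab-results-api"     # hypothetical resource-server identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, scope: list, perms: dict, ttl: int = 300) -> str:
    """Stand-in for the IdP token endpoint: compact HS256 JWT carrying
    a space-separated 'scope' and a hypothetical per-system 'perms' claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = {"sub": sub, "aud": AUDIENCE, "exp": int(time.time()) + ttl,
            "scope": " ".join(scope), "perms": perms}
    payload = _b64url(json.dumps(body).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str):
    """Return the claims only if alg, signature, audience and expiry check out."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # reject alg=none
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, AttributeError, UnicodeDecodeError):
        return None
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= time.time():
        return None
    return claims


def is_allowed(token: str, system: str, action: str) -> bool:
    """Resource-server decision: the coarse scope gates the API, and the
    fine-grained permission must come from the verified 'perms' claim."""
    claims = verify_token(token)
    if claims is None or system not in claims.get("scope", "").split():
        return False
    return action in claims.get("perms", {}).get(system, [])
```

A client that edits the payload to add a permission fails the signature check, so the decision is only ever taken on claims the issuer actually signed.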