Hi Andy,

   Many thanks for your advice and sharing.
 
   I put more queries below, highlighted in yellow; I hope you have time to 
have a look.
  
   Thanks.

On Friday, April 19, 2019 at 3:08:05 PM UTC+8, Andy Ng wrote:
>
> Hi Paul,
>
> After one and a half years of upgrading and maintaining our company's CAS, I 
> think I will share some of my experience on your questions here:
>
> 1. Is CAS flexible enough to extend to cater for future authentication 
> requirements?
>     - If your requirement is a standard requirement, you usually can see 
> that implemented in CAS 5 or above
>            - In my case, I have SAML2, CAS and OAuth2 together in both 
> mobile and web, and they can still all do SSO no problem
>     - If you have some really custom authentication / authorization 
> requirements (like us!), you can always use the custom authentication 
> handler to customize your own stuff 
> https://apereo.github.io/2017/02/02/cas51-authn-handlers/
>
      (I definitely require custom authentication, as my company has 
special requirements on audit and compliance. Sometimes, business users want 
to alter the authentication flow [e.g. add a security warning]. As internal 
IT, we need to fulfil their requests, which are unknown now. 
       So, for such uncertainty, I definitely want a product that is easy 
to customize. And I found there are not many resources about CAS 
architecture/authentication flow and guidelines for customization.
       Do you know where I can find such resources?)

>     - I can't say about the future, but I can give you some experience 
> about the past:
>         - The upgrade from CAS 4 to CAS 5 was very painful because CAS 
> changed a lot from 4 to 5; the change from 4 to 5 is much greater than 
> the one from 5 to 6.
>         - However, after upgrading from 4 to 5, everything is still 
> working completely fine (our company started with CAS 3), so the dev team in 
> CAS definitely make sure services are backward compatible.
>
       (Can you please briefly talk about the painful experience? Is it 
about rewriting all your custom code or data patching? This is one of the 
points I am concerned about.
        Also, does the upgrade involve downtime?)

>
> 2. For high availability, in my company, the CAS service needs to be 
> deployed to 2 or more datacenters
>     - Our server is very stable with our own high availability setup; you 
> might see some opinions of other people on this thread too (
> https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/david$20high$20availability%7Csort:date/cas-user/tCk7jJz5pnE/7cXWmHd0BgAJ
> )
>
       (If we adopt CAS, I probably need to deploy it to a private or public 
cloud (as a docker image), which is another headache; we need dynamic CAS 
instance discovery, caching, cross-datacenter data sync... I am not able to 
find a step-by-step guideline to set it up. 
        For high availability setup (and validation/verification), what is your 
experience? Easy, or does it need trial and error?)

>
> 3. After adoption of CAS, all systems will make use of it/depend on it; I 
> am worried about system update/patching as we cannot have a period to 
> shut down all CAS instances for upgrade/patching
>    - We also cannot have downtime during maintenance; you (most of the 
> time) don't need to shut down all CAS instances for an upgrade. 
>    - However, users might get logged out after the upgrade if the ticketing 
> system (like Hazelcast) has been upgraded
>
      (This sounds very good; forcing users to log out is acceptable for a 
system upgrade/patch, but downtime for a long period is nearly unacceptable 
for us. Did you ever encounter a case that needed a shutdown of all CAS 
instances?)

>
> 4. Where can I find known security issues/vulnerabilities of each CAS 
> version? I am just able to find this and the CAS security mailing list.
>   - Don't quote me on that, but the security mailing list is also the only 
> place I found CAS vulnerabilities.
>   - With CAS using a lot of libraries, it might be very difficult to 
> keep track of all the vulnerabilities of all the libraries; in this regard I 
> myself would just trust the CAS team and upgrade my server as frequently as 
> possible
>

> 5. Unlike with commercial products, we can't request a backport of a fix from a 
> newer version to an older version, but upgrading CAS seems not easy; how do 
> you cater for that? Do you have a good strategy?
>   - See this: 
> https://apereo.github.io/cas/developer/Maintenance-Policy.html
>   - If you use an old version of CAS (e.g. CAS 4), the dev team usually 
> will not fix it
>   - And... since CAS is an open source project, if you find some bug that 
> needs fixing and is not in the priority list of the CAS dev team, usually 
> they would ask you to do the PR yourself
>      - Or, you can just fix your own stuff using this guide here if your 
> fix mostly only applies to your project: 
> https://apereo.github.io/cas/5.3.x/installation/Configuration-Management-Extensions.html
>
> 6. For authorization (like who can perform what function in which system) 
> with OpenID Connect JWT tokens, has anybody tried to put the permissions in the 
> scope field and check that for authorization? How do you enforce 
> authorization? Use of OAuth 2.0 UMA seems to make the system more complicated?
>   - I have no idea...

   (I see... that means individual CAS client applications make use of their 
own mechanism for authorization...?)
>
 

> By the way, my opinion is going to favour CAS, otherwise I am not going to 
> be here typing this sharing :) So, take this with a grain of salt
>
    (Actually, I am now evaluating CAS, WSO2 Identity Server, Keycloak, 
Connect2id...
     Can you please talk about why you chose CAS and not the others?)

>
> Cheers!
> - Andy 

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/94484e33-c4b2-4a85-8016-02f2192ca0fd%40apereo.org.