It's not necessarily easily done. Not sure what CAS can do, but this means that all of your applications have to be set up to use CAS AND use local accounts. Maybe they already are, but they are also likely going to have to have a custom CAS integration to pull this off. Then you have the problem of what happens if those credentials get compromised. Each of those applications is going to have a cached copy of the credentials that an attacker could use. So each of those applications would need a method to flush those credentials under some sort of circumstance. Likely this is already done, but each of those applications would need a method of removing accounts once the person is no longer with you and shouldn't have access. Then you'd also need some sort of failover method so that people that are used to going through CAS fail over to the normal method? Finally, you can very easily put MFA into the workflow of CAS, but if each application is going to do its own authentication, they would need to do their own MFA integration as well.
So there is a good deal of work that needs to go into each of the applications to maintain usability and security. Part of the beauty of CAS is that all of the above is just done.

On 8/20/19 3:51 PM, Yan Zhou wrote:

Hello,

Our organization wants to make sure customers can still use their apps in the event that CAS is down or unavailable (even though we have HA, etc.).

The idea is to have CAS return the password in encrypted format to some apps that are critical. When CAS is down, the app can authenticate using the encrypted password themselves. SSO does not need to work during that time.

That smells bad, but I know technically this can be easily done and that is what we have been asked to do.

What do you suggest?

Yan

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ebccddb0-b9da-454d-a28f-6693e5a0cc19%40apereo.org.
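
As an added illustration (not part of either message above, and not CAS or Apereo code), this Python sketch shows the per-application machinery the reply lists for an offline fallback: a local credential cache that expires, can be flushed per user or entirely, and is consulted only when the SSO server is unreachable. It stores a salted PBKDF2 verifier rather than the reversibly encrypted password the original question proposes. `FallbackCredentialCache`, `authenticate` and the `sso_login` callable are hypothetical names, and the sketch assumes the application sees the password during a successful login.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


class FallbackCredentialCache:
    """Hypothetical per-application cache, consulted only while SSO is unreachable."""

    def __init__(self, max_age_seconds, clock=time.time):
        self.max_age = max_age_seconds
        self.clock = clock
        self._entries = {}  # username -> (salt, verifier, cached_at)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def remember(self, username, password):
        """Refresh the local verifier after a successful SSO login."""
        salt = os.urandom(16)
        self._entries[username] = (salt, self._derive(password, salt), self.clock())

    def flush(self, username=None):
        """Drop one user (deprovisioned or compromised) or, with no argument, everyone."""
        if username is None:
            self._entries.clear()
        else:
            self._entries.pop(username, None)

    def verify_offline(self, username, password):
        entry = self._entries.get(username)
        if entry is None:
            return False
        salt, verifier, cached_at = entry
        if self.clock() - cached_at > self.max_age:
            self.flush(username)  # stale entries must not outlive the policy window
            return False
        return hmac.compare_digest(verifier, self._derive(password, salt))


def authenticate(username, password, sso_login, cache):
    """Use SSO when reachable; fall back to the cache only on ConnectionError."""
    try:
        ok = sso_login(username, password)  # hypothetical wrapper around the app's SSO client
    except ConnectionError:
        return cache.verify_offline(username, password), "offline"
    if ok:
        cache.remember(username, password)
    return ok, "sso"
```

The offline path has no second factor and depends on something calling `flush` when an account is removed or compromised, which are the gaps the reply points out.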
