On Wed, Nov 27, 2019 at 1:27 PM xia <[email protected]> wrote:

> Ok, I may have answered my own questions on this by finding the Jira site (I
> apologize for posting before looking more carefully...) and noting that
> there are PRs that cover some/most of this. It appears that the only
> handling of CAS attributes is to convert them to tokens, so no handling of
> groups (wondering if I can somehow make connection decisions based on
> tokens...something to play with). Still wonder if there's a way to pull
> attributes from LDAP...(I'm guessing not yet) ¯\_(ツ)_/¯
>

Yep, you are correct - the CAS extension needs to implement attributes, and there is a PR out there that handles this. It should also be possible to implement group handling in the CAS module - basically just need to allow the config file to specify what CAS attribute will contain group names and parse them out, and then implement the bits that would provide that information to other components. Very doable, just needs to be done.

> And...no logout (yet)...Is anyone actually using any of the SSO modules in a
> production environment? If so, I'd like to hear what they do... That does
> seem to be a fairly significant security defect...
>

I did use CAS for a while in production; however, I was doing it without ClearPass and I found it more useful to just authenticate straight to AD and have the user password available as a token to use when logging into RDP servers. I do intend to go back and re-work things with CAS + ClearPass + Guacamole so that I have the best of all three worlds, just have not gotten around to it, yet.

-Nick
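The group-handling idea in the reply above (a config setting names the CAS attribute that carries group names, and the module parses those values out of the validated ticket response) can be sketched as a small parser. This is an added, illustrative example, not code from the Guacamole project or from the thread: the `group_attribute` argument stands in for the assumed config setting, the CAS serviceResponse documents below are constructed, and only the parsing step is shown, not the Guacamole extension wiring that would hand the groups to other components.

```python
"""Illustrative parser: pull group names out of a CAS 3.0 serviceResponse.

Added example, not Guacamole code. Assumes the attribute name that carries
groups (e.g. 'memberOf') is supplied from configuration; the XML samples
here are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed /p3/serviceValidate response for a successfully validated ticket.
# Note the repeated, whitespace-padded and duplicated memberOf elements.
SAMPLE_SUCCESS = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes>
      <cas:mail>alice@example.org</cas:mail>
      <cas:memberOf>admins</cas:memberOf>
      <cas:memberOf> rdp-users </cas:memberOf>
      <cas:memberOf>admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure response (ticket rejected by the CAS server).
SAMPLE_FAILURE = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-example not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_cas_response(xml_text, group_attribute):
    """Return (username, sorted unique group names) from a CAS response.

    Raises ValueError when the response is not an authenticationSuccess, so
    a caller cannot accidentally treat a rejected ticket as a login. Groups
    come only from the configured attribute; each element is one value
    (multi-valued CAS attributes are repeated elements, and values such as
    LDAP DNs may legitimately contain commas, so nothing is split on commas).
    """
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
        code = failure.get("code") if failure is not None else "UNKNOWN"
        raise ValueError(f"CAS validation failed: {code}")

    user = (success.findtext(f"{{{CAS_NS}}}user") or "").strip()
    if not user:
        raise ValueError("CAS success response without cas:user")

    groups = set()
    attrs = success.find(f"{{{CAS_NS}}}attributes")
    if attrs is not None:
        for element in attrs.findall(f"{{{CAS_NS}}}{group_attribute}"):
            value = (element.text or "").strip()
            if value:
                groups.add(value)
    return user, sorted(groups)


if __name__ == "__main__":
    print(parse_cas_response(SAMPLE_SUCCESS, "memberOf"))
```

The response passed in must be the one obtained by the module itself from the CAS server's validation endpoint over TLS; attributes only mean something once the ticket has been validated, and a response without `cas:authenticationSuccess` yields no user and no groups.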
