I would like to offer a word of caution in authenticating against multiple directories. It is vitally important to ensure that the value of the CAS principal ID is globally unique across all authentication sources; otherwise you are liable to authorization problems similar to impersonation attacks. This arises because CAS clients typically only have the principal ID (username) to identify the user; if the same username exists in multiple authentication sources, there is ambiguity about the human principal corresponding to that identifier. If you cannot guarantee uniqueness in your principal ID namespace, you would need to have CAS clients request SAML to obtain additional attributes that uniquely identify the user.
While the formats of mail and sAMAccountName are sufficiently different to guarantee uniqueness from one another, there are no restrictions on the mail attribute that would prevent duplication unless you have some provisioning process that prevents it. Contrast that to sAMAccountName, which is constrained by AD to be unique within a domain.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
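The audit the post implies, as an added example that is not part of the cas-dev message: before letting CAS resolve users from several directories, list the principal IDs each source would hand back and flag any ID that appears in more than one source, plus duplicates inside a single source (the unconstrained mail attribute case). The source names and sample IDs are constructed for illustration.

```python
# Added example (not from the cas-dev post): audit CAS principal-ID uniqueness
# across multiple authentication sources before enabling them together.
from collections import defaultdict


def normalize(principal_id):
    # sAMAccountName and mail lookups are case-insensitive in practice,
    # so "JSmith" and "jsmith" would resolve to the same CAS principal.
    return principal_id.strip().lower()


def find_principal_collisions(sources):
    """sources: {source_name: [principal_id, ...]}.
    Returns {normalized_id: sorted source names} for every ID that more
    than one source would return, i.e. the ambiguity the post warns about."""
    seen = defaultdict(set)
    for source, ids in sources.items():
        for pid in ids:
            seen[normalize(pid)].add(source)
    return {pid: sorted(srcs) for pid, srcs in seen.items() if len(srcs) > 1}


def find_duplicates_within(source_ids):
    """IDs repeated inside one source, e.g. a mail value assigned twice
    because no provisioning process prevented it."""
    counts = defaultdict(int)
    for pid in source_ids:
        counts[normalize(pid)] += 1
    return sorted(pid for pid, n in counts.items() if n > 1)


# Constructed sample data: two AD domains keyed by sAMAccountName and an
# external LDAP directory keyed by mail (hypothetical source names).
SAMPLE_SOURCES = {
    "ad-corp": ["jsmith", "mjones", "Admin"],
    "ad-lab": ["JSmith", "rlee"],
    "ldap-ext": ["jsmith@example.org", "mjones@example.org", "jsmith@example.org"],
}

if __name__ == "__main__":
    # "jsmith" exists in both AD domains: a CAS client seeing only the
    # username cannot tell which human it is.
    print("cross-source collisions:", find_principal_collisions(SAMPLE_SOURCES))
    # The mail attribute was provisioned twice in the external directory.
    print("duplicates in ldap-ext:", find_duplicates_within(SAMPLE_SOURCES["ldap-ext"]))
```

Run it against exports from your real directories; an empty result from both functions is the precondition for relying on the bare principal ID rather than asking clients to fetch SAML attributes.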
