Folks,

Unicon is starting some work in collaboration with Fordham University to implement RBAC for CAS Services. The gist of the proposal is that a ST/PT will only be vended for Services where the user has authorization. Generally this provides centralized, gatekeeper-like access control to resources, and directs unauthorized users to appropriate information (like how to get access if they feel they should have it).
Unicon implemented something similar for University of Wisconsin in the Shib IdP:

https://github.com/dima767/Shibboleth-IDP-Postlogin-Flow
https://github.com/dima767/Shibboleth-IDP-Postlogin-Filter

We are currently thinking about how best to:

* extend Services Metadata with authZ info
* implement authZ check and enforcement around ST vending
* extend Services metadata with unauthZ URL for redirect

Would welcome comments, thoughts, and general collaboration.

Best,
Bill

P.S. Also thinking about tying this to Grouper to manage the entitlements (permissions).

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
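To make the three bullet points concrete, here is a small model of the proposed gate, added as an illustration for this thread; it is not CAS code and not Unicon's implementation. The service registry entry is extended with two assumed fields (`allowed_entitlements`, `unauthorized_url`), the entitlement lookup is a stand-in for a Grouper query, and the check runs at ST vending time so that the same decision applies whether the ticket is requested from the login flow or from a proxy. The service URLs, entitlement names and principals are constructed for the example.

```python
"""Model of an RBAC gate in front of CAS service-ticket (ST) vending.

Added example for discussion; not CAS's or Unicon's code. The registry
fields, entitlement names and Grouper stand-in are assumptions.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional
from urllib.parse import urlencode


@dataclass(frozen=True)
class RegisteredService:
    """Service-registry entry extended with the two proposed fields.

    allowed_entitlements: principal must hold at least one of these; an empty
                          set keeps today's behaviour (any authenticated user).
    unauthorized_url:     where to send a principal that fails the check
                          (assumed to carry no query string of its own).
    """
    service_id: str  # URL prefix the service is registered under
    allowed_entitlements: FrozenSet[str] = frozenset()
    unauthorized_url: Optional[str] = None


@dataclass(frozen=True)
class Decision:
    kind: str   # "ticket" | "redirect" | "deny"
    value: str  # ticket id, redirect URL, or denial reason


class EntitlementSource:
    """Stand-in for a Grouper lookup: principal -> entitlement names (assumed)."""

    def __init__(self, memberships: Dict[str, FrozenSet[str]]):
        self._memberships = memberships

    def entitlements_for(self, principal: str) -> FrozenSet[str]:
        return self._memberships.get(principal, frozenset())


class ServiceTicketGate:
    """Decides whether an ST may be vended for (principal, service)."""

    def __init__(self, registry: List[RegisteredService], entitlements: EntitlementSource):
        self._registry = registry
        self._entitlements = entitlements

    def _lookup(self, service_url: str) -> Optional[RegisteredService]:
        # Longest registered prefix wins; an unregistered service matches nothing.
        matches = [s for s in self._registry if service_url.startswith(s.service_id)]
        return max(matches, key=lambda s: len(s.service_id)) if matches else None

    def grant_service_ticket(self, principal: str, service_url: str) -> Decision:
        svc = self._lookup(service_url)
        if svc is None:
            # Fail closed: never vend a ticket for a service CAS does not know.
            return Decision("deny", "service not registered")
        held = self._entitlements.entitlements_for(principal)
        if svc.allowed_entitlements and not (held & svc.allowed_entitlements):
            if svc.unauthorized_url:
                # Hand the user to the "how do I get access" page; only the
                # requested service is passed along, nothing about the decision.
                return Decision("redirect", svc.unauthorized_url + "?" + urlencode({"service": service_url}))
            # No redirect configured: still deny rather than vend the ticket.
            return Decision("deny", "principal lacks a required entitlement")
        # Authorized: mint an opaque, unguessable ST identifier.
        return Decision("ticket", "ST-" + secrets.token_urlsafe(24))


def build_demo_gate() -> ServiceTicketGate:
    """Constructed sample registry and memberships for the demonstration."""
    registry = [
        RegisteredService("https://wiki.example.edu/"),
        RegisteredService(
            "https://grades.example.edu/",
            frozenset({"app:grades:faculty", "app:grades:registrar"}),
            "https://access.example.edu/request",
        ),
    ]
    grouper = EntitlementSource({
        "alice": frozenset({"app:grades:faculty"}),
        "bob": frozenset({"app:wiki:user"}),
    })
    return ServiceTicketGate(registry, grouper)


if __name__ == "__main__":
    gate = build_demo_gate()
    for who, url in [("alice", "https://grades.example.edu/app/"),
                     ("bob", "https://grades.example.edu/app/"),
                     ("bob", "https://wiki.example.edu/"),
                     ("alice", "https://evil.example.org/")]:
        print(who, url, gate.grant_service_ticket(who, url))
```

Two points the model is meant to surface for the metadata design: the check has to fail closed when no unauthZ URL is configured, otherwise a missing field silently turns the gate off, and the redirect should carry only what the access-request page needs (the service), not the principal's entitlement list.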
