Hi Ram,

Although others have already answered, I still want to chime in with some of my
opinions :)

> Does CAS support both authentication as well as authorization?
Yup, at least the more modern CAS versions support authorization.

I don't know if this is the standard way to do it, but judging from the
documentation, we do it this way:
1. Authenticate the user
  - Let's say our user is *casuser*, using LDAP
2. Attribute resolution for the user
  - Let's say, by using JDBC, we can identify that casuser actually has an
attribute role = admin
  - Note: Some implementations can skip this step and get the user attributes
directly in step 1, which CAS is totally OK with you doing.
  - As you can see from the *principalAttributeList* property, LDAP allows you
to get attributes in the same step as when you authenticate the user:
https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties.html#ldap-authentication
3. Allow / deny access based on the Service Access Strategy
  - For example, here:
https://apereo.github.io/cas/6.1.x/services/Configuring-Service-Access-Strategy.html#enforce-attributes
  - You can see that, unless the user has the role = admin attribute, they
cannot access the service
  - Hence, you can authorize users based on their attributes. I think this is
called attribute-based access control, don't quote me on that :)

> Which Database to use? I figured out LDAP supports authorizations but are
> there some other db suggestions.
There are many technologies supported, for example:
For step 1 above: JDBC (e.g. MySQL, PostgreSQL), LDAP, several NoSQL (e.g.
MongoDB, Redis...), REST, and many more
For step 2 above: You can see the list here:
https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties.html#authentication-attributes
All in all, very many choices.

*You can use multiple technologies together in either or all steps, e.g.:*
- Authenticate users using both JDBC and LDAP
- Resolve attributes based on REST and MongoDB
Of course that probably would be overkill, but you get my point: it is very
flexible.

About which to use, I think it is very much a preference; I think that's why
there are so many options :)

We have used multiple authentication methods before, including LDAP and JDBC,
which seem fast and reliable; no complaints were received after the deployment
on PROD using these technologies.
We have tried REST; it is very slightly slower than just using LDAP or
JDBC, but every second counts, so I would recommend one of the native
approaches if possible.

> I am also curious to know the industry standard product for IAM & SSO? If
> possible, please share the technical stack used for the same.
I am as curious as you are; if somebody else has more insight, that would
be great!


Cheers!
- Andy
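
The three steps in the message above (authenticate, resolve attributes, enforce required attributes per service), sketched as an added example that is not part of the original message and is not CAS code. The user stores, passwords and the role = admin rule are constructed sample data, and the matching rule (every required attribute name present with at least one allowed value, case-sensitive) is an assumption of this sketch.

```python
import hmac

# Constructed sample data standing in for an LDAP directory and a JDBC table.
LDAP_USERS = {
    "casuser": {"password": "s3cret-1", "attrs": {"mail": ["casuser@example.org"]}},
    "guest": {"password": "s3cret-2", "attrs": {"mail": ["guest@example.org"]}},
}
JDBC_ROLES = {"casuser": {"role": ["admin", "staff"]}, "guest": {"role": ["staff"]}}

# Hypothetical service rule: the principal must carry role = admin.
REQUIRED_ATTRIBUTES = {"role": {"admin"}}


def authenticate(username, password):
    """Step 1: verify credentials; return attributes fetched in the same step, or None."""
    entry = LDAP_USERS.get(username)
    if entry is None or not hmac.compare_digest(
        entry["password"].encode(), password.encode()
    ):
        return None
    return {name: list(values) for name, values in entry["attrs"].items()}


def resolve_attributes(username, attrs):
    """Step 2: merge attributes from a second source into the principal."""
    merged = {name: list(values) for name, values in attrs.items()}
    for name, values in JDBC_ROLES.get(username, {}).items():
        merged.setdefault(name, [])
        merged[name] += [v for v in values if v not in merged[name]]
    return merged


def access_allowed(attrs, required):
    """Step 3: every required name must be present with at least one allowed value."""
    if not required:
        return True  # no rule configured: any authenticated user may enter
    return all(set(attrs.get(name, [])) & allowed for name, allowed in required.items())


def login(username, password, required=REQUIRED_ATTRIBUTES):
    """Run all three steps and return AUTHN_FAILED, DENY or ALLOW."""
    attrs = authenticate(username, password)
    if attrs is None:
        return "AUTHN_FAILED"
    attrs = resolve_attributes(username, attrs)
    return "ALLOW" if access_allowed(attrs, required) else "DENY"
```

A user who authenticates correctly but lacks the required attribute is denied at step 3, which is the case worth testing when a new attribute source is added.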




