Johan, Gotcha! Thank you very much for your insights.

John


-----Original Message-----
From: J R on behalf of Johan Reinalda
Sent: Thu 2/26/2009 1:22 PM
To: [email protected]
Subject: Re: [cas-user] newbie question: Google Apps, MS-AD and other attribute
 
Yes, we 
are moving more to OSS, and away from the custom development we've been doing 
for the past decade.

We have a Moodle site deployed for elearning, are using Drupal for user 
documentation, and are looking at several of the portals out there. 
And our students/alumni have been using GoogleApps for over 2 years now.
All support CAS (or Shib)

Johan

  ----- Original Message ----- 
  From: [email protected] 
  To: [email protected] 
  Sent: Thursday, February 26, 2009 10:57 AM
  Subject: RE: [cas-user] newbie question: Google Apps, MS-AD and other 
attribute


  Considering that you are mostly a Microsoft shop, was there something in 
particular about CAS that led you to pursue that over the .NET Memberships and 
roles framework?


  -----Original Message-----
  From: J R on behalf of Johan Reinalda
  Sent: Thu 2/26/2009 10:21 AM
  To: [email protected]
  Subject: Re: [cas-user] newbie question: Google Apps, MS-AD and other 
attribute

  John,

  It is somewhat hard to quantify, as this is not a full time project, and 
happens as we find chunks of time :-)

  I am actually more of a network & Linux integration engineer than a programmer, 
and have not involved our devs yet (they are the asp/asp.net people).

  I would guess that after having on and off read up on SSO over the past few 
months, I've spent about 20-30 hours to get to the point where we had basic SSO 
talking to MS-AD, Drupal and a test Google setup. Most of the early time was 
spent getting familiar with CAS and the CAS wiki. (This excludes building the 
basic dev servers, single Xen domU for SSO, single VMware for MS-AD, and 
another Xen domU for drupal/moodle testing.)

  Johan
    ----- Original Message -----
    From: [email protected]
    To: [email protected]
    Sent: Wednesday, February 25, 2009 5:21 PM
    Subject: RE: [cas-user] newbie question: Google Apps, MS-AD and other 
attribute


    Johan,
    I am working on a team currently evaluating CAS as an SSO solution for 
multiple php web applications. I was wondering how much time your team has 
invested into getting to where you have a demo online? How much time spent 
learning about CAS, how much time and effort learning enough about Java and 
Fastbind?


    Our architecture differs a little in that all web apps have their own user 
repositories but your info/experiences will surely shed some light.

    Thank you,
    John


    -----Original Message-----
    From: J R on behalf of Johan Reinalda
    Sent: Wed 2/25/2009 6:30 PM
    To: [email protected]
    Subject: [cas-user] newbie question: Google Apps, MS-AD and other attribute

    All,

    We are implementing a demo CAS environment, to see how it would work 
serving as an SSO platform for our web apps.
    We are traditionally an Asp/Asp.net windows environment, with additional 
experience in unix/linux with php and perl, but learning java (hopefully) as we 
go...

    So far, we have a basic setup working, talking to MS Active Directory as 
the account store, using the Fastbind example in the wiki 
(http://www.ja-sig.org/wiki/display/CASUM/Active+Directory). We have a drupal 
install authenticating to it as a quick test app that talks CAS.

    Now, we are trying to get this working with GoogleApps, and we have created 
a test domain at GApps for that.  Integration works, but is using the username 
of the object (sAMAccountName attribute in AD terms).

    What we will need is to use the email address, as stored in the "mail" 
attribute. Digging around the maillist archives, it looks like this is possible
    
(http://www.nabble.com/Adding-data-to-SAML-response-(was-Passing-Google-apps-alternate-username)-to19446161.html#a19446161).

    Looking at CAS3.3.1 source,  in
    
cas-server-core/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java
    we see in line 163/164

     samlResponse = samlResponse.replace("<USERNAME_STRING>", getPrincipal()
                .getId());

    This seems to be the code that assigns the username to the SAML response, 
but we have no idea how to go from here :-( (ie how to get it to read the mail 
attribute and assign it here.)

    Any suggestions would be much appreciated.

    For completeness, this is running on CentOS5.2, Tomcat 6.0.18, CAS-Server 
3.3.1

    Thanks in advance!

    Johan Reinalda
    Thunderbird School of Global Management
    Glendale, AZ, USA
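
A self-contained sketch of the substitution asked about in the original message, added here as an example and not code from CAS or from anyone in the thread: it picks the "mail" attribute for the <USERNAME_STRING> replacement, rejects ambiguous or out-of-domain values, and XML-escapes the result before it enters the response. SimplePrincipal, resolveNameId, xmlEscape, the template fragment and the example.edu account are assumptions made for the illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Added illustration, not CAS source. SimplePrincipal, resolveNameId and
// xmlEscape are hypothetical names; requires Java 16+ for records.
public class NameIdFromAttribute {

    /** Stand-in for an authenticated principal: login id plus directory attributes. */
    record SimplePrincipal(String id, Map<String, List<String>> attributes) {}

    /** Picks the value to send as the SAML username: one in-domain attribute value, else the id. */
    static String resolveNameId(SimplePrincipal p, String attrName, String domain) {
        List<String> values = p.attributes().get(attrName);
        if (values == null || values.isEmpty()) {
            return p.id(); // attribute not populated: keep the existing id-based behaviour
        }
        if (values.size() != 1) {
            throw new IllegalStateException("multiple " + attrName + " values for " + p.id());
        }
        String value = values.get(0).trim().toLowerCase(Locale.ROOT);
        if (!value.endsWith("@" + domain) || value.indexOf('@') != value.lastIndexOf('@')) {
            throw new IllegalStateException(attrName + " outside " + domain + " for " + p.id());
        }
        return value;
    }

    /** Escapes the five XML special characters so the value stays character data. */
    static String xmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&apos;");
    }

    public static void main(String[] args) {
        // Constructed template fragment and sample accounts, not taken from CAS or a real directory.
        String template = "<saml:NameID><USERNAME_STRING></saml:NameID>";
        SimplePrincipal withMail = new SimplePrincipal("jdoe",
                Map.of("mail", List.of("John.Doe@example.edu")));
        SimplePrincipal noMail = new SimplePrincipal("svc-test", Map.of());

        for (SimplePrincipal p : List.of(withMail, noMail)) {
            String nameId = resolveNameId(p, "mail", "example.edu");
            System.out.println(template.replace("<USERNAME_STRING>", xmlEscape(nameId)));
        }
    }
}
```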


