Shi's suggestion is a good one, and boils down to the following: This is a per-service authorization need, and it is up to CAS clients to do authorization.
Shi pointed out that CAS can help in this regard by providing arbitrary attributes, which your clients could leverage as needed. We have implemented this strategy for the very use case you mentioned, level of identity assurance. You can review our source as a starting point to see what you'd need to do, https://projects.iad.vt.edu:8443/svn/middleware/cas/cas-server/trunk/vt-cas-server-ext/src/main/java/edu/vt/middleware/cas/authentication/. We chose to use the LOA vocabulary from http://www.oasis-open.org/committees/download.php/28706/sstc-saml-loa-authncontext-profile-draft-01.pdf since it looks like it could become a SAML standard.

M
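A client-side check of the kind described in the message above, as an added example that is not part of the original message and is not the Virginia Tech code it links to. It assumes the CAS server releases attributes in a `cas:attributes` element of the validation response; the attribute name `loa` and the `urn:example:loa:*` URIs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
LOA_ATTRIBUTE = "loa"  # assumed attribute name; use whatever your CAS server releases
# Constructed placeholder URIs, ordered by strength. Replace them with the
# LOA vocabulary your server actually asserts.
LOA_RANK = {"urn:example:loa:1": 1, "urn:example:loa:2": 2,
            "urn:example:loa:3": 3, "urn:example:loa:4": 4}


class AuthorizationError(Exception):
    """Raised when the service must refuse the request."""


def authorize(validation_xml, required_level):
    """Return the username if validation succeeded and LOA >= required_level."""
    root = ET.fromstring(validation_xml)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise AuthorizationError("ticket validation failed")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    if not user:
        raise AuthorizationError("no principal in validation response")
    values = [(e.text or "").strip() for e in
              success.findall(f"cas:attributes/cas:{LOA_ATTRIBUTE}", CAS_NS)]
    ranks = [LOA_RANK.get(v) for v in values]
    # Fail closed: a missing or unrecognised LOA is treated as no assurance.
    if not ranks or None in ranks:
        raise AuthorizationError("no usable LOA attribute released")
    # If several values are released, trust only the weakest one.
    if min(ranks) < required_level:
        raise AuthorizationError(f"LOA {min(ranks)} below required {required_level}")
    return user


# Constructed sample of a validation response carrying a released attribute.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:loa>urn:example:loa:2</cas:loa>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(authorize(SAMPLE_RESPONSE, required_level=2))
```

Each service picks its own `required_level`, which keeps the authorization decision per service while CAS only asserts the attribute.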
