Hello Marvin and Scott,

First of all, thank you for replying.

To answer Scott first: we were planning on giving out our findings, lessons learned and such when we finish this project. We understand that Open Source can't thrive when people don't contribute. One of the additions we've made, for instance, is the extraction of encrypted passwords from a PeopleSoft database and checking them against encrypted passwords entered by the user logging in. Since PeopleSoft passwords can't be decrypted we were forced to do it this way (which is safer anyway).

As for SAML: if SAP were to do an assertion towards CAS with a ticket, wouldn't CAS be able to send an attribute back with the username (or any other value of interest) so that SAP could then do its internal part of authentication and authorizations? Or am I mistaken as to how SAML works in this setup?

Maybe some more information is needed. We've set up CAS as our front-end login form for users accessing PeopleSoft CRM. From within PeopleSoft it is then necessary to access different HR systems using SSO. Those should be routed through CAS via serviceValidate or samlValidate. This works with PeopleSoft in combination with an HR product from PI-AG and the serviceValidate part of CAS.

The options for authentication on SAP are:
- SAP logon tickets (can only be issued by a SAP system)
- SAML 1.1
- HTTP Headers
- Kerberos/SPNego
- Client Certificates

The first and last options are not options for us; those require either a SAP system or user actions to get through, which we don't want with SSO. For a Proof of Concept we tried using HTTP Headers with an Apache webserver set up as a reverse proxy. This did work, but we don't have a sound feeling for the security of this solution and it doesn't go through CAS either. This goes against our goal of achieving one authentication authority within this setup. This leaves SAML and Kerberos, which I am investigating now. SAML seemed the best option; research may prove Kerberos to be better. I don't know yet.

Kind regards,
John

-----Original Message-----
From: Scott Battaglia [mailto:[email protected]]
Sent: Wednesday 20 January 2010 5:41
To: [email protected]
Subject: Re: [cas-user] multiple authentication methods

John,

As Marvin said, I'm not sure our out-of-the-box support would necessarily help you. If you were willing to work with us (i.e. get the integration code contributed as open source) we could probably collaboratively come up with something that would work.

Cheers,
Scott

-----Original Message-----
From: Marvin Addison [mailto:[email protected]]
Sent: Tuesday 19 January 2010 15:47
To: [email protected]
Subject: Re: [cas-user] multiple authentication methods

> SAP are not eager to make custom changes for SAP so I'm left with the
> login modules that SAP provides. Out of these options the one with SAML
> seems the best one, also because when we upgrade the PeopleSoft system
> (in planning already), we can use SAML for that too.

I am doubtful you'll be able to get SAP working by using the SAML support in CAS. The primary reason that SAML 1.1 was added to CAS was to support attribute release and single sign-out for CAS clients. I would imagine SAP wants to receive an AuthenticationStatement from CAS, which is not supported; CAS only sends AttributeStatements in response to a service ticket that is successfully validated at /samlValidate.

What are the other integration options for SAP?

M
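As an added illustration of Marvin's point about what /samlValidate returns (example code, not from this thread, from CAS or from SAP), the Python below parses a SAML 1.1 response and reports which statement types it carries, so an integrator can check up front whether a relying party that insists on an AuthenticationStatement would accept it. The two sample responses, the username "jdoe", the hostnames and the attribute values are constructed; signature verification is left to the SAML library that would actually consume the response.

```python
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 1.1 response such as the one CAS returns from /samlValidate
NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

def inspect_saml11_response(xml_text):
    """Return the statement types, the Subject NameIdentifier and the released attributes
    of a SAML 1.1 Response (bare, or wrapped in a SOAP envelope as CAS does). No signature check."""
    root = ET.fromstring(xml_text)
    resp = root if root.tag == "{%s}Response" % NS["samlp"] else root.find(".//samlp:Response", NS)
    statements, name_id, attrs = set(), None, {}
    for assertion in resp.findall("saml:Assertion", NS):
        for stmt in assertion:
            local = stmt.tag.split("}", 1)[1]          # strip the namespace from the tag
            if not local.endswith("Statement"):        # skip Conditions, Advice, Signature, ...
                continue
            statements.add(local)
            nid = stmt.find("saml:Subject/saml:NameIdentifier", NS)
            if nid is not None and nid.text:
                name_id = nid.text.strip()
            for attr in stmt.findall("saml:Attribute", NS):
                attrs[attr.get("AttributeName")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"statements": sorted(statements), "name_id": name_id, "attributes": attrs}

def satisfies_relying_party(info, required="AuthenticationStatement"):
    """True when the response carries the statement type the relying party demands."""
    return required in info["statements"]

# Constructed sample in the shape of a CAS samlValidate reply: the assertion carries
# only an AttributeStatement (username as NameIdentifier plus one released attribute).
CAS_STYLE_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
 MajorVersion="1" MinorVersion="1"><Status><StatusCode Value="samlp:Success"/></Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" Issuer="cas.example.org">
<AttributeStatement><Subject><NameIdentifier>jdoe</NameIdentifier></Subject>
<Attribute AttributeName="mail" AttributeNamespace="http://www.ja-sig.org/products/cas/">
<AttributeValue>jdoe@example.org</AttributeValue></Attribute></AttributeStatement>
</Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

# Constructed contrast: a bare Response whose assertion does contain an AuthenticationStatement.
AUTHN_RESPONSE = """<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1">
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" Issuer="idp.example.org">
<AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
 AuthenticationInstant="2010-01-20T05:41:00Z"><Subject><NameIdentifier>jdoe</NameIdentifier></Subject>
</AuthenticationStatement></Assertion></Response>"""
```

Running `inspect_saml11_response` on the CAS-style sample yields only `AttributeStatement`, so `satisfies_relying_party` is False for it and True for the contrast sample.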
