> how can I just get CAS LDAP + Spring Security to keep all of the defined
> groups/associations in the directory.acme.com and propagate them to
> the client

Using the CAS attribute release feature, http://www.ja-sig.org/wiki/display/CASUM/Attributes, you can release arbitrary user attributes, e.g. LDAP group membership, to CAS services at service ticket validation time.

I believe the Spring Security component you need is GrantedAuthorityFromAssertionAttributesUserDetailsService, which is part of the CAS integration module of Spring Security 3.0 and later.

It's very important to use Saml11TicketValidationFilter, http://www.ja-sig.org/wiki/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+in+the+web.xml, otherwise your client will not receive attributes from CAS.

Once you get this working, it would be great if you could contribute a working example to http://www.ja-sig.org/wiki/display/CASC/Using+the+CAS+Client+3.1+with+Spring+Security.

M