Pasi,

We had the same request. To accomplish this kind of thing you can use CAS and SPNEGO. SPNEGO will accomplish the possibility to retrieve your identity after the login in your Windows PC (through AD), CAS will implement the SSO on all the Web Sites you need to have access to.

I have implemented it in my office, and it works perfectly also mixing heterogeneous environments (Java Web Apps, MS SharePoint Sites and .NET Sites). The advantage is that the user can just log in to the machine, and move from one service to another without typing user and password each time. I guess it is quite a clever way to automate authentication over the web.

Users seem to be very happy, even if some of them complain that in this way, if they forget the session open, the others can use the service with no possibility to control this. For this reason we moved from original SPNEGO to a Form Based authentication from a .NET portal.
HTH.

Stefano

-----Original Message-----
From: Pasi Kallioniemi [mailto:pasi.kallioni...@ipss.fi]
Sent: Tuesday, 01 June, 2010 14:16
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS and autoauthentication (with AD)

Hello all,

this may be a newbie question but I have a hard time finding a solution for our scenario. Maybe someone here has pointers on whether this is possible to accomplish with CAS (or am I totally lost :) ):

Scenario:
- We have a user logged in to the company Active Directory network
- The company has multiple web systems to be added under SSO.
- As the user is logged into his machine (and is authenticated to the company Infra network), the user would not want to input username/password again on ANY login page.
- Instead the user would like to point his/her browser to some address and get inside the system he wants.
- The authentication would be done automatically against the user's browser.

We have accomplished the previous example for one system by doing some Windows integrated authentication (with IIS + Windows authentication + IE), but would like to have a more general way to have n systems (on Java & .NET platforms) working like this. Perhaps one possibility is to use CAS?

Questions:
- If I have understood the wiki correctly, CAS can be integrated, for example, to authenticate against AD or some other source. So adding n systems under SSO and authenticating users against AD would be OK with a single login page.
- But is it necessary to always have the CAS login page? Is it possible to configure CAS to autoauthenticate the user's browser against AD? So the user logged inside AD would point the browser to "https://caslogin.intra/?service=https://other_server/application1" and CAS would authenticate the user and redirect to the actual application.

If this scenario is possible with CAS, what would be the configuration? I'm a little bit lost with the need for such protocols as SPNEGO and Kerberos (when would you use SPNEGO or Kerberos?).

I hope that I was not too confusing with this question, and thank you for any input.

Best Regards,
Pasi

--
You are currently subscribed to cas-user@lists.jasig.org as: stefano.bra...@eurac.edu
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
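
The following is an added example, not part of the thread or of CAS itself: the application side of the CAS 2.0 service-ticket flow the question describes, which stays the same whether the CAS server authenticates the browser with a login form or with SPNEGO. The host `caslogin.intra` and the service URL come from the question; the function names, the user `jdoe` and the sample XML responses are constructed for illustration.

```python
# Added example (not from the thread): application side of the CAS 2.0 ticket flow.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

# Host taken from the question; /login and /serviceValidate are CAS protocol paths.
CAS_BASE = "https://caslogin.intra"
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample /serviceValidate responses (success and failure).
SUCCESS_XML = (
    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    "<cas:authenticationSuccess><cas:user>jdoe</cas:user>"
    "</cas:authenticationSuccess></cas:serviceResponse>"
)
FAILURE_XML = (
    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    '<cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized'
    "</cas:authenticationFailure></cas:serviceResponse>"
)


def login_redirect(service_url):
    """URL an application sends an unauthenticated browser to (service is URL-encoded)."""
    return f"{CAS_BASE}/login?{urlencode({'service': service_url})}"


def validation_url(service_url, ticket):
    """Back-channel URL the application fetches over HTTPS to validate the ticket."""
    query = urlencode({"service": service_url, "ticket": ticket})
    return f"{CAS_BASE}/serviceValidate?{query}"


def ticket_from_callback(callback_url):
    """Return the single ST- ticket CAS appended to the service URL, else None."""
    values = parse_qs(urlsplit(callback_url).query).get("ticket", [])
    if len(values) == 1 and values[0].startswith("ST-"):
        return values[0]
    return None


def parse_validation(xml_text):
    """Return (username, None) on success, or (None, failure_code) otherwise."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None, "MALFORMED_RESPONSE"
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is not None and user.text and user.text.strip():
        return user.text.strip(), None
    failure = root.find("cas:authenticationFailure", CAS_NS)
    code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
    return None, code
```

The application treats the user as logged in only when `parse_validation` returns a username for a ticket it validated itself against the same `service` URL it sent to `/login`.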