> I'm creating a Spring webapp that I need to be able to authenticate to via
> CAS but once I've got a CAS ticket, I need to be able to restrict access
> based on Active Directory groups.
You'll want to leverage service management with SAML attribute release. On the server side, you'll want to configure an attribute repository that gets group membership data from AD, https://wiki.jasig.org/display/CASUM/Attributes. You'll also need to ensure that the target service has permission to have attributes released to it via the services management console.

Once you get the server set up to release attributes, you'll want to use the SAML 1.1 validator on the client, https://wiki.jasig.org/display/CASC/JASIG+Client+SAML+Saml11TicketValidationFilter+Example, to request a SAML payload containing attributes from the server. From there, it's up to client machinery to extract the attributes from the CAS assertion and leverage them for authorization. Spring Security makes this straightforward, for example, but it's by no means the only choice.

M
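As an added illustration of the client-side step described in the reply above (not code from the reply's author, the Jasig CAS project, or Spring Security), here is the piece of "client machinery" that turns released AD groups into Spring Security authorities. It assumes Spring Security 3.1+ with the spring-security-cas module, the Jasig CAS client 3.x, that the CAS server releases group membership under an attribute named `memberOf` (an assumption; use whatever name your attribute repository maps), and placeholder CAS server and service URLs supplied by the caller.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.Saml11TicketValidator;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Maps the AD group attribute carried in the CAS SAML 1.1 assertion to
 * Spring Security authorities. Authorization rules (hasRole(...), intercept-url)
 * then operate on those authorities, not on anything the browser sent.
 */
public class AdGroupAuthoritiesService
        implements AuthenticationUserDetailsService<CasAssertionAuthenticationToken> {

    // Assumed attribute name: must match what the CAS attribute repository releases.
    private static final String GROUP_ATTRIBUTE = "memberOf";

    @Override
    public UserDetails loadUserDetails(CasAssertionAuthenticationToken token)
            throws UsernameNotFoundException {
        Assertion assertion = token.getAssertion();
        String username = assertion.getPrincipal().getName();
        Map<String, Object> attributes = assertion.getPrincipal().getAttributes();

        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String group : groupValues(attributes.get(GROUP_ATTRIBUTE))) {
            authorities.add(new SimpleGrantedAuthority(toRole(group)));
        }
        if (authorities.isEmpty()) {
            // Attributes can be missing when the service is not permitted to receive them
            // in the services management console; the user still authenticates but holds
            // only a baseline role, so group-gated URLs are denied rather than misgranted.
            authorities.add(new SimpleGrantedAuthority("ROLE_AUTHENTICATED"));
        }
        // The password field is unused with CAS; the assertion is the proof of identity.
        return new User(username, "NO_PASSWORD", authorities);
    }

    /** The CAS client yields a String for single-valued attributes and a List for multi-valued ones. */
    static List<String> groupValues(Object raw) {
        if (raw == null) {
            return Collections.emptyList();
        }
        List<String> out = new ArrayList<String>();
        if (raw instanceof Collection) {
            for (Object o : (Collection<?>) raw) {
                out.add(String.valueOf(o));
            }
        } else {
            out.add(String.valueOf(raw));
        }
        return out;
    }

    /** "CN=Web Admins,OU=Groups,DC=example,DC=com" becomes "ROLE_WEB_ADMINS"; a bare name is kept. */
    static String toRole(String group) {
        String name = group;
        for (String rdn : group.split(",")) {
            String t = rdn.trim();
            if (t.regionMatches(true, 0, "CN=", 0, 3)) {
                name = t.substring(3);
                break;
            }
        }
        return "ROLE_" + name.trim().toUpperCase().replaceAll("[^A-Z0-9]+", "_");
    }

    /**
     * Wiring sketch. Without the SAML 1.1 validator the provider uses the plain CAS 2.0
     * protocol and no attributes arrive, so every user would land on ROLE_AUTHENTICATED only.
     */
    public static CasAuthenticationProvider provider(String casServerUrlPrefix,
                                                     ServiceProperties serviceProperties) {
        CasAuthenticationProvider provider = new CasAuthenticationProvider();
        provider.setTicketValidator(new Saml11TicketValidator(casServerUrlPrefix));
        provider.setAuthenticationUserDetailsService(new AdGroupAuthoritiesService());
        provider.setServiceProperties(serviceProperties);
        provider.setKey("cas-provider-key"); // any non-empty identifier for this provider
        return provider;
    }
}
```

The validator is the part most often forgotten: if the ticket validator is left as the default `Cas20ServiceTicketValidator`, authentication still succeeds but the assertion carries no attributes, and the role mapping silently degrades to the baseline role. Checking that users actually receive the expected `ROLE_*` authorities after login is a quick way to confirm both the server-side release policy and the client-side validator are in place.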
