On Tue, Sep 27, 2011 at 2:51 PM, Tillinghast, Andrew P. < atill...@conncoll.edu> wrote:
> As to what happens when CAS is down that's two fold: > 1) We use Google API's to allow our web based password change tools to Sync > our passwords to Google. This allows end users to use devices such as their > iPhone to access gmail via secure IMAP. > We're currently setting up Google's DirSync tool, so they'll get a hashed version of the same password as the LDAP server that feeds CAS. We had the expected security debates internally, but there's really no way to get around IMAP access for mobile devices. It's too bad that Google doesn't provide a way to use third party authentication sources for that. > 2) Second we're preparing to cluster our on site datacenter with an > off-site data center to support critical functions like email, accounting > and our LMS. In the mean time, our CAS login to access google mail is as > reliable, if not more so, then when we hosted our own email servers. > We're just starting to work on offsite redundancy for CAS and other services. We have a colo setup to act as a hot site, and CAS will be one of the first things to move there (expect more questions about clustering!). We may need to investigate some kind of stop-gap measures between single-point-of-failure and super-mega-awesome-cluster-time. I've spoken to other schools who consider the password sync as a viable fallback when their SSO service is down. I don't really like the idea of exposing Google's native login UI, but it would be better than not having access to your email. Off the top of my head, the only ways I can think to handle that during a CAS outage would be: 1. Manually login to the Google Apps control panel and change the SSO settings, or 2. Script an offsite monitoring system do it via Google's admin API. Meh. Graceful failover to the offsite data center would be awesome, but some of the comments I've read on list make that sound pretty darned scary :-) -Aaron --------------------------------- Aaron Fuleki Senior Web Architect Denison University 740.587.5752 --------------------------------- -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user