Thanks Stephan and Jerome.

The requirement is something like this. We have a product used by multiple customers. It is likely some of them have a CAS in their ecosystem and others may not. So we wanted to provide both modes of authentication. One way that I know we can accomplish this is to define a parameter in the web.xml indicating if CAS is enabled or not, and present the appropriate login form.
Do you think there is a better alternative?

Regards,
Prasad

From: Stephan Arts [mailto:sa...@cosmos.esa.int]
Sent: 06 February 2015 13:37
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] designing a fallback authentication scheme

Hi,

I agree with Jérôme, the simplest and most robust solution is to have 2 (or in our case 4) CAS servers running in a cluster with a multi-master LDAP backend. Put a load-balancer in front of your CAS servers and you're done.

Okay, on second thought... Maybe not the simplest, but it is very reliable.

Regards,
Stephan

On 06/02/15 08:04, Jérôme LELEU wrote:

Hi,

I would not recommend implementing such a fallback mechanism on the client side: it would be pretty complicated and you would lose all the benefits of a centralized authentication server (security, one link to the authentication source).

Why not a failover with two CAS servers? It can be achieved pretty easily with a Virtual IP (http://linux-ha.org/wiki/Main_Page).

In all cases, you must be careful of your SPOF (Single Point Of Failure): is your LDAP resilient?

Best regards,
Jérôme LELEU
Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org

2015-02-06 6:28 GMT+01:00 Prasad Katti <mahantesh.ka...@indecomm.net>:

Hi All,

We are using CAS authentication to implement an SSO model. We are using JSR 196 for extending the JAAS authorization. As part of this we are also implementing a fallback mechanism in situations where CAS is not available. In situations where CAS is not available, we want to present a custom login form and authenticate the user against a pre-defined LDAP realm.

Here's where we are having a problem. When the application redirects to the CAS application login, if CAS is not available, how do we capture the same on redirection failure?
One option is to check the connectivity by sending an HTTP Connect method to the server. We can then use the HTTP status code to determine if we have to invoke the fallback strategy. Is there a built-in way in CAS that will accomplish the same? I am just trying to weigh different options.

--
You are currently subscribed to cas-user@lists.jasig.org as: lel...@gmail.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
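
The availability check raised in the original question, combined with the per-customer switch from the follow-up, as an added example that is not code from this thread or from the CAS project. It swaps the CONNECT method for a plain GET against the login page with bounded timeouts; the class name, the `casEnabled` flag and the local stub standing in for a CAS server are assumptions made for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;

// Added illustration, not CAS client code. All names here are hypothetical.
public class CasAvailabilityProbe {
    enum LoginMode { CAS_REDIRECT, LOCAL_LDAP_FORM }

    // True only if the CAS login URL answers 2xx within the timeout.
    static boolean casReachable(String casLoginUrl, int timeoutMs) {
        HttpURLConnection conn = null;
        try {
            conn = (HttpURLConnection) new URL(casLoginUrl).openConnection();
            conn.setRequestMethod("GET");
            conn.setConnectTimeout(timeoutMs);   // bound the wait so a hung server cannot stall login
            conn.setReadTimeout(timeoutMs);
            conn.setInstanceFollowRedirects(false);
            int status = conn.getResponseCode();
            return status >= 200 && status < 300;
        } catch (IOException e) {
            return false;                        // refused, timed out, DNS or TLS failure
        } finally {
            if (conn != null) conn.disconnect();
        }
    }

    // casEnabled models the per-customer switch (for example a web.xml context-param).
    static LoginMode chooseLoginMode(boolean casEnabled, String casLoginUrl) {
        if (!casEnabled) return LoginMode.LOCAL_LDAP_FORM;
        return casReachable(casLoginUrl, 2000) ? LoginMode.CAS_REDIRECT : LoginMode.LOCAL_LDAP_FORM;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for a CAS server: a local stub that answers 200 on /cas/login.
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/cas/login", ex -> { ex.sendResponseHeaders(200, -1); ex.close(); });
        stub.start();
        String url = "http://127.0.0.1:" + stub.getAddress().getPort() + "/cas/login";

        System.out.println(chooseLoginMode(true, url));   // stub is up
        stub.stop(0);
        System.out.println(chooseLoginMode(true, url));   // stub is down
        System.out.println(chooseLoginMode(false, url));  // CAS disabled for this customer
    }
}
```

The probe only reflects the moment it ran: CAS can still become unavailable between the check and the redirect, so the application cannot treat a positive result as a guarantee.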