Hi Prasad, I think that would be a good solution for what you are describing. I was under the impression you were referring to a fallback scenario in case your own CAS server was not available.
Regards, Stephan On 06/02/15 09:50, Mahantesh Prasad Katti wrote: > > Thanks Stephan and Jerome. The requirement is something like this. We > have a product used by multiple customers. It is likely some of them > have a CAS in their ecosystem and others may not. So we wanted to > provide both modes of authentication. One way that i know we can > accomplish is to define a parameter in the web.xml indicating if CAS > is enabled or not. And present the appropriate login form. > > Do you think there is an better alternative? > > Regards, > > Prasad > > *From:*Stephan Arts [mailto:sa...@cosmos.esa.int] > *Sent:* 06 February 2015 13:37 > *To:* cas-user@lists.jasig.org > *Subject:* Re: [cas-user] designing a fallback authentication scheme > > Hi, > > I agree with Jérôme, the simplest and most robust solution is to have > 2 (or in our case 4) CAS servers running in a cluster with a > multi-master LDAP backend. Put a load-balancer in front of your CAS > servers and you're done. > > Okay, on second thought... Maybe not the simplest, but it is very > reliable. > > Regards, > > Stephan > > On 06/02/15 08:04, Jérôme LELEU wrote: > > Hi, > > I would not recommend to implement such a fallback mechanism on > client side: it would be pretty complicated and you would lose all > the benefits of a centralized authentication server (security, one > link to the authentication source). > > Why not a failover with two CAS servers? It can be achieved pretty > easily with a Virtual IP (http://linux-ha.org/wiki/Main_Page). In > all cases, you must careful of your SPOF (Single Point Of > Failure): is your LDAP resilient? > > Best regards, > > > Jérôme LELEU > > Founder of CAS in the cloud: www.casinthecloud.com > <http://www.casinthecloud.com> | Twitter: @leleuj > > Chairman of CAS: www.jasig.org/cas <http://www.jasig.org/cas> | > Creator of pac4j: www.pac4j.org <http://www.pac4j.org> > > 2015-02-06 6:28 GMT+01:00 Prasad Katti > <mahantesh.ka...@indecomm.net <mailto:mahantesh.ka...@indecomm.net>>: > > Hi All, > > we are using CAS authentication to implement SSO model. we are > using the JSR 196 for the extending the JAAS authorization. As > part of this we are also implementing a fall back mechanism in > situations where CAS is not available. in situations where CAS is > not available, we want to present a custom login form and > authenticate the user against a pre-defined ldap realm. > > here's where we are having a problem. when the application > redirects to cas application login, if ÇAS is not available, how > to capture the same on redirection failure? one option is to check > the connectivity by sending an HTTP Connect method to the server. > we can then use the HTTP status code to determine if we have to > invoke the fallback strategy. is there a built in way in cas that > will accomplish the same? I am just trying to weigh different options. > -- > You are currently subscribed to cas-user@lists.jasig.org > <mailto:cas-user@lists.jasig.org> as: lel...@gmail.com > <mailto:lel...@gmail.com> > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > <http://www.ja-sig.org/wiki/display/JSG/cas-user> > > -- > > You are currently subscribed tocas-u...@lists.jasig.org > <mailto:cas-user@lists.jasig.org> as:sa...@cosmos.esa.int > <mailto:sa...@cosmos.esa.int> > > To unsubscribe, change settings or access archives, > seehttp://www.ja-sig.org/wiki/display/JSG/cas-user > > > -- > You are currently subscribed to cas-user@lists.jasig.org as: > mahantesh.ka...@indecomm.net > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > -- > You are currently subscribed to cas-user@lists.jasig.org as: > sa...@cosmos.esa.int > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user