Sunday, March 30, 2014

Set up CAS and integrate it with Active directory for SSO - Part 1

In your organization you might have several applications that each have their own authentication store. That means that for 10 different applications in the organization, each person ends up with 10 different sets of credentials. Pretty complicated for the poor employee. Not to mention the plight of the IS guys and the CIO.

Most of you would have Active Directory in your organization already being used to authenticate employees. You can make all the applications inside the organization talk to AD for authentication, which would certainly reduce the overhead to a great extent.

Two problems with this approach:

1. You might not want to expose your AD to applications running outside your organization.
2. This mechanism does give the same user ID and password to all applications, but it still does not provide single sign-on. An employee will have to log on separately to each application s/he wants to access.

CAS can help solve this. CAS is an authentication system that your applications can delegate authentication to. CAS in turn gives you a lot of flexibility in the authentication stores it uses, and it provides single sign-on.

In this post I will help you guys set up a CAS server running on Ubuntu Server and integrate it with an Active Directory server running on Windows 2008 R2.

To set up a quick PoC environment you can set it up on AWS EC2 instances.

The following are assumed before we start. You have:

1. Basic familiarity with Linux
2. Basic familiarity with Windows and LDAP/Active Directory
3. Basic familiarity with Java
4. Basic familiarity with Maven
5. Basic familiarity with Tomcat


Request flow diagram

The diagram above shows the happy flow for a single authentication request. Any subsequent requests by the client for the application will not go to the CAS server as long as the client has a valid ticket.

Also, any other applications that are part of the same infrastructure will honor the CAS ticket, and the client need not authenticate again.

If you have more than one authentication store, they can all sit behind the CAS server and authenticate clients. The Active Directory store in the diagram above can be replaced by any other store without impacting the clients or the applications.
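The happy flow above, as an added in-process simulation (not code from this post or from the CAS project): the application redirects an unauthenticated client to CAS, CAS checks the credentials against a constructed stand-in for Active Directory and issues a service ticket, and the application redeems that ticket with CAS before creating its own session. The endpoint names follow the CAS protocol (`/login`, `serviceValidate`); the user store, the URLs and the ticket lifetime are assumptions made for the example.

```python
import secrets
import time

# Constructed sample store standing in for Active Directory (username -> password).
AD_USERS = {"alice": "correct horse battery staple"}

class CasServer:
    """Minimal CAS: checks credentials against a store, issues single-use service tickets."""
    TICKET_TTL = 10  # seconds a service ticket stays redeemable (assumed value)

    def __init__(self, user_store):
        self.user_store = user_store
        self.tickets = {}  # ticket id -> (user, service, issued_at)

    def login(self, username, password, service):
        # Only CAS ever sees the password; the application never does.
        if self.user_store.get(username) != password:
            return None
        ticket = "ST-" + secrets.token_urlsafe(16)
        self.tickets[ticket] = (username, service, time.time())
        return ticket

    def service_validate(self, service, ticket):
        # A ticket is bound to one service, expires, and is redeemable exactly once.
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return None
        user, bound_service, issued_at = entry
        if bound_service != service or time.time() - issued_at > self.TICKET_TTL:
            return None
        return user

class Application:
    """A CAS client: redirects unauthenticated requests, validates presented tickets."""
    def __init__(self, url, cas):
        self.url, self.cas, self.sessions = url, cas, {}

    def handle(self, ticket=None, session=None):
        # Returns (status, user, detail): detail is the session id on success,
        # or the CAS redirect target when the client must go and authenticate.
        if session in self.sessions:  # valid session: CAS is not contacted again
            return ("ok", self.sessions[session], session)
        if ticket is None:
            return ("redirect", None, f"/cas/login?service={self.url}")
        user = self.cas.service_validate(self.url, ticket)
        if user is None:
            return ("deny", None, None)
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return ("ok", user, sid)
```

Replaying a redeemed ticket, or presenting it to a different application, is rejected by `service_validate`, which is what lets several applications trust the same CAS without trusting each other.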

In the next part I will give the steps necessary to set up the infrastructure with a CAS server that will authenticate your clients against an Active Directory.
