
List:       pear-general
Subject:    Re: [PEAR] LiveUser with CAS / LDAP
From:       Brett Bieber <brett.bieber () gmail ! com>
Date:       2015-01-29 22:25:08
Message-ID: CAF6z_LL4Dgw1bj9838pgh5bGR-3uYgSUdbC6mBh3Jvfryys9XQ () mail ! gmail ! com


Hi,

On Thu Jan 29 2015 at 1:15:30 PM Stephanas Francis <cheenu.1973@gmail.com>
wrote:

> Dear all,
>
> In my organization, we have been using two locally developed PHP / MySQL
> applications besides Moodle, Koha and Bugzilla, all of them having their own
> local authentication. Where possible, we have our custom scripts to sync up
> the authentication information among these applications.
>
> The two locally developed applications I referred to above make use of the
> LiveUser package to implement authentication as well as a permission
> framework.
>
> At this point, we need to implement Single Sign-On. We are considering CAS
> and LDAP. I understand from google search that Moodle, Koha and Bugzilla
> will work with CAS as well as LDAP. But I request your advice and guidance
> on how to go about migrating our PHP / PEAR based applications to SSO.
> Specifically, the following questions are on our mind:
>
> 1. What will be a good architecture / combination to use - CAS / LDAP /
> LiveUser based customized permission management.
>

CAS is a very simple protocol for outsourcing SSO AuthN. AuthZ is quite a
different beast.

LDAP is typically great for "common login," but not true SSO.

We have a mixture of apps using direct LDAP, AD, as well as federated SSO
using ADFS, WS-FED, CAS & SAML 2.0 protocols, but are requiring all new
software to use SAML 2.0 or CAS.


> 2. Can LiveUser's authentication framework be used with CAS and / or LDAP?
>

It sounds like your AuthZ is all contained in LiveUser already?

If that's the case, LiveUser can use PEAR's Auth containers, and adding an
authentication handler that supports the CAS protocol is pretty easy. I did
the same thing for some of our custom applications that were using
PEAR::Auth.

Here's that code:
https://github.com/unlpear/UNL_Auth

If you're looking to the future, and you're in education or higher-ed (with
Moodle, I assume you are) — I would strongly encourage you to look at SAML,
and a SAML IdP. In particular, Shibboleth. Higher Ed is pretty set on using
SAML for federated SSO, and it would make sense to explore that option if
you're interested in future collaboration or agile adoption of SaaS in the
Education market.

Hopefully some of that helps,

-Brett
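
The CAS exchange Brett describes as "a very simple protocol", as an added
example that is not part of the original thread, of UNL_Auth, or of PEAR::Auth:
the browser is redirected to CAS /login with the application's service URL, CAS
redirects back with a service ticket, and the application validates that ticket
server-side at /serviceValidate and trusts only the username asserted in the XML
reply. The CAS host (cas.example.edu), the application URL, the ticket values
and the two XML responses are constructed for the demo; the response shape is
the CAS 2.0 serviceValidate format. The HTTP fetch is injected so the code runs
offline with plain PHP 8 (no PEAR required).

```php
<?php
// Added example, not code from the original post or from UNL_Auth.
// Minimal CAS 2.0 client: build the /login redirect, validate the returned
// service ticket at /serviceValidate, parse the XML reply, fail closed.
// Hostnames, URLs, tickets and responses below are constructed for the demo.

const CAS_NS = 'http://www.yale.edu/tp/cas';

/** Where to send a browser that has no session yet. */
function cas_login_url(string $casBase, string $service): string
{
    return rtrim($casBase, '/') . '/login?service=' . rawurlencode($service);
}

/**
 * Ticket validation URL. "service" must be byte-for-byte the value sent to
 * /login or CAS answers INVALID_SERVICE, so build both from one configured
 * constant rather than from the Host header, which the client controls.
 */
function cas_validate_url(string $casBase, string $service, string $ticket): string
{
    return rtrim($casBase, '/') . '/serviceValidate?service=' . rawurlencode($service)
        . '&ticket=' . rawurlencode($ticket);
}

/**
 * Parse a /serviceValidate body. Returns the username only when the reply
 * carries <cas:authenticationSuccess>; an authenticationFailure element, an
 * empty or malformed document all yield null.
 */
function cas_user_from_response(string $xml): ?string
{
    // LIBXML_NONET blocks external fetches; LIBXML_NOENT is deliberately not
    // set, so entities in the network-supplied body are never expanded.
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        return null;
    }
    $doc->registerXPathNamespace('cas', CAS_NS);
    $user = $doc->xpath('/cas:serviceResponse/cas:authenticationSuccess/cas:user');
    if (!is_array($user) || count($user) !== 1) {
        return null;
    }
    $name = trim((string) $user[0]);
    return $name === '' ? null : $name;
}

/**
 * Complete a login from the query string CAS redirected the browser to.
 * $fetch is an HTTP GET callable (string $url): ?string, injected so the
 * exchange can run offline; in production it does a TLS GET to the CAS
 * server with certificate verification left on.
 */
function cas_complete_login(array $query, string $casBase, string $service, callable $fetch): ?string
{
    $ticket = $query['ticket'] ?? '';
    // The CAS spec restricts tickets to "ST-" plus [A-Za-z0-9-]; reject
    // anything else before it is placed in the validation URL.
    if (!is_string($ticket) || !preg_match('/^ST-[A-Za-z0-9-]{1,256}\z/', $ticket)) {
        return null;
    }
    $body = $fetch(cas_validate_url($casBase, $service, $ticket));
    return $body === null ? null : cas_user_from_response($body);
}

// --- Demo with constructed CAS responses, no network ----------------------
$casBase = 'https://cas.example.edu/cas';        // assumed CAS server
$service = 'https://app.example.edu/index.php';  // assumed application URL

$success = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    . '<cas:authenticationSuccess><cas:user>cheenu</cas:user></cas:authenticationSuccess>'
    . '</cas:serviceResponse>';
$failure = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    . '<cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>'
    . '</cas:serviceResponse>';

// Stand-in for the CAS server: exactly one ticket validates.
$fakeCas = function (string $url) use ($success, $failure): ?string {
    return str_contains($url, 'ticket=ST-1-good') ? $success : $failure;
};

echo "redirect to: ", cas_login_url($casBase, $service), "\n";
foreach (['ST-1-good', 'ST-1-bad', '../evil'] as $ticket) {
    $user = cas_complete_login(['ticket' => $ticket], $casBase, $service, $fakeCas);
    echo str_pad($ticket, 12), ' => ', $user ?? 'login refused', "\n";
}
```

The identity comes only from the serviceValidate body; nothing in the query
string is treated as a username, which is what stops a user from forging a
login by editing the redirect. In a PEAR::Auth container this validation would
sit inside the container's fetchData() and return true only on a non-null
result; that wiring is specific to the container and is not shown here.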

