What are the differences between CAS and Keycloak? - cas

What are the differences between CAS (Central Authentication Service) and Keycloak (Identity and Access Management)?

CAS doesn't support OAuth2 but Keycloak does. It is a big difference.

Related

Is CAS auth protocol deprecated?

I see that many tools around authentication do not support integration with CAS (e.g. AWS Cognito).
Is CAS deprecated for new projects? I'm deciding if I should support CAS IdP for my new SaaS project or not.

No, the CAS authentication protocol is not deprecated. The CAS authentication protocol is still active based on https://apereo.github.io/cas/development/protocol/CAS-Protocol-Specification.html. Most CAS IdPs such as Apereo's CAS Server support other protocols such as SAML and OAuth2. I would adopt these authentication protocols before the CAS authentication protocol.
My 2 cents.

Difference between Apache Shiro and Central Authentication Service (CAS)

I need to know the difference between CAS & Apache Shiro.
Are they both used for Single Sign-On, or does Apache Shiro depend on CAS for authentication?

Shiro is a security framework. CAS is a platform for enterprise Single Sign-On. Shiro does not depend on CAS, and neither does CAS depend on Shiro. Shiro supports CAS so that you can use Shiro in your applications to authenticate via a CAS server, and CAS uses Shiro to allow you to authenticate to a variety of backend sources. They are both very different from each other.

Fiware: how to secure the communication between Orion and Cygnus?

How can we secure the communication between Orion and Cygnus?
How can we use cygnus with a protected Orion (pep is deployed above Orion broker)?
Thanks and best regards.

There are several ways of securing Orion->Cygnus communications:
- Co-locate Orion and Cygnus in the same host, so all communications are through the localhost network interface (this solution assumes that the host itself is properly secured, of course).
- Using a firewall (e.g. iptables) so the Cygnus port can be reached only from the IP where Orion runs.
- Using HTTPS notifications. In order to use this option take into account that:
  - Cygnus should be able to receive notifications in HTTPS. I'm not fully sure about Cygnus capabilities in this regard, but my colleague #frb could provide more detail.
  - You need Rush to send notifications in HTTPS with Orion.
- You can also explore the possibility of using a PEP proxy for Cygnus. You only need to secure one operation at Cygnus: POST /v1/notifyContext. Have a look at the PEP official documentation.
UPDATE: since version 1.7.0, Orion implements native HTTPS notifications (i.e. without needing Rush).

Is CAS (Centralized Authentication Service) dependent on cookie?

If CAS is based on cookies, then will it work after disabling cookies? And can we manage CAS SSO using session management API?
Cookies are required for SSO. Not for authentication.

Google CAS authentication for Bonita software

I'm trying to make my Bonita account authentication OpenID-enabled, with login through a Google account.
Here http://documentation.bonitasoft.com/single-sign-cas they provide the way of doing it ("Configure Bonita client for CAS"). My question is: how should I get the following parameters specified in the link: ip_address:port from Google (Gmail)?
As you probably noticed, I'm new to this section. Any help will be deeply appreciated.

Bonita BPM will not interact with OpenID protocol out of the box.
However it supports the CAS protocol in the subscription editions.
What you probably need to do is to configure your CAS server to act as an authentication proxy.
Here is how it could work in theory (not sure it is feasible):
- Bonita BPM relays user authentication to your CAS server using the CAS protocol.
- Your CAS server delegates the user authentication to an OpenID provider such as Google. Here is how you could activate OpenID support on the CAS server:
http://jasig.github.io/cas/4.0.x/protocol/OpenID-Protocol.html
An alternative solution could also be to implement a specific Bonita authentication service for OpenID (this requires Java development). In that case you would no longer need CAS. I know for a fact that this is possible.
Be aware that both solutions are technically not trivial to put in place.
Cheers,

You can integrate the BonitaBPM Subscription Edition with a Jasig CAS server:
http://documentation.bonitasoft.com/single-sign-cas-0
The CAS server can be configured to get its authentication from OpenID as can be found here:
http://jasig.github.io/cas/4.0.x/protocol/OpenID-Protocol.html

I could integrate Bonita Community 7.7.4 with Apereo CAS. Details are here: https://github.com/sparse91/bonita-community-cas.