CAS Server Configuration and the "Two-Layer Protocol Architecture"
Here are some tips for setting up CAS as your SSO server.
Tip 1: Cater for high availability of the IAM solution
IAM can become the single point of failure for all your applications unless you take steps to ensure its availability. You would of course set up your directory in a replicated configuration, and your database is also likely to be set up in HA (High Availability) mode. But what about the SSO server?
CAS servers keep no per-user HTTP session state after login, so they need no application-server session clustering, and a load-balanced configuration is the right shape for high availability. Any standard hardware-based load-balancer will do nicely, as shown below. One caveat: a CAS node does hold ticket state (the ticket-granting ticket minted at login and the short-lived service tickets minted for each application) in its ticket registry, and the default registry is in-memory and private to the node. Sticky sessions on the load-balancer are not enough, because the application validates its service ticket over a back-channel call that carries no cookie and can land on any node in the pool. Give the pool a shared or replicated ticket registry (CAS supports several, database-backed and distributed-cache variants among them) so that a ticket issued by one node can be validated or invalidated by another, and have the load-balancer health-check each node so that a failed node drops out of rotation.
Fig 18: SSO load-balancing
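The following is an added illustration, not code from the book or from the CAS project. It models two CAS nodes behind a round-robin balancer at the level of their ticket registries (a TGT minted at login, a service ticket minted per application, a single-use back-channel validation by the application) and shows the failure a practitioner hits with the stock in-memory registry: the browser is pinned to the node that logged it in, but the application's validation call lands on the other node, which has never seen the ticket. Node names, the user and the service URL are constructed for the example.

```python
"""Why a load-balanced CAS pool needs a shared ticket registry.

Added illustration, not code from the book or the CAS project. Node
names, the user 'alice' and the service URL are constructed.
"""
import itertools
import secrets


class CasNode:
    """One CAS server. `registry` is its ticket store. With no argument
    each node gets a private dict, i.e. the stock in-memory registry."""

    def __init__(self, name, registry=None):
        self.name = name
        self.registry = {} if registry is None else registry

    def login(self, user):
        """/cas/login: authenticate and mint a TGT (carried in the TGC cookie)."""
        tgt = "TGT-" + secrets.token_urlsafe(8)
        self.registry[tgt] = {"type": "TGT", "user": user}
        return tgt

    def issue_service_ticket(self, tgt, service):
        """/cas/login?service=...: browser presents its TGC, CAS mints an ST."""
        entry = self.registry.get(tgt)
        if entry is None or entry["type"] != "TGT":
            return None
        st = "ST-" + secrets.token_urlsafe(8)
        self.registry[st] = {"type": "ST", "user": entry["user"],
                             "service": service}
        return st

    def validate(self, st, service):
        """/cas/serviceValidate: back-channel call from the application.
        The ST is single-use and bound to one service: it is removed on
        first presentation and rejected if the service does not match."""
        entry = self.registry.pop(st, None)
        if entry is None or entry["type"] != "ST" or entry["service"] != service:
            return None
        return entry["user"]


class RoundRobinBalancer:
    """The hardware load-balancer of the figure, reduced to round robin."""

    def __init__(self, nodes):
        self._cycle = itertools.cycle(nodes)

    def next_node(self):
        return next(self._cycle)


def sso_round_trip(balancer, user, service):
    """One login followed by one application-side validation.

    The browser is assumed to be pinned to the node that logged it in
    (sticky session on the TGC cookie), so login and ST issuance hit the
    same node. The validation request comes from the application server,
    carries no cookie, and lands on whichever node the balancer picks
    next. Returns (validated user or None, login node, validating node).
    """
    login_node = balancer.next_node()
    tgt = login_node.login(user)
    st = login_node.issue_service_ticket(tgt, service)
    validating_node = balancer.next_node()
    return validating_node.validate(st, service), login_node.name, validating_node.name


def demo(shared_registry):
    """Two CAS nodes behind the balancer, with private or shared registries."""
    registry = {} if shared_registry else None
    nodes = [CasNode("cas-1", registry), CasNode("cas-2", registry)]
    return sso_round_trip(RoundRobinBalancer(nodes), "alice",
                          "https://app.myorg.com/")


if __name__ == "__main__":
    print("private registries:", demo(shared_registry=False))  # validation fails
    print("shared registry:   ", demo(shared_registry=True))   # 'alice'
```

The shared `dict` stands in for whatever replicated registry you deploy; the point is that ticket lookup and single-use consumption must be visible to every node, since sticky sessions only help the browser-facing half of the protocol.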
Tip 2: Don't reveal your SSO implementation through your domain naming scheme
As the diagram above suggests, keep your domain names technology-neutral. When an application's interceptor redirects a browser to CAS, the browser will display the URL of the CAS server (or more correctly, of the load-balancer) in its address bar on the SSO login page. As long as this says something neutral like "sso.myorg.com" rather than "cas.myorg.com", the hostname gives no clue about the product used to implement SSO. It is prudent not to advertise the details of your organisation's implementation, since an attacker who knows the product can go straight to its known vulnerabilities as soon as one is published. Bear in mind that this is a modest obstacle, not a defence: the default "/cas/login" context path, the names of the cookies set on login, the server banner headers and the markup of the stock login page identify the product just as well, so rename or theme those too if fingerprinting concerns you, and in any case keep the server patched, because hiding the product name does not remove the vulnerability.
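The check below is an added example, not code from the book or the CAS project. It audits an SSO login page response for the clues this tip is about (a product name in the hostname) and for the other places a stock deployment leaks the product: the context path, cookie names, Server and X-Powered-By headers, and product strings in the page text. The marker lists and the two sample responses are constructed for the example; "Jasig" and "Apereo" are the CAS project's former and current names, the rest are common Java platform banners. Extend the lists for the products you actually run.

```python
"""Audit an SSO login page for clues that reveal the product behind it.

Added example, not code from the book or the CAS project. Marker lists
and sample responses are constructed for the example.
"""
import re
from urllib.parse import urlparse

# Names of the SSO product (CAS, its project names, its full title).
PRODUCT_MARKERS = ("cas", "jasig", "apereo", "central authentication service")
# Platform banners that narrow the product down (Java servlet stack).
PLATFORM_MARKERS = ("tomcat", "coyote", "jetty", "servlet", "spring", "jsessionid")


def _tokens(s):
    """Split a hostname or path into labels/segments for exact matching,
    so 'cas.myorg.com' and 'cas-prod' flag while 'cascade' does not."""
    return [t for t in re.split(r"[./\-_]", s.lower()) if t]


def audit_login_page(final_url, headers, cookies, body):
    """Return a list of (where, what) findings; an empty list means no
    obvious leak. `final_url` is the address-bar URL after redirects,
    `headers` a dict of response headers, `cookies` the names of cookies
    the response sets, `body` the login page HTML."""
    findings = []
    parsed = urlparse(final_url)
    host = parsed.hostname or ""
    path = parsed.path

    # Tip 2 proper: the hostname in the address bar names the product.
    for m in PRODUCT_MARKERS:
        if m in _tokens(host):
            findings.append(("hostname", f"'{host}' contains label '{m}'"))

    # The context path is just as visible (e.g. /cas/login).
    for m in PRODUCT_MARKERS:
        if m in _tokens(path):
            findings.append(("path", f"'{path}' contains segment '{m}'"))

    # Banner headers name the platform, which narrows the product too.
    lower_headers = {k.lower(): v.lower() for k, v in headers.items()}
    for h in ("server", "x-powered-by"):
        value = lower_headers.get(h, "")
        for m in PRODUCT_MARKERS + PLATFORM_MARKERS:
            if m in value:
                findings.append(("header", f"{h} header mentions '{m}'"))

    # Cookie names such as CASTGC or JSESSIONID are readable by anyone.
    for name in cookies:
        for m in PRODUCT_MARKERS + PLATFORM_MARKERS:
            if m in name.lower():
                findings.append(("cookie", f"cookie '{name}' mentions '{m}'"))

    # Product names in the page text, matched on word boundaries so that
    # 'because' does not trip the 'cas' marker.
    body_lower = body.lower()
    for m in PRODUCT_MARKERS:
        if re.search(r"\b" + re.escape(m) + r"\b", body_lower):
            findings.append(("body", f"page text contains '{m}'"))
    return findings


def fetch_and_audit(url):
    """Fetch a live login page and audit it (network; unused by the samples)."""
    import http.cookiejar
    import urllib.request
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(url, timeout=10) as resp:
        return audit_login_page(resp.geturl(), dict(resp.headers),
                                [c.name for c in jar],
                                resp.read().decode("utf-8", "replace"))


# Constructed sample responses: a stock deployment and a neutral one.
LEAKY_RESPONSE = dict(
    final_url="https://cas.myorg.com/cas/login?service=https%3A%2F%2Fapp.myorg.com%2F",
    headers={"Server": "Apache-Coyote/1.1", "Content-Type": "text/html"},
    cookies=["JSESSIONID", "CASTGC"],
    body="<html><head><title>CAS - Central Authentication Service</title></head>"
         "<body><form action='/cas/login'>...</form></body></html>",
)
NEUTRAL_RESPONSE = dict(
    final_url="https://sso.myorg.com/login?service=https%3A%2F%2Fapp.myorg.com%2F",
    headers={"Content-Type": "text/html"},
    cookies=["SSOSESSION", "SSOTGC"],
    body="<html><head><title>MyOrg Sign In</title></head>"
         "<body><form action='/login'>Please sign in.</form></body></html>",
)

if __name__ == "__main__":
    for where, what in audit_login_page(**LEAKY_RESPONSE):
        print(f"{where:9} {what}")
    print("neutral page findings:", audit_login_page(**NEUTRAL_RESPONSE))
```

Run it against your own "sso.myorg.com" with `fetch_and_audit`: a neutral hostname with the default "/cas/login" path still yields a path finding, which is the point of the caveat above.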
 