Main Nav

We are in the process of implementing CAS at the University of Georgia. For anyone who is already up and running, would you be willing to share your system architecture and lessons learned?    

 

Thanks,

Pat

 

Patrick Wagman, PMP
OCIO Portfolio and Program Management Office

University of Georgia

480 East Broad, Suite 301-B
Athens Georgia 30601
Phone: 706-542-5694

 

Comments

Message from marvin.addison@gmail.com

> We are in the process of implementing CAS at the University of Georgia. For > anyone who is already up and running, would you be willing to share your > system architecture and lessons learned? Hello. We've been running CAS for many years now and I think we have some knowledge and best practices to share. Keep it simple. Determine the availability and capacity requirements needed to support the intended scope of enterprise SSO and design accordingly. Many folks immediately think of clustering when they consider a high availability design, but I would discourage against this for CAS. An active/standby CAS server that simply uses heap storage for tickets is arguably the simplest HA solution in terms of system architecture and CAS configuration. If your capacity requirements necessitate multiple CAS nodes, then an active/active setup will require you to consider a shared ticket store such as Ehcache, memcached, or a database. The choice of storage mechanism will likely be driven by institutional expertise as much as technical considerations, but for what it's worth we switched from a hot-standby PostgreSQL setup to memcached and haven't looked back. Approach client integration incrementally. While CAS integration is generally straightforward, the integration cost in man-hours can be high for some third-party applications/services that require custom integration or in cases where central IT supplements meager resources allocated to a client application (e.g. departmental apps). It would be wise to develop a workflow for bringing applications online to clarify the responsibilities of central IT resources; some helpful tangibles in that regard: institutional client integration documentation, integration/security policy requirements, SLA. I should also note that incrementally adding services to the SSO domain allows you to address performance or availability issues more gently. You'll find that once a handful of vital services are behind CAS, it becomes an essential service where downtime is intolerable. In the rare cases where CAS is unavailable here, my desktop and phone light up like Cape Canaveral at launch time. Consider security policy from the beginning. In addition to all the detailed CAS server configuration details like token expiration periods, you should consider high-level security policy matters. For example, will CAS offer attributes to services to support authorization scenarios? If yes, then what policy governs attribute release? What services will be allowed to use CAS? What criteria will be applied to applications to determine whether forced authentication is required? Will CAS support multiple credentials or authentication stores? If you would like further help, guidance, or feedback on CAS system architecture and capacity planning, please post to cas-user@lists.jasig.org and we'll be happy to go into further detail there. Best, M
From what I've seen, most implementations are composed of two machines either hot-hot or hot-warm. I've spent time with most of the ticket storage technologies mentioned on the CAS wiki and I can tell you that they all have pros and cons. You are going to have problems that are out of your control -> network, disk, vm, etc and some of the ticket storage technologies have issues during these times of distress. If you take Marvin's advice (which you should), you wouldn't need to bother with any of that stuff. Keeping your architecture as simple as possible lets you minimize the number of moving parts the service depends on. On hardware sizing, you can search the user list for threads because some people have provided benchmarks on that stuff. On monitoring, start with the RESTful web services to test the basics (authenticate, acquire service ticket, validation, sign out, etc) and then build from there. On service management, I suggest you create a simple webpage where web admins can request access to CAS for their website/app. They'd specify the purpose of the request, contact info, specific attributes they want returned via SAML, duration (if any), etc. This information would then be sent to the data owners and security department for approval before a CAS admin gets involved. On code layout, I recommend using the maven overlay model as described on the CAS wiki. When it is upgrade time, you'll still need to do some diffing between the new version of CAS against your customizations, but it helps keep things organized. Dan Young Enterprise Information Systems Georgia Institute of Technology --------------------------------------------------------------- We are in the process of implementing CAS at the University of Georgia. For anyone who is already up and running, would you be willing to share your system architecture and lessons learned? Thanks, Pat Patrick Wagman, PMP OCIO Portfolio and Program Management Office University of Georgia 480 East Broad, Suite 301-B Athens Georgia 30601 Phone: 706-542-5694 --
Close
Close


Annual Conference
September 29–October 2
Register Now!

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.

Close

Digital Badges
Member recognition effort
Earn yours >

Career Center


Leadership and Management Programs

EDUCAUSE Institute
Project Management

 

 

Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.

 

Close
EDUCAUSE organizes its efforts around three IT Focus Areas

 

 

Join These Programs If Your Focus Is

Close

Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
 

 

Close

2014 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations


Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.