Logins into the IDM should be integrated into the shared CAS SSO realm, with two exceptions:
- The account creation workflow
- The password restore workflow
Both necessarily run without an already-authenticated identity (the account does not exist yet, or the user cannot authenticate), so they cannot sit behind the SSO login.
We need to deploy a CAS configuration which registers the IDM as a service in CAS SSO.
In addition, the IDM needs to gain support for SSO logins. We have two other notable Django projects authenticating against CAS:
- Debmonitor puts an authentication layer in front of the application using the mod_cas Apache module (but then still requires the Django-internal login, which is LDAP-based).
- Netbox currently uses a Django authentication backend (django-cas-ng), but Netbox itself doesn't support CAS, so support for it is added via a local patch. To reduce the delta to upstream Netbox releases, work is under way to migrate away from django-cas-ng. Netbox 3.0.8 gained support for SSO logins via python-social-auth, which supports multiple SSO backends, but currently not CAS. Either CAS support is added to python-social-auth, or the Netbox login is switched to OIDC or OAuth2.
The Debmonitor integration is legacy, so the IDM should follow the lead of Netbox and ideally take the same path chosen for it (resulting in shared know-how and code).
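To make concrete what a CAS login backend such as django-cas-ng does on behalf of an application like the IDM, here is the protocol side in plain Python as an added example. This is not code from the IDM, Debmonitor, Netbox, django-cas-ng or python-social-auth; the CAS server URL, the IDM paths (including the two SSO-exempt workflow prefixes) and the XML validation responses are constructed for the example. It shows the three steps a backend performs: building the redirect to the CAS login, validating the returned service ticket against the same service URL that was registered (with the `ticket` parameter stripped, since CAS compares the two byte for byte), and parsing the success or failure response, including the attributes a deployment would map to group membership.

```python
"""Minimal CAS 2.0/3.0 client logic, independent of Django.

Added example, not code from the IDM, Debmonitor, Netbox, django-cas-ng or
python-social-auth. URLs, paths and XML responses below are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CAS_NS = "http://www.yale.edu/tp/cas"

# Hypothetical IDM URL layout: the two workflows excluded from SSO.
SSO_EXEMPT_PREFIXES = ("/accounts/create/", "/accounts/password-restore/")


def sso_required(path: str) -> bool:
    """True for every IDM path except the account-creation and password-restore flows."""
    return not path.startswith(SSO_EXEMPT_PREFIXES)


@dataclass
class CasResult:
    ok: bool
    user: Optional[str] = None
    attributes: Dict[str, List[str]] = field(default_factory=dict)
    error_code: Optional[str] = None
    error_message: Optional[str] = None


def canonical_service_url(url: str) -> str:
    """Drop the 'ticket' query parameter so the service URL sent to
    serviceValidate is exactly the one CAS redirected back to. CAS rejects the
    ticket if the two differ, and the service itself must be registered."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "ticket"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def login_url(cas_server: str, service: str) -> str:
    """Step 1: where an unauthenticated user is redirected to."""
    return f"{cas_server.rstrip('/')}/login?" + urlencode({"service": service})


def validate_url(cas_server: str, service: str, ticket: str, version: int = 3) -> str:
    """Step 2: server-to-server validation of the ticket received on the service URL.
    CAS 3.0 (/p3/serviceValidate) returns attributes; CAS 2.0 only the user."""
    endpoint = "p3/serviceValidate" if version == 3 else "serviceValidate"
    return f"{cas_server.rstrip('/')}/{endpoint}?" + urlencode({"service": service, "ticket": ticket})


def parse_validation_response(xml_text: str) -> CasResult:
    """Step 3: parse the <cas:serviceResponse>. Anything that is not an explicit
    success with a non-empty cas:user is treated as a failed login."""
    root = ET.fromstring(xml_text)
    ns = {"cas": CAS_NS}
    success = root.find("cas:authenticationSuccess", ns)
    if success is not None:
        user_el = success.find("cas:user", ns)
        if user_el is None or not (user_el.text or "").strip():
            return CasResult(ok=False, error_code="INVALID_RESPONSE",
                             error_message="authenticationSuccess without cas:user")
        attrs: Dict[str, List[str]] = {}
        attr_el = success.find("cas:attributes", ns)
        if attr_el is not None:
            for child in attr_el:  # multi-valued attributes repeat the element
                name = child.tag.split("}", 1)[-1]
                attrs.setdefault(name, []).append((child.text or "").strip())
        return CasResult(ok=True, user=user_el.text.strip(), attributes=attrs)
    failure = root.find("cas:authenticationFailure", ns)
    if failure is not None:
        return CasResult(ok=False, error_code=failure.get("code", "UNKNOWN"),
                         error_message=(failure.text or "").strip())
    return CasResult(ok=False, error_code="INVALID_RESPONSE",
                     error_message="neither authenticationSuccess nor authenticationFailure")


# Constructed sample responses, in the shape a CAS 3.0 server returns.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:memberOf>cn=ops,ou=groups,dc=example,dc=org</cas:memberOf>
      <cas:memberOf>cn=nda,ou=groups,dc=example,dc=org</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-1-abc not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    service = canonical_service_url("https://idm.example.org/accounts/login/?next=%2Fprofile%2F&ticket=ST-1-abc")
    print(login_url("https://cas.example.org/cas", service))
    print(validate_url("https://cas.example.org/cas", service, "ST-1-abc"))
    print(parse_validation_response(SUCCESS_XML))
    print(parse_validation_response(FAILURE_XML))
```

In a real backend the validation request is an outbound HTTPS call from the IDM to the CAS server, never something the browser performs, and the user is created or looked up only after `ok` is true; the attribute mapping (here `memberOf`) is where group-based authorisation would hook in.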