[TYPO3-english] typo3 - saml 2.0 - cas-server - ldap - active directory

patrick at bierans.de
Tue Jan 24 20:02:39 CET 2012


Hello list!

If my English sounds weird: it's not my native tongue, bear with me please.

This one is an advanced setup question. I hope some real hackers are
reading this. :) If you do not understand the basics of my question please
don't ask me to explain it. No offence, I'm just short on time. But feel
free to read on and follow this topic and learn on your own. ;)

I've spent a lot of time reading tons of stuff about software and protocols
(boss already got picky a week ago ^^) but even my hottest candidates for
now (simpleSAMLphp and ig_ldap_sso_auth) are not really convincing me yet.

So I want to ask you!

In short:

Multiple typo3 installations should authenticate against Active Directory.
To support SSO I want a CAS-server (with tickets) in between.
The communication should be server-side for better protection.
Groups in Active Directory define access rights in typo3.
Security and stability must be extremely high. No DoS.
How?

In long:

I want multiple typo3 installations running the latest 4.6 to talk Shib 1.3
or SAML 2.0 with a PHP-based CAS-server which then talks LDAP to an Active
Directory on the latest Windows Server 2008 which holds account details and
group assignments reflecting the roles/rights the user will have inside
typo3. So typo3 will map AD-groups to typo3-usergroups. This has to work
for frontend-users and backend-users.

I have two more mirrors of the AD to be added to the CAS-server and I want
to add another CAS-server so I have enough redundancy to eliminate some
single points of failure. DDoS-resistant typo3 sites - haha - that's of
lower importance for now.

The communication typo3 <-> cas-server should run server-side on the local
IP range, which would require cURL or something alike. All servers are in
the same rack. So header redirects sent to the browser are to be avoided.

The communication cas-server <-> ldap should use local-range IPs too, so
that the really important systems are not accessible from the "evil"
outside.

The servers run the latest PHP 5 with Suhosin and the latest Debian squeeze.
All servers are VMs running on bold hardware under Xen. Web servers are the
latest apache2 behind an nginx, sometimes supported by lighttpd for static
files. All servers are in the same room or have local IP tunnels in between.

Ah! And I almost forgot: I have an OTRS to be connected to the CAS-server
too. For now I ignore that and hope to get that solved later.

Has anybody done that already for real?
Which typo3 plugin can do that with multiple CAS-servers - and server side?
Which CAS-server software would you use - and can it access multiple ADs?

Give me hard questions or good answers!
I have to kick it hard. So kick me. ;)

Let's have some fun!
Patrick

PS: You know somebody who can take this?
Please forward it to him as a challenge! ;)
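Added example (editor's addition, not part of Patrick's message and not code
from TYPO3, simpleSAMLphp, ig_ldap_sso_auth or any CAS server): the server-side
half of the CAS 2.0 exchange the setup above relies on, written in Python so it
runs offline. In CAS the browser is still sent to the CAS login page to obtain a
service ticket (ST-...); only the ticket validation call, /serviceValidate, is
server to server and can stay on the local IP range. The XML responses below are
constructed, the attribute name memberOf and the AD-DN-to-typo3-uid table are
assumptions, and the CAS server is assumed to release group membership as an
attribute; the code refuses malformed tickets, treats an authenticationFailure as
a hard deny, and grants nothing for AD groups that are not explicitly mapped.

```python
"""CAS 2.0 service-ticket validation and AD-group -> typo3-group mapping.

Added example; not TYPO3, simpleSAMLphp or ig_ldap_sso_auth code.  The server
responses are constructed so the module runs without a CAS server.
"""
import re
import xml.etree.ElementTree as ET  # production code: prefer defusedxml (XXE/entity bombs)
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed: what /serviceValidate returns for a valid ticket when the CAS
# server is configured to release the user's AD groups as "memberOf".
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>pbierans</cas:user>
    <cas:attributes>
      <cas:memberOf>CN=typo3-editors,OU=Groups,DC=example,DC=local</cas:memberOf>
      <cas:memberOf>CN=Domain Users,CN=Users,DC=example,DC=local</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed: the response for a replayed, expired or forged ticket.
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket 'ST-42-xyz' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# Assumed: table maintained on the typo3 side, AD group DN -> typo3 usergroup uid.
# Keys are lower-cased because AD distinguished names compare case-insensitively.
GROUP_MAP = {
    "cn=typo3-admins,ou=groups,dc=example,dc=local": 1,
    "cn=typo3-editors,ou=groups,dc=example,dc=local": 2,
}

# CAS spec: service tickets start with "ST-" and are at most 256 characters.
TICKET_RE = re.compile(r"^ST-[A-Za-z0-9_.-]{1,253}$")


def build_validate_url(cas_base, service, ticket):
    """URL the web server (not the browser) fetches, e.g. with cURL, to validate
    a service ticket.  `service` must be byte-for-byte the URL the ticket was
    issued for, otherwise the CAS server answers INVALID_SERVICE."""
    if not TICKET_RE.match(ticket):
        raise ValueError("malformed service ticket")
    query = urlencode({"service": service, "ticket": ticket})
    return cas_base.rstrip("/") + "/serviceValidate?" + query


def parse_validate_response(xml_text):
    """Return (user, [memberOf DNs]) on success; raise on any failure."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise PermissionError(f"CAS {failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("unexpected CAS response: neither success nor failure")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    if not user:
        raise ValueError("CAS success without cas:user")
    groups = [e.text.strip()
              for e in success.findall("cas:attributes/cas:memberOf", CAS_NS) if e.text]
    return user, groups


def typo3_groups_for(ad_groups):
    """Map AD DNs to typo3 usergroup uids; unmapped groups grant nothing."""
    return sorted({GROUP_MAP[dn.lower()] for dn in ad_groups if dn.lower() in GROUP_MAP})


def login_from_ticket(xml_text):
    """Turn a validation response into the typo3 user record to log in, or deny."""
    user, ad_groups = parse_validate_response(xml_text)
    uids = typo3_groups_for(ad_groups)
    if not uids:
        raise PermissionError(f"{user} is in no mapped typo3 group; deny login")
    return {"username": user, "usergroup": uids}


if __name__ == "__main__":
    print(build_validate_url("https://cas.example.local", "https://www.example.local/", "ST-1-abc"))
    print(login_from_ticket(SUCCESS_XML))
```

The deny-by-default in typo3_groups_for is the point of the AD-group mapping: a
user who authenticates fine but sits in no mapped group gets no typo3 account,
and "Domain Users" style catch-all groups never become typo3 rights by accident.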

