Choices, choices, choices: CAS or OpenID?

With RubyCAS and Ruby-OpenID you have two choices to enable authentication for your application.

But which choice is the best one? Or rather the correct one? That depends on your usage scenario.

RubyCAS and OpenID solve, roughly, two different problems:

  • Single Sign On
  • User account management
Solving the Single Sign On problem
This is RubyCAS' strength. If you want to offer multiple applications to your users (be it on the internet, or in an intranet), RubyCAS is the better choice. Since it allows proxy authentication, users only have to sign into their account once, and all applications available to them can be used without retyping their credentials when switching applications.

This is the classic environment prompting the need for SSO solutions in general, and RubyCAS fits the bill (especially since it provides Authenticators for common enterprisey storage solutions, like LDAP).

Simplifying sign up
This is where OpenID shines. User's only have to maintain one set of credentials, and can use it whereever they can log in with OpenID. This is a big bonus for you. No need to store passwords, you can automate account creation at the first sign in of your users (you can request account data like passwords, nicknames, first and last names, etc.), and don't have to worry ( alot) about validation of this data. The user's OpenID provider took care of that for them.

You can of course offer them an OpenID services with your application, allowing them to use the credentials they use for your application to login everywhere else.

However, it seems that OpenID doesn't allow proxy authentication out of the box (you could add it, or maybe the next version will provide support for that, but that is difficult to do in an essentially untrusted network, which leads to things like Kerberos).

So, what should you use?

If you are user-centric, use RubyCAS. Examples of user-centric scenarios would be Google Apps for Domains: One account for all these services.

If you are application-centric use OpenID. Users will only use one or few applications you offer, and you can thusly simplify the process for them, by cutting the amount of username/password credentials your users have to maintain drastically.

Remember, though, that OpenID is not an ID verification service! If you plan to use OpenID in an intranet, you should have users use an OpenID server you provide on the intranet, and not have them authenticate via, say This also allows you to fine-tune the data stored with OpenID accounts, for example organizational units, supervisors, etc.

As you can see, there is no single correct answer. Neither RubyCAS nor Ruby-OpenID are silver bullets, solving all your account problems. It is a question of what fits your usage-scenario the best.


Anonymous said...

Another option for deploying OpenID for an intranet is JanRain's OpenID for Domains:

This is a hosted solution that is pretty quick and easy to deploy:

Anonymous said...

Why does it have to be either/or? Is there anything that stops you from using CAS for the "Single" and OpenID for the "Sign-On" part? I.e. use OpenID to log in to the CAS server.


Unknown said...

Brian, while this is interesting, it is not always a good idea to host something as sensitive as usernames and passwords externally, at least in an intranet. Not to mention that you might be punching a hole into a network that shouldn't talk to the outside world, ever.

However, it is an interesting option.

jwmittag: Why bother? If you use Single Sign On somewhere, you already have some kind of central user storage. Why make that more complicated than necessary, by adding a CAS authenticator to authenticate via OpenID? KISS principle, DRY principle, and probably YAGNI, too. ;)

One solution is less work load to maintain, easier to extend, and easier to administrate. Not to mention that it is easier to create fail-over solutions for just one authentication service.

If you are talking about a mixed-mode scenario, where you want to offer users the option to sign in once via OpenID, you'll have to do some hacking, but it is possible.

As I said in an earlier post: RubyCAS (and CAS in general), allows for custom authenticators, so the option is there.

欧兰辉 said...

I just translate your aritcle in Chinese. Please visit Please let me know if you do not like.

Unknown said...

Feel free to translate. :)