Reply To: Identity Management – Central Authentication Service (CAS)

#684
bpietrewicz
Keymaster

The answers to these questions are complicated but I will attempt to simplify:

Q: CAS is definitely an Authorization service. I’m not sure it qualifies as an Identity Management service.

A: Agreed. CAS is actually not authorization. It is authentication. CAS is listed as IDM because it is one of the tools that can be used to integrate systems to be able to use NetID. If you have an application that you would like to authenticate using NetID, CAS is one of the tools available to do that.

Q: Given the increased adoption of AD, what is the long term plan for CAS? Is there a convergence between the two services planned? If CAS is to continue, is there a documented way that we can address the secondary authorization question for sites and services using CAS using group membership?

A: CAS is a pass-through mechanism for authenticating NetIDs. Currently it points at LDAP, but it can be pointed at AD as well. AD and LDAP are synchronized, so either will handle authentication for NetIDs. CAS only does authentication. It does not do authorization. Therefore it does not take advantage of groups. If you have an application that needs external authorization (groups), it would need to be integrated with AD or LDAP.

Q: Where does LDAP fit into the service boundaries of CAS and AD?

A: CAS is tied to the NetID SLA in terms of boundaries in that it authenticates NetIDs.

I realize the answers to these questions are confusing/complicated. If you have additional questions regarding how to authenticate or authorize an application or system using NetID, please put in a service request and we will walk you through the options.
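The split the reply describes, CAS answering only "who is this NetID?" and the directory answering "what groups are they in?", as an added example (not code from the thread or from any campus service): it parses a constructed CAS 2.0 `/serviceValidate` response to get the authenticated NetID, then makes a separate authorization decision against a constructed group table standing in for an AD/LDAP membership query.

```python
import xml.etree.ElementTree as ET

# Namespace used by CAS protocol responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses in the CAS 2.0 serviceValidate format (not captured from a real server).
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-12345 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# Constructed stand-in for group membership that would normally come from AD or LDAP.
GROUP_MEMBERSHIP = {"jdoe": {"staff", "finance-app-users"}, "asmith": {"students"}}


def authenticated_netid(service_validate_xml: str):
    """Step 1 (authentication): extract the NetID from a CAS serviceValidate response.
    Returns the NetID on success, or None when CAS reports an authentication failure."""
    root = ET.fromstring(service_validate_xml)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None or not user.text:
        return None
    return user.text.strip()


def is_authorized(netid: str, required_group: str, groups=GROUP_MEMBERSHIP) -> bool:
    """Step 2 (authorization): CAS carries no group information, so membership
    must be checked against the directory (here the constructed dict above)."""
    return required_group in groups.get(netid, set())


def access_decision(service_validate_xml: str, required_group: str) -> str:
    """Combine both steps: an unauthenticated request is denied before any group check,
    and an authenticated NetID is still denied unless the directory puts it in the group."""
    netid = authenticated_netid(service_validate_xml)
    if netid is None:
        return "deny: not authenticated"
    if not is_authorized(netid, required_group):
        return f"deny: {netid} authenticated but not in {required_group}"
    return f"allow: {netid}"
```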