How to auto-provision accounts when Confluence is using JASIG CAS SSO for authentication?

Hello,

I have CASified my Confluence 5 installation for single sign-on (SSO), and I was wondering if folks out there had solutions to auto-provision accounts.

CAS works, but if the user does not already have a local Confluence account with the UID set as the username, then a redirect loop occurs between the CAS client and the CAS server.

Example:

• CAS username = johndoe
• CAS UID = 1000
• Confluence username = 1000 (MUST be this or things break)

Questions:

1. Are there solutions to auto-provision accounts?
2. There is an LDAP server in my organization where I can get UIDs from. Is LDAP my only option to auto-provision accounts before users' first login?
3. Or is there simple way to modify the CAS client so that it will create a new Confluence user account for any successfully authenticated CAS user that does not already exist? Anyone else out there doing this on a large scale?

Side note and tip on CAS and Confluence integration:

• To get JASIG CAS 3.3+ client to work with Confluence, there is an undocumented option that must go in your seraph-config.xml file:

  • <authenticator class="org.jasig.cas.client.integration.atlassian.Confluence35CasAuthenticator"/>

  • The "35" in the above line is undocumented and required for things to work in newer CAS client builds. This is not reflected in the JASIG article here: https://wiki.jasig.org/display/CASC/Configuring+Confluence+with+JASIG+CAS+Client+for+Java+3.1

Thanks!