I understand CAS session handling has nothing to do with the application session 
for end users, but there IS a session per user/ticket granted on the CAS side?
I'd say you only need to maintain the mapping between them (ticket granted <-> 
user), and that's what I thought the ticket store does.

Regarding SLO, why not assume the same thing? CAS only needs to take care of 
invalidating/expiring/removing the ticket granted for a user logging off and let 
applications take care of their own part (invalidating their own sessions, etc.).


javier


-----Original Message-----
From: William G. Thompson, Jr. [mailto:wgt...@gmail.com]
Sent: Thu 6/21/2012 1:17 PM
To: cas-dev@lists.jasig.org
Subject: Re: [cas-dev] CAS Session management
 
On Wed, Jun 20, 2012 at 5:14 PM, Javier Fradiletti <jfradile...@k12.com> wrote:
>
> Hi,
> I am evaluating CAS for a high-load/enterprise scenario.
> One of the big questions I have is what's the session management at server 
> side that CAS does, what it maintains, what it expects to receive from the customer, 
> etc.


CAS wants to maintain and control the WebSSO session in the form of
the TicketGrantingTicket and a TGTId which is shared between the
user-agent and the CAS server in the form of a secure cookie.

CAS is not an application session manager in that it is the
responsibility of the applications to maintain and control their own
application sessions.  Once authentication is completed, CAS is
typically out of the picture in terms of the application sessions.

This is blurred a bit if you are using Single Log Out support.   With
SLO, a CAS logout event will end the WebSSO session and attempt to end
associated application sessions via a backchannel http call.  SLO
comes with a bunch of challenges in an enterprise wide deployment
scenario.

https://fed-lab.org/best-practises/single-logout/
http://tinyurl.com/82uxgcq

Best,
Bill


>
>
> Just as an FYI, I am looking at a stateless authentication 
> mechanism/framework/component, or as stateless as it can be, for several 
> reasons (backward compatibility to what we have today, 
> maintainability/clustering/HA considerations, RESTful API ready, among others).
>
> I've tried the basics, configuring and trying the RESTful samples 
> provided in the wiki, and everything seems to work fine (minus a problem I am 
> having with the Python example, not being redirected to the initial 
> protected resource).
>
> Thanks and will be great to receive more generic feedback about the product.
>
> Rgds,
>
> javier
>
> --
> You are currently subscribed to cas-dev@lists.jasig.org as: wgt...@gmail.com
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-dev




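The division of labour discussed in this thread (CAS keeps only the ticket <-> user mapping for the WebSSO session, applications keep their own sessions, and SLO expires the TGT and notifies services over the back channel) is easier to reason about with a small model in front of you. The following is an added example written for this note; it is not CAS's own code and does not use the CAS API. The ticket lifetimes, the cookie name `CASTGC`, the registry and application classes, and the choice to send one SAML-style LogoutRequest per service ticket issued are all assumptions made for illustration.

```python
# Illustrative model of a CAS-style WebSSO session and SLO back channel.
# Added example, not CAS project code; names and lifetimes are assumptions.
import secrets
import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("samlp", SAMLP)

TGT_TTL_SECONDS = 8 * 3600   # assumed WebSSO session lifetime
ST_TTL_SECONDS = 10          # assumed service-ticket lifetime; STs are single-use


@dataclass
class TicketGrantingTicket:
    id: str
    user: str
    created: float
    # service URL -> service-ticket ids issued to it; this is the SLO bookkeeping
    services: dict = field(default_factory=dict)


@dataclass
class ServiceTicket:
    id: str
    tgt_id: str
    service: str
    created: float


class TicketRegistry:
    """In-memory ticket store: the only server-side state is ticket <-> user."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be exercised
        self.tgts = {}
        self.sts = {}

    def login(self, user):
        # The TGT id is a bearer credential for the WebSSO session; make it unguessable.
        tgt = TicketGrantingTicket("TGT-" + secrets.token_urlsafe(32), user, self.now())
        self.tgts[tgt.id] = tgt
        return tgt.id

    def tgt_cookie(self, tgt_id):
        # Secure + HttpOnly keep the TGTId off plaintext links and out of page scripts.
        return f"CASTGC={tgt_id}; Path=/cas; Secure; HttpOnly; SameSite=Lax"

    def _live_tgt(self, tgt_id):
        tgt = self.tgts.get(tgt_id)
        if tgt is not None and self.now() - tgt.created > TGT_TTL_SECONDS:
            del self.tgts[tgt_id]        # expire lazily on next use
            tgt = None
        return tgt

    def grant_service_ticket(self, tgt_id, service):
        tgt = self._live_tgt(tgt_id)
        if tgt is None:
            return None
        st = ServiceTicket("ST-" + secrets.token_urlsafe(24), tgt_id, service, self.now())
        self.sts[st.id] = st
        tgt.services.setdefault(service, []).append(st.id)
        return st.id

    def validate(self, st_id, service):
        """Return the user for a service ticket, consuming it on the first attempt."""
        st = self.sts.pop(st_id, None)   # removed even if the check below fails
        if st is None or st.service != service or self.now() - st.created > ST_TTL_SECONDS:
            return None
        tgt = self._live_tgt(st.tgt_id)
        return None if tgt is None else tgt.user

    def logout(self, tgt_id):
        """End the WebSSO session; return (service, back-channel message) pairs."""
        tgt = self.tgts.pop(tgt_id, None)
        if tgt is None:
            return []
        return [(service, logout_request_xml(st_id))
                for service, st_ids in tgt.services.items() for st_id in st_ids]


def logout_request_xml(st_id):
    # SAML-style LogoutRequest carrying the service-ticket id as SessionIndex.
    req = ET.Element("{%s}LogoutRequest" % SAMLP,
                     {"ID": "LR-" + secrets.token_hex(8), "Version": "2.0",
                      "IssueInstant": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())})
    ET.SubElement(req, "{%s}SessionIndex" % SAMLP).text = st_id
    return ET.tostring(req, encoding="unicode")


class ApplicationSessions:
    """The application's own side: it maps the ST it was validated with to its session."""

    def __init__(self):
        self.by_st = {}

    def start(self, st_id, user):
        sid = "APPSESS-" + secrets.token_urlsafe(16)
        self.by_st[st_id] = (sid, user)
        return sid

    def handle_logout_request(self, xml_text):
        # Invalidate whichever local session was bound to the SessionIndex, if any.
        st_id = ET.fromstring(xml_text).findtext("{%s}SessionIndex" % SAMLP)
        return self.by_st.pop(st_id, None) is not None
```

The point of the model is the shape of the state, not the code itself: CAS holds nothing about the application session, only which tickets it issued to which service, and that bookkeeping is exactly what it needs to drive SLO. A stateless deployment can only shrink this so far, because the TGT must be revocable and service tickets must be single-use, which means some shared store has to exist across cluster nodes.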
