The short answer is yes, this is possible. Unicon has worked with a client who did exactly what you've described. Back in the day (circa 2005) when I was at Rutgers we implemented the shared secret solution.
This isn't directly supported in the current Jasig CAS distribution. The raw materials are mostly there...but you'll need some custom work to complete the solution.

This makes me think again that extended attributes, PGT, ClearPass, etc. could all be included in the validation response as long as the client is authenticated/authorized (via whatever means).

Best,
Bill

On Mon, Apr 29, 2013 at 7:35 AM, Fernando Valente <fernandolv.so...@gmail.com> wrote:

> Hello,
> I'm testing the CAS solution in a company environment and my first impressions were very good. We managed to casify both WebLogic Server 10.3.5 and NetWeaver 7.3. The single sign-on and the proxy ticket scenarios worked very well.
>
> Then we started planning how this solution would work in a clustered production environment. And we noticed that we would need a distributed cache on the client side because, according to the documentation of the CAS 2.0 Protocol, the service that wants to play the role of proxy is responsible for persisting the PGT IOU and the PGT, and this PGT is received through a call request to the callbackProxyURL.
>
> Reason (taken from http://www.yale.edu/tp/auth/cas20.html):
>
> "This indirection is necessary to let CAS validate the service using its server certificate, which was deemed the simplest way to provide for mutual authentication, in the field, of services. Custom certificates, and locally shared secrets, are other options, but both were deemed less convenient."
>
> So, my question is: Could I implement a 2-way SSL handshake between the client and the server instead of the indirection described above? This way the mutual authentication would still happen and PGT IOU/proxyCallbackUrl wouldn't be necessary. So the PGT would be retrieved in the service validation instead of the PGT IOU, and the client would put the PGT in the user session and normal session replication could be used in a clustered environment, ending the need for a distributed cache on the client side.
>
> --
> You are currently subscribed to cas-dev@lists.jasig.org as: wgt...@gmail.com
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
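The PGT IOU / proxy-callback bookkeeping Fernando describes, as an added example that is not from the thread or from any CAS client library: it records the callback CAS makes to the proxy callback URL, parses a /serviceValidate response to get the IOU, and resolves the IOU to the PGT, which is exactly the mapping a clustered client has to share between nodes. The class and function names and the sample response are constructed for illustration.

```python
# Added example, not from the cas-dev thread. Hypothetical helper names:
# ProxyCallbackStore, handle_proxy_callback, parse_service_validate, build_proxy_url.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used by CAS 2.0 responses

class ProxyCallbackStore:
    """PGT IOU -> PGT mapping. An in-process dict here; in a cluster every node
    must see the same map, because CAS may deliver the callback to node A while
    node B receives the serviceValidate response that carries the IOU."""
    def __init__(self):
        self._iou_to_pgt = {}

    def put(self, pgt_iou, pgt_id):
        self._iou_to_pgt[pgt_iou] = pgt_id

    def pop(self, pgt_iou):
        # One-shot: an IOU should be redeemed exactly once.
        return self._iou_to_pgt.pop(pgt_iou, None)

def handle_proxy_callback(store, query):
    """Handle CAS's GET proxyCallbackUrl?pgtIou=...&pgtId=... . CAS makes this
    call before it returns the validation response, so the mapping must already
    be visible to whichever node handles that response. Returns True if stored."""
    pgt_iou, pgt_id = query.get("pgtIou"), query.get("pgtId")
    if not pgt_iou or not pgt_id:
        return False
    store.put(pgt_iou, pgt_id)
    return True

def parse_service_validate(xml_text):
    """Return (user, pgt_iou) from a /serviceValidate body, or None on failure."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None
    user = success.findtext("cas:user", namespaces=CAS_NS)
    pgt_iou = success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)
    return user, pgt_iou

def build_proxy_url(cas_base, pgt, target_service):
    """URL the service calls to obtain a proxy ticket once it holds the PGT."""
    return cas_base + "/proxy?" + urlencode({"pgt": pgt, "targetService": target_service})

# Constructed sample response, as a CAS 2.0 server would return it.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>fvalente</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-1-abc</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
```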