Thanks for picking this up, David.

> A TGT is created to establish the Single Signon Session with the
> client. An ST (service ticket) is created for a specific application
> to enable retrieving the identity and attributes of the client (one time use).
>
> This picture might help: http://goo.gl/E75V7O

That picture represents the flow between client, CAS server and possible other services though, and I looked at that, but it doesn't really tell me about the flow inside the CAS server (which is where I'm having trouble understanding how things hang together). :-/

> There are a number of "CAS Clients" and each has a different way of
> releasing the subject and attributes to the protected application.

What is 'the subject'? Is that the principal object? If so, can the principal differ from the actual credentials used, for example, if I use an authenticator to authenticate 'b...@uni.edu', the principal would not necessarily be 'b...@uni.edu' or even 'bob', but perhaps 's55694', correct? That depends on the credential-to-principal resolver, right?

> The "mod_auth_cas" apache module will use HTTP headers and also the
> apache "REMOTE_USER" environment variable which can be used by apache
> itself and is passed on in AJP proxying. Which client are you using?

I don't know which one to use because I have various applications (some Java, some non-Java) and because I don't know what will be returned when. Hence my question.

> This question comes up on occasion; others can answer better. I think
> that in CAS 4.0, these steps (authentication and attribute retrieval)
> are combined, so you don't have the same issue.

If this is the case, then this might resolve my problem that I'm experiencing at the moment. So yeah, if one of the CAS devs could answer this one, that would be great.

With Regards

Stefan