No. It’s not. You need a PT for the API domain.
From: [email protected] [mailto:[email protected]] On Behalf Of Destiny Child
Sent: Sunday, December 20, 2015 3:01 AM
To: CAS Community <[email protected]>
Subject: [cas-user] CAS server cross subdomain ST ticket

I have my own Jasig CAS server: https://cas.example.com

Also, I have two subdomains (applications) connected to this CAS server, for example:

https://ui.example.com
https://api.example.com

I can successfully create an ST ticket for https://ui.example.com with the following request:

https://cas.example.com/login?service=https://ui.example.com

response:

https://cas.example.com/?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com/

but I'm unable to use this ticket for https://api.example.com

https://api.example.com/api/v1.0/account?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com

with the following error:

access to this resource is forbidden","errors":[{"field":"BadCredentialsException","message":"\n Ticket \u0027ST-5-p5rVK3OWBKPzwAAZteNw-cas-dev.cfwdev.com\u0027 does not match supplied service. The original service was \u0027https://ui.example.com/\u0027 and the supplied service was \u0027https://api.example.com/api/v1.0/account

This is my service configuration:

    {
      "@class" : "org.jasig.cas.services.RegexRegisteredService",
      "serviceId" : "^(http?|https?)://.*example.com/.*",
      "name" : "example.com dev",
      "theme" : "example",
      "id" : 20000002,
      "description" : "example.com dev environment",
      "proxyPolicy" : {
        "@class" : "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
        "pattern" : "^(http?|https?)://.*example.com/.*"
      },
      "evaluationOrder" : 2,
      "usernameAttributeProvider" : {
        "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
      },
      "logoutType" : "BACK_CHANNEL",
      "attributeReleasePolicy" : {
        "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
        "principalAttributesRepository" : {
          "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
        },
        "authorizedToReleaseCredentialPassword" : false,
        "authorizedToReleaseProxyGrantingTicket" : false
      },
      "accessStrategy" : {
        "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
        "enabled" : true,
        "ssoEnabled" : true
      }
    }

Is it possible to issue one ST ticket that will be accepted by both of these subdomains, https://ui.example.com and https://api.example.com?

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
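Added example, not part of the original thread and not CAS server code: a small in-memory model of the CAS protocol rule discussed above, showing why an ST issued for the UI fails validation at the API and how the UI obtains a PT for the API instead. The class and method names are hypothetical; the endpoint names in the docstrings and the INVALID_SERVICE / INVALID_TICKET codes are those of the CAS protocol.

```python
# Added illustration of CAS ticket/service binding; MiniCas is hypothetical.
# Simplification: the PGT is returned directly instead of via a pgtUrl callback.
import secrets

class MiniCas:
    def __init__(self):
        self.st = {}   # service ticket -> (user, service it was issued for)
        self.pgt = {}  # proxy-granting ticket -> (user, proxying service)
        self.pt = {}   # proxy ticket -> (user, target service, proxy chain)

    def login(self, user, service):
        """/login?service=...: issue a one-time ST bound to `service`."""
        ticket = "ST-" + secrets.token_urlsafe(16)
        self.st[ticket] = (user, service)
        return ticket

    def service_validate(self, ticket, service, want_pgt=False):
        """/serviceValidate: succeeds only for the service the ST was issued for."""
        user, issued_for = self.st.pop(ticket, (None, None))  # consumed either way
        if user is None:
            return {"ok": False, "code": "INVALID_TICKET"}
        if issued_for != service:
            return {"ok": False, "code": "INVALID_SERVICE"}
        result = {"ok": True, "user": user}
        if want_pgt:
            pgt = "PGT-" + secrets.token_urlsafe(16)
            self.pgt[pgt] = (user, service)
            result["pgt"] = pgt
        return result

    def proxy(self, pgt, target_service):
        """/proxy: the proxying app trades its PGT for a PT bound to the target."""
        if pgt not in self.pgt:
            return None
        user, proxy_service = self.pgt[pgt]
        ticket = "PT-" + secrets.token_urlsafe(16)
        self.pt[ticket] = (user, target_service, [proxy_service])
        return ticket

    def proxy_validate(self, ticket, service):
        """/proxyValidate: the target validates the PT against its own URL."""
        user, issued_for, chain = self.pt.pop(ticket, (None, None, None))
        if user is None:
            return {"ok": False, "code": "INVALID_TICKET"}
        if issued_for != service:
            return {"ok": False, "code": "INVALID_SERVICE"}
        return {"ok": True, "user": user, "proxies": chain}
```
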
