> On Feb 8, 2016, at 8:14 PM, Robert <[email protected]> wrote: > > Our current Production Setup > > For CAS3.x.x having SSL was not required to support Single Sign On. This was > perfect as we have Reverse Proxy Servers fronting our Application Server farm > and it took care of providing all TLS for our user facing interface. All > handshake between the reverse-proxy server and JBOSS/ IBM WAS server farm was > “as if” no SSL was in place. This also helped us immensely in terms of > performance, as all SSL encryption/decryption was handled on our Reverse > Proxy Servers. And helped cut cost for our clients in terms of maintaining > and purchasing certificates to bare essential. >
All of that still true in CAS4. > > > Now, we are trying to work with CAS4 > > We found out that it requires HTTPS or else Single Sign On just won’t work. > HTTPS is always required by default. How you satisfy that requirement remains the same across all CAS versions. There are not considerations on the CAS side to dictate a particular form of container configuration. > Can you help us understand as to how do we make this new solution work within > our production sites? > > 1. Will this not force us to have certificates deployed on each > and every Application Server? How do we make our clients understand the cost > benefit of doing so when having Reverse Proxy Fronting was already taking > care of this? > > 2. What happens where the server farms are running behind 3-Zone > architecture? > > 3. What would be performance hit on Application Server when during > peak load the server would also have to deal with TLS over and above the work > that it is currently supposed to be handling? > > > > Can we turn off this HTTPS requirement to support SSO with CAS4? If so can > you help us as to where to begin. > You can enable SSO without HTTPS. This is of course a bad idea. > > Our situation has become very urgent, so we don't mind if we have to write > Java code and change XML configuration. > > > > Thanks for your help. > > > -- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected] > <mailto:[email protected]>. > Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/ > <https://groups.google.com/a/apereo.org/group/cas-user/>. -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
