If something is fronting CAS that is terminating SSL, you should be able to indicate to the servlet container hosting CAS that it really is a secure connection. Does that not work? (Sorry, I can't remember the specifics of it.)

On Mon, Feb 8, 2016 at 12:52 PM, Robert <[email protected]> wrote:
> Hi Misagh,
>
> Thanks for your reply.
>
> How can we enable SSO without HTTPS?
>
> On Monday, February 8, 2016 at 12:20:57 PM UTC-5, Misagh Moayyed wrote:
>>
>> On Feb 8, 2016, at 8:14 PM, Robert <[email protected]> wrote:
>>
>> *Our current Production Setup*
>>
>> For CAS3.x.x having SSL was not required to support Single Sign On. This
>> was perfect as we have Reverse Proxy Servers fronting our Application
>> Server farm and it took care of providing all TLS for our user facing
>> interface. All handshake between the reverse-proxy server and JBOSS/ IBM
>> WAS server farm was “as if” no SSL was in place. This also helped us
>> immensely in terms of performance, as all SSL encryption/decryption was
>> handled on our Reverse Proxy Servers. And helped cut cost for our clients
>> in terms of maintaining and purchasing certificates to bare essential.
>>
>> All of that still true in CAS4.
>>
>> *Now, we are trying to work with CAS4*
>>
>> We found out that it requires HTTPS or else Single Sign On just won’t
>> work.
>>
>> HTTPS is always required by default. How you satisfy that requirement
>> remains the same across all CAS versions. There are no considerations on
>> the CAS side to dictate a particular form of container configuration.
>>
>> Can you help us understand as to how do we make this new solution work
>> within our production sites?
>>
>> 1. Will this not force us to have certificates deployed on each and
>>    every Application Server? How do we make our clients understand the
>>    cost benefit of doing so when having Reverse Proxy Fronting was
>>    already taking care of this?
>>
>> 2. What happens where the server farms are running behind 3-Zone
>>    architecture?
>>
>> 3. What would be performance hit on Application Server when during peak
>>    load the server would also have to deal with TLS over and above the
>>    work that it is currently supposed to be handling?
>>
>> Can we turn off this HTTPS requirement to support SSO with CAS4? If so
>> can you help us as to where to begin.
>>
>> You can enable SSO without HTTPS. This is of course a bad idea.
>>
>> Our situation has become very urgent, so we don't mind if we have to
>> write Java code and change XML configuration.
>>
>> Thanks for your help.

--
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
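
The first reply in this thread suggests telling the servlet container that a request forwarded by the TLS-terminating proxy really is secure. The servlet filter below is an added example of that idea, not code from the thread or from CAS; the proxy addresses, the use of the `X-Forwarded-Proto` header, the public port 443 and the class name are assumptions about the deployment.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter: marks a request as HTTPS only when a trusted proxy vouches for it.
public class TrustedProxySchemeFilter implements Filter {
    // Assumption: addresses of the reverse proxies that terminate TLS (constructed values).
    private static final Set<String> TRUSTED_PROXIES =
            new HashSet<>(Arrays.asList("10.0.0.10", "10.0.0.11"));
    // Assumption: port on which the proxy serves HTTPS to users.
    private static final int PUBLIC_HTTPS_PORT = 443;

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest http = (HttpServletRequest) req;
        // The header is honoured only when the TCP peer is one of our proxies;
        // a client that reaches the app server directly cannot claim "https".
        boolean fromProxy = TRUSTED_PROXIES.contains(http.getRemoteAddr());
        boolean viaTls = "https".equalsIgnoreCase(http.getHeader("X-Forwarded-Proto"));
        if (!(fromProxy && viaTls)) {
            chain.doFilter(req, res); // request passes through unchanged (still plain HTTP)
            return;
        }
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public boolean isSecure() { return true; }
            @Override public String getScheme() { return "https"; }
            @Override public int getServerPort() { return PUBLIC_HTTPS_PORT; }
            @Override public StringBuffer getRequestURL() {
                // Rebuild the URL as the user saw it; assumes the proxy preserves Host.
                StringBuffer url = new StringBuffer("https://").append(getServerName());
                if (PUBLIC_HTTPS_PORT != 443) url.append(':').append(PUBLIC_HTTPS_PORT);
                return url.append(getRequestURI());
            }
        }, res);
    }
}
```

Map the filter ahead of the application's other filters in `web.xml`, and have the proxy overwrite any `X-Forwarded-Proto` value supplied by the client.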
