In partial answer to your question: generally most people either only use CAS REST or only the CAS protocol. If you want to mix the two, the way we have done it (this was to make use of REST for login, and use the forgot-password features of CAS) was to have the app doing the REST auth create the TGC cookie. They are on the same domain.
So auto-log the user in without leaving forms, or after registration, using the REST protocol. If you want to have an SSO session in the user's browser at that point, then if you are on the same domain as the CAS server, have your application create the TGC cookie. If you are on different subdomains you will need to change the CAS TGC settings so that the domain is set to the high-level domain instead. From cas.properties:

cas.tgc.path=/
cas.tgc.maxAge=-1
cas.tgc.domain=mydomain.com
cas.tgc.name=CASTGC
cas.tgc.secure=true
cas.tgc.httpOnly=true

There is TGC encryption. So either you would need to program your application to do the encryption exactly as is in the CAS code, or turn the encryption off. If you do create the CAS TGC cookie in your other app, remember to set it to be HTTP-only and secure.

If you are not on the same domain then I have no solution for mixing CAS REST with the CAS protocol. You can always just do everything with the REST protocol.

From: cas-user@apereo.org <cas-user@apereo.org> On Behalf Of Michael Kubovic
Sent: Wednesday, January 9, 2019 8:39 AM
To: CAS Community <cas-user@apereo.org>
Subject: [cas-user] Evaluation of CAS features/suitability

Hello all,

I'm evaluating Apereo CAS for our company and I have a few features that I'd like to discuss. I have a list of features that seem to be possible with CAS; I'd just need a little guidance on how to choose appropriate extension points/protocols.

We have several customer-facing PHP web apps and then several internal protected PHP services. I'm looking for a central authentication service that we could integrate into our environment and bring in SSO between the customer-facing web apps.

For existing customers, ability to authenticate during the checkout process (product customisation) without leaving the form, before the order is submitted (AJAX, ROPC, iframe…)
At this point it's not necessary to have an SSO session; the application can authenticate the user using REST or OAuth2 ROPC. It will leave the user without an SSO session, but that's fine for us during the checkout process.

We need a way for guests to auto-create an SSO session after submitting the order (auto-login after registration)
Fairly basic use case: the user just gave our webapp his credentials. We can leverage UMA to create a user; so far so good. But at this point we'd like to do a browser redirect to the CAS domain to acquire the SSO cookie and then back to choose a payment method. The same mechanism that I'm missing here may be used for the above scenario to convert the webapp security session to a full SSO session after the user submits the order form. A chain of redirects can safely happen at this point.
I have found a discussion (https://groups.google.com/forum/#!topic/jasig-cas-user/_hxJtQA_KM4) where a user suggests https://github.com/epierce/cas-server-extension-token. Is this an officially recommended solution?
Alternative approach I'm thinking about: the docs (https://apereo.github.io/cas/4.2.x/installation/Configuring-SSO-Session-Cookie.html) say that "What this means is, logging in to a non-SSO-participating application via CAS nonetheless creates a valid CAS single sign-on session that will be honored on a subsequent attempt to authenticate to a SSO-participating application." And that makes me think about leveraging the REST protocol for webapp<->CAS user authentication. Once I've got the TGT, I store it securely in the application session, and once a redirect can occur, e.g. the user submits the form, I'd like to redirect the user to CAS and let CAS use that TGT to create the TGC cookie. Is there a way?

Rate-limiting failed login attempts, counted per IP address and separately per username
The docs say that throttling is supported; they just do not state whether it's possible to employ both strategies at the same time.

After the user gets blocked by reaching the limit per username, allow them to unblock their account through an email link sent to their contact email address
Also I'd need a way to unblock the user. If the information about the blocked user is stored in a datasource, I could unblock the user by overwriting the right piece of information from another service, but this does not sound right.

GeoIP protection, allow whitelisting countries
I see some notes on adaptive authentication, but don't see any extension points here to provide per-user configuration. What would be the recommended way to deal with this?

IP whitelist, allow only whitelisted networks and IP addresses
Same as above: adaptive authentication could be used, but the per-user configuration seems missing.

Ability to request a special email link to unblock the account by altering security settings for the feature that caused the block (add IP address to whitelist, add country to whitelist, reset the login-based failed-attempts limit)
I'd like to be able to create a standalone service, or extend CAS to provide this functionality. The former seems easier to achieve; however, I'm not sure whether there is a CAS-supported way to generate one-time, time-constrained links that another service could send by email and validate later.

Forgotten password recovered through SMS
Forgotten login recovered by a matching phone number and SMS code
As I understood from the docs, CAS contains limited management of user credentials and it is recommended to redirect the user to a standalone application. That seems reasonable; could it be a user interface of our custom identity management service?
Authentication with API keys that allow our customers to manage our products via REST API (not a delegated authentication scheme, just a list of revokable, time-constrained API keys per user)
At first it seemed to me that JWT authentication could be used, but since a JWT can't be simply revoked, it's probably not the best fit; maybe something like a "service account" validated through REST authentication would do?

Any help is appreciated.

Michael

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/dbcf8210-006d-4196-9bda-1ef3bba20561%40apereo.org.
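As an added example (not the thread authors' or the CAS project's code): a small Python helper that reads the cas.tgc.* block quoted in the reply, emits the Set-Cookie header an application on the shared parent domain would send for the TGC, and flags the settings the reply warns about (Secure, HttpOnly, parent-domain scope when app and CAS sit on different subdomains). It assumes the cookie value handed in is already in the form CAS accepts, i.e. produced with CAS's own TGC encryption or with that encryption turned off server-side.

```python
# Added example, not code from the CAS project or the thread's authors: reads the cas.tgc.*
# block quoted in the reply (constructed sample below), emits the Set-Cookie header an app on
# the shared parent domain would send for the TGC, and audits the settings first. It assumes
# the cookie value is already what CAS accepts (CAS-encrypted, or TGC encryption turned off).

CAS_PROPERTIES = """
cas.tgc.path=/
cas.tgc.maxAge=-1
cas.tgc.domain=mydomain.com
cas.tgc.name=CASTGC
cas.tgc.secure=true
cas.tgc.httpOnly=true
"""

def tgc_settings(properties: str) -> dict[str, str]:
    """Pick cas.tgc.* keys out of cas.properties text, minus the prefix."""
    out = {}
    for line in properties.splitlines():
        line = line.strip()
        if line.startswith("cas.tgc.") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()[len("cas.tgc."):]] = value.strip()
    return out

def is_true(settings: dict[str, str], key: str) -> bool:
    return settings.get(key, "false").strip().lower() == "true"

def build_set_cookie(settings: dict[str, str], value: str) -> str:
    """maxAge=-1 is CAS's session-cookie setting, so no Max-Age attribute is emitted."""
    parts = [f"{settings.get('name', 'TGC')}={value}", f"Path={settings.get('path', '/')}"]
    if settings.get("domain"):
        parts.append(f"Domain={settings['domain']}")
    if int(settings.get("maxAge", "-1")) >= 0:
        parts.append(f"Max-Age={settings['maxAge']}")
    parts += [flag for key, flag in (("secure", "Secure"), ("httpOnly", "HttpOnly"))
              if is_true(settings, key)]
    return "; ".join(parts)

def audit(settings: dict[str, str], app_host: str, cas_host: str) -> list[str]:
    """Findings to clear before letting an application mint the TGC itself."""
    findings = []
    if not is_true(settings, "secure"):
        findings.append("cas.tgc.secure=false: the TGC is a bearer credential, send it over TLS only")
    if not is_true(settings, "httpOnly"):
        findings.append("cas.tgc.httpOnly=false: page scripts could read the TGC")
    domain = settings.get("domain", "")
    shared = bool(domain) and all(h == domain or h.endswith("." + domain) for h in (app_host, cas_host))
    if app_host != cas_host and not shared:
        findings.append("cas.tgc.domain must be the parent domain shared by the app and CAS")
    return findings
```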