sol myr wrote:
>
> Sorry for being vague - we'd like the client to obtain a Kerberos
> ticket, use it to log into the SSO server, which would validate the
> Kerberos ticket and then allow the client to access the business
> application.
>
> When the SSO server is specifically CAS, it feels like lots of
> indirection and round-trips (involving both Kerberos ticket *and* CAS
> TGC)...

Yes, but these roundtrips are only done once per session.

> So I wondered whether it's really what people do (assuming they want
> Kerberos)?

In the CAS project I'm currently doing for a customer we decided to go for CAS and implement Kerberos with AD with an automatic fall-back to LDAP-based authc against AD if Kerberos did not work for any reason. Also in another CAS deployment at the same customer a completely different authc database is used. But in any case the application developers and the server operators only have to know the CAS mechanisms.

> Or is there some magical "trick" to issue only one ticket (kerberos) and
> skip the extra TGC?

You can directly integrate your web servers with Kerberos. This can be more tricky since you might have to either "kerberize" PHP applications, compile Apache modules etc. It depends on your server landscape. At the project mentioned above we decided to avoid the hassle. Your mileage may vary.

Ciao, Michael.
