Hi,
I'm very new to CAS/SSO, and was wondering about its design choice.
I'd be grateful if someone has the time to explain:
I gather CAS flow is essentially:
- Browser authenticates to the SSO server, and receives a reusable TGC cookie.
- With this TGC, it can now obtain one-time STs (one ST per application).
- With the ST, the browser can connect to the application (the ServletFilter
validates the ST against the SSO server).
Now, I had a look at OpenSSO. I'm a newbie there too, but I *think* OpenSSO has
a shorter flow, kind of like a "reusable ST" shared for all applications:
- Browser authenticates to the SSO server, and receives a reusable SsoToken
cookie.
- With this SsoToken, the browser can connect to all applications (the
ServletFilter validates the SsoToken against the SSO server).
So I was wondering - why did CAS designers prefer the more 'sophisticated' flow?
The best I could come up with was, that if some eavesdropping Bad Guy gets hold
of an ST (in CAS), he can only break into a single application, and even that
requires speed and luck (because the ST is one-time)... but then again, if Bad Guy
gets hold of the TGC, he can still break into all applications, can't he...? So
that is the advantage?
Thanks!
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
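Added illustration (not part of the post above, and not CAS or OpenSSO code): a constructed Python simulation of the two flows the post describes. The class names, the service URLs and the credential dict are invented for the example, and the shared-token side is modelled only as the post sketches it, not from OpenSSO's real implementation. It shows the property the question is circling: a CAS service ticket captured from one application's request is consumed on first use, is bound to the service it was minted for and expires quickly, and the application itself only ever handles an ST, never the TGC (which the browser sends only to the CAS server). A shared SSO token, by contrast, is handed to every application and validates at all of them, so whoever reads it, including a compromised application, can act as the user everywhere. A stolen TGC still mints fresh STs for every service, as the post suspects.

```python
"""Constructed simulation of the CAS ticket model (TGC -> one-time ST per
service -> back-channel validation) beside a shared-SSO-token model.
Illustration only; CasServer, CasProtectedApp, SharedTokenServer, the
service URLs and the credential dict are invented, not CAS/OpenSSO code."""
import secrets
import time


class CasServer:
    """Minimal CAS-style server. The TGT id is what the TGC cookie carries."""
    def __init__(self, users, st_ttl=10.0):
        self.users = users      # constructed credential store {user: password}
        self.tgts = {}          # TGT id -> username
        self.sts = {}           # ST id -> (tgt, bound service, issued_at)
        self.st_ttl = st_ttl    # seconds an unused ST stays valid

    def login(self, username, password):
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self.tgts[tgt] = username
        return tgt              # browser keeps this as the CASTGC cookie

    def issue_service_ticket(self, tgc, service, now=None):
        """/login?service=... with a valid TGC: mint an ST bound to that service."""
        if tgc not in self.tgts:
            raise PermissionError("no SSO session")
        st = "ST-" + secrets.token_urlsafe(24)
        self.sts[st] = (tgc, service, time.time() if now is None else now)
        return st               # browser is redirected to service?ticket=<st>

    def service_validate(self, st, service, now=None):
        """/serviceValidate: consume the ST, check its binding and age."""
        entry = self.sts.pop(st, None)      # pop() makes the ticket single-use
        if entry is None:
            return None
        tgt, bound_service, issued = entry
        if bound_service != service:
            return None         # ticket was minted for a different application
        if (time.time() if now is None else now) - issued > self.st_ttl:
            return None         # ticket too old
        return self.tgts[tgt]


class CasProtectedApp:
    """The ServletFilter's job: validate the ST, then run a local session."""
    def __init__(self, name, cas):
        self.name = name        # service URL the tickets are bound to
        self.cas = cas
        self.sessions = {}      # local session id -> username

    def handle(self, st):
        user = self.cas.service_validate(st, self.name)
        if user is None:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid              # app-local cookie; the app never saw the TGC


class SharedTokenServer:
    """Shared-token model: every app receives and validates the same token."""
    def __init__(self, users):
        self.users = users
        self.tokens = {}        # token -> username

    def login(self, username, password):
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        tok = "SSO-" + secrets.token_urlsafe(24)
        self.tokens[tok] = username
        return tok

    def validate(self, token):
        return self.tokens.get(token)       # reusable, not bound to any app


def demo():
    # Run both models and report what each kind of captured credential buys.
    users = {"alice": "correct horse"}
    cas = CasServer(users)
    app_a = CasProtectedApp("https://a.example/", cas)
    app_b = CasProtectedApp("https://b.example/", cas)
    tgc = cas.login("alice", "correct horse")
    st = cas.issue_service_ticket(tgc, app_a.name)
    first_use_ok = app_a.handle(st) is not None
    replay = app_a.handle(st)               # eavesdropper replays it: consumed
    cross_service = app_b.handle(cas.issue_service_ticket(tgc, app_a.name))
    stale = cas.service_validate(
        cas.issue_service_ticket(tgc, app_b.name, now=0.0), app_b.name, now=60.0)
    # Whoever holds the TGC can mint fresh STs for every service.
    tgc_theft = app_b.handle(cas.issue_service_ticket(tgc, app_b.name)) is not None
    shared = SharedTokenServer(users)
    tok = shared.login("alice", "correct horse")
    # The same token presented by "app A", "app B", or an eavesdropper keeps working.
    shared_reuse = all(shared.validate(tok) == "alice" for _ in range(3))
    return {"first_use_ok": first_use_ok, "replay": replay,
            "cross_service": cross_service, "stale": stale,
            "tgc_theft": tgc_theft, "shared_reuse": shared_reuse}
```

Calling `demo()` returns the six outcomes: only the first use of the ST at its own service succeeds, while the replay, the cross-service presentation and the stale ticket all validate to `None`; the TGC holder still gets into every service, and the shared token validates as often as it is presented.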