Okay, so I'm not thinking straight at 5:45 am CST. Sorry.

CAS is designed very similarly to the Kerberos protocol. The idea of using two types of tickets allows CAS to be secure because only the user and CAS know about the SSO cookie (TGT), while applications can negotiate with CAS for users' credentials through a one-time-use token (ST). If we had a single token that both server and application used, then it would take a single compromised service to capture that token and then masquerade as the user across that SSO-enabled system, not just a single application.
I have looked at other SSO systems (A-Select, Pubcookie, Cosign, etc.) but not OpenSSO, so I don't know if this magic token is really an ST with infinite uses that is passed around or if it is a TGT that applications use. Either way, these are bad ideas; I cannot imagine how they implement SSOut. When I get my head on, I can read more on this and reply later.

A-

--
Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400

-----Original Message-----
From: sol myr [mailto:[email protected]]
Sent: Thu 2/19/2009 4:34 AM
To: [email protected]
Subject: [cas-user] comparing the flow of CAS versus OpenSSO

Hi,

I'm very new to CAS/SSO, and was wondering about its design choice. I'd be grateful if someone has the time to explain:

I gather CAS flow is essentially:
- Browser authenticates to the SSO server, and receives a reusable TGC cookie.
- With this TGC, it can now obtain one-time STs (ST per application).
- With the ST, the browser can connect to the application (the ServletFilter validates the ST against the SSO server).

Now, I had a look at OpenSSO. I'm a newbie there too, but I *think* OpenSSO has a shorter flow, kind of like a "reusable ST" shared for all applications:
- Browser authenticates to the SSO server, and receives a reusable SsoToken cookie.
- With this SsoToken, the browser can connect to all applications (the ServletFilter validates the SsoToken against the SSO server).

So I was wondering - why did CAS designers prefer the more 'sophisticated' flow?

The best I could come up with was that if some eavesdropping Bad Guy gets hold of an ST (in CAS), he can only break into a single application, and even that requires speed and luck (because the ST is one-time)... but then again, if Bad Guy gets hold of the TGC, he can still break into all applications, can't he...? So that is the advantage?

Thanks!
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
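The ticket flow the two messages above describe, as an added example that is not part of this thread and not CAS's own code: a minimal in-memory Python model of the exchange. The CAS server issues a TGT on login (the value the TGC cookie carries) and short-lived, service-bound, one-time STs against it; applications only ever handle STs and validate them back at CAS over the back channel. The class names, the constructed user store and the two service URLs are assumptions for illustration. The scenario also shows the caveat sol myr raises: whoever holds the TGC can obtain STs for every application, until single sign-out destroys the TGT.

```python
import secrets
import time

USERS = {"alice": "correct horse battery staple"}  # constructed user store (assumption)


class CasServer:
    """Holds the TGT -> user map (the SSO session) and the outstanding STs."""

    def __init__(self, st_ttl_seconds=10.0):
        self.tgts = {}      # TGT (the value in the TGC cookie) -> username
        self.sts = {}       # ST -> (username, service, issue time)
        self.st_ttl = st_ttl_seconds

    def login(self, username, password):
        """Primary authentication; the returned TGT is what the TGC cookie carries."""
        if USERS.get(username) != password:
            return None
        tgt = "TGT-" + secrets.token_urlsafe(32)
        self.tgts[tgt] = username
        return tgt

    def issue_st(self, tgt, service):
        """The browser presents its TGC and gets an ST bound to one service."""
        username = self.tgts.get(tgt)
        if username is None:
            return None
        st = "ST-" + secrets.token_urlsafe(24)
        self.sts[st] = (username, service, time.monotonic())
        return st

    def validate(self, st, service):
        """Back-channel validation, called by the application, never the browser.

        The ST is consumed on first presentation (pop) whether or not the rest
        of the check passes, must match the service it was issued for, and must
        still be within its short lifetime."""
        entry = self.sts.pop(st, None)
        if entry is None:
            return None
        username, bound_service, issued_at = entry
        if bound_service != service:
            return None
        if time.monotonic() - issued_at > self.st_ttl:
            return None
        return username

    def logout(self, tgt):
        """Single sign-out: destroying the TGT stops all further ST issuance."""
        self.tgts.pop(tgt, None)


class Application:
    """Models the CAS ServletFilter: it only ever sees STs, never the TGT."""

    def __init__(self, name, cas):
        self.name = name
        self.cas = cas
        self.seen_sts = []  # everything a compromised app could capture

    def request(self, st):
        self.seen_sts.append(st)
        user = self.cas.validate(st, self.name)
        return (200, user) if user else (401, None)


def browser_visit(cas, tgt, app):
    """Redirect dance: the browser gets an ST for app from CAS and presents it."""
    return app.request(cas.issue_st(tgt, app.name))


def scenario():
    cas = CasServer()
    mail = Application("https://mail.example.edu/", cas)  # assumed service URLs
    wiki = Application("https://wiki.example.edu/", cas)
    tgt = cas.login("alice", "correct horse battery staple")

    results = {}
    results["mail_ok"] = browser_visit(cas, tgt, mail)
    results["wiki_ok"] = browser_visit(cas, tgt, wiki)
    # A compromised mail app replays the ST it saw: already consumed, rejected.
    results["replay_to_mail"] = mail.request(mail.seen_sts[-1])
    # Even a fresh, unused ST for mail is useless at the wiki: STs are service-bound.
    results["mail_st_at_wiki"] = wiki.request(cas.issue_st(tgt, mail.name))
    # The caveat from the thread: whoever holds the TGC gets STs for every app...
    results["stolen_tgt_wiki"] = browser_visit(cas, tgt, wiki)
    # ...until single sign-out destroys the TGT.
    cas.logout(tgt)
    results["after_logout"] = browser_visit(cas, tgt, wiki)
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:16s} -> {outcome}")
```

The point of the model is where each secret lives: the TGT never leaves the browser/CAS pair, so a compromised application holds nothing it can reuse, while the TGC remains the single credential whose theft is equivalent to the user's session, which is why it must be an HTTPS-only cookie and why SSOut has to invalidate it centrally.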
