I can't speak for OpenSSO as I don't know their protocol, but we have the notion of both a TGT and the ST. The TGT is ONLY shared between the browser and the CAS server so that nothing else has access to the SSO session. STs are issued to each application to allow them a one-time token for authentication (so they can't try and pretend the person requested access later).
In addition, allowing an application to redirect to CAS to obtain a ST vs. reading a shared cookie allows CAS to support applications across a diverse range of domains instead of just under the same domain.

-Scott

On Thu, Feb 19, 2009 at 5:34 AM, sol myr <[email protected]> wrote:
> Hi,
>
> I'm very new to CAS/SSO, and was wondering about its design choice.
> I'd be grateful if someone has the time to explain:
>
> I gather CAS flow is essentially:
> - Browser authenticates to the SSO server, and receives a reusable TGC cookie.
> - With this TGC, it can now obtain one-time STs (ST per application).
> - With the ST, the browser can connect to the application (the ServletFilter validates the ST against the SSO server).
>
> Now, I had a look at OpenSSO. I'm a newbie there too, but I *think* OpenSSO has a shorter flow, kind of like a "reusable ST" shared for all applications:
> - Browser authenticates to the SSO server, and receives a reusable SsoToken cookie.
> - With this SsoToken, the browser can connect to all applications (the ServletFilter validates the SsoToken against the SSO server).
>
> So I was wondering - why did CAS designers prefer the more 'sophisticated' flow?
> The best I could come up with was, that if some eavesdropping Bad Guy gets hold of an ST (in CAS), he can only break into a single application, and even that requires speed and luck (because ST is one-time)... but then again, if Bad Guy gets hold of the TGC, he can still break into all applications, can't he...? So that is the advantage?
>
> Thanks!
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
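The TGT/ST split that Scott describes is easiest to see in a toy ticket registry. The following is an added example written for this thread, not code from the CAS project or from either poster; the class and method names (CasServer, issue_st, validate) and the lifetimes are assumptions chosen for illustration, and the toy consumes a service ticket on its first validation attempt whatever the outcome. It models the properties the thread argues about: the TGT never leaves the browser/CAS pair, each ST is bound to one service URL, is single-use and short-lived, and stops working once the TGT behind it is gone.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed toy model of the CAS ticket flow. Lifetimes are assumed values.
TGT_TTL = 8 * 3600   # reusable ticket-granting ticket, seconds
ST_TTL = 10          # service tickets are meant to be redeemed immediately


@dataclass
class ServiceTicket:
    tgt_id: str      # which SSO session minted it
    service: str     # the one application URL it is valid for
    issued_at: float


class CasServer:
    """Toy CAS-style server; `clock` is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tgts = {}   # tgt_id -> (username, issued_at); shared only with the browser
        self.sts = {}    # st_id -> ServiceTicket; one entry per outstanding ST

    def login(self, username):
        """Browser authenticates once and gets the TGT (set as the TGC cookie)."""
        tgt_id = "TGT-" + secrets.token_urlsafe(24)
        self.tgts[tgt_id] = (username, self.clock())
        return tgt_id

    def issue_st(self, tgt_id, service):
        """Browser presents its TGT and asks for an ST for exactly one service."""
        entry = self.tgts.get(tgt_id)
        if entry is None or self.clock() - entry[1] > TGT_TTL:
            self.tgts.pop(tgt_id, None)   # expired or unknown session
            return None
        st_id = "ST-" + secrets.token_urlsafe(24)
        self.sts[st_id] = ServiceTicket(tgt_id, service, self.clock())
        return st_id

    def validate(self, st_id, service):
        """The application (e.g. its servlet filter) checks the ST it received.

        Returns the username on success, None otherwise. The ST is removed on
        the first attempt regardless of outcome, so a replayed copy is useless.
        """
        st = self.sts.pop(st_id, None)
        if st is None:
            return None                                   # unknown or already used
        if st.service != service:
            return None                                   # minted for a different app
        if self.clock() - st.issued_at > ST_TTL:
            return None                                   # too old to redeem
        username, _ = self.tgts.get(st.tgt_id, (None, None))
        return username                                   # None if the TGT is gone

    def logout(self, tgt_id):
        """Ending the SSO session invalidates every ST that depends on it."""
        self.tgts.pop(tgt_id, None)


def run_demo():
    """Walk through the cases the thread raises and return the outcomes."""
    now = [1_000_000.0]
    cas = CasServer(clock=lambda: now[0])
    tgt = cas.login("alice")
    app_a, app_b = "https://app-a.example/", "https://app-b.example/"

    st = cas.issue_st(tgt, app_a)
    first = cas.validate(st, app_a)          # legitimate redemption
    replay = cas.validate(st, app_a)         # same ST seen twice: rejected

    st2 = cas.issue_st(tgt, app_a)
    wrong_service = cas.validate(st2, app_b) # ST for app A presented to app B

    st3 = cas.issue_st(tgt, app_a)
    now[0] += ST_TTL + 1
    expired = cas.validate(st3, app_a)       # redeemed too late

    cas.logout(tgt)
    after_logout = cas.issue_st(tgt, app_a)  # no TGT, no new STs

    return {"first": first, "replay": replay, "wrong_service": wrong_service,
            "expired": expired, "after_logout": after_logout}


if __name__ == "__main__":
    print(run_demo())
```

Only the first validation yields a user; a replayed, mis-routed, or stale ST yields nothing, and once the TGT is gone no further STs can be minted. That is the asymmetry in the thread: an intercepted ST is worth at most one login to one application within a few seconds, whereas the TGT is the session itself, which is why it is confined to the browser/CAS exchange.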
