Dean,

Let's back up a step and explain what the expiration policy on the different
service tickets means.

ST EXPIRATION POLICY

STs are granted whenever a user is redirected to the CAS server due to a CAS
protected application not recognizing him/her.  Once an ST is granted, there
should be a small window of time in which the user needs to present it to the
originating application for use in validating the user's identity.  The ST
shouldn't really expire unless you have a ridiculously small window and there
is network congestion.


TGT EXPIRATION POLICY

Once a user is logged in, they receive a TGT, which is used to prove s/he
has logged into CAS.  The only individuals who will ever see the TGT are the
CAS server and the user it was granted for.  When the TGT expires, they will
be required to log in.  By default, CAS is configured with an idle-based
expiration policy for TGTs.


PT / PGT EXPIRATION POLICY

These are merely equivalents of ST and TGT; just proxied.  I must admit we
don't use the proxy authentication feature, but it should work similarly to
ST and TGT.


QUESTIONS:

1. Yes, TGT expiration = SSO expiration
2. Yes, TGT expired = User must login as nothing should validate


HTH,
A-



On 6/30/09 12:02 PM, "deanhe01" <[email protected]> wrote:

> 
> I am looking for clarification on the timeout dependency chain on the
> ST/TGT/ProxyTickets
> 
> My limited understanding of the sequence of events is (happy path... not the
> unhappy one):
> 
>     User Hits a CAS protected page for the first time
>     User is redirected to the CAS login page
>     User Credentials are submitted to CAS
>     CAS generates a TGT
>     CAS generates a ST
>     CAS authenticates USER
>     ST is validated
>     User is redirected to the original URL
> 
> Now, the user is merrily skipping along through the application...
> 
>    User accesses a service that requires a proxy ticket
>    The application uses the TGT to grab a proxy ticket
>    Proxy ticket is supplied to the service
>    The service validates the PT
>    User is happy and continues skipping along through the app
> 
> Let's say the Service Ticket times out, i.e. the SSO session expires.
> 
>    The user accesses a service that requires a proxy ticket
>    The application attempts to use the TGT to acquire a proxy ticket.
>    When the SSO session expires, all associated tickets are expired as well,
> correct? 
>    The user will be asked to log in again and a new ST and TGT will be
> provided by CAS.  It is the
>    application's responsibility to manage this scenario.
> 
> 
> Default Service SSO session expiration time == TGT expiration time?
> 
> Final question:
> 
>    Proxy Ticket is granted.
>    TGT expires before Proxy Ticket is used
>    Proxy Ticket is invalid and the service being proxied will not validate
> the PT?
> 
> Thanks,
> 
> Dean

-- 
Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400
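To make the dependency chain discussed above concrete, here is a small toy model of ticket expiration. It is an added example, not CAS's own code: the policy classes are modeled on the two kinds of policy described in the reply (idle-based for TGT/PGT, a short time window plus a use limit for ST/PT) but use invented names, the timeout values are illustrative, and the rule that granting a child ticket counts as activity on its direct parent is an assumption of the model. It walks through Dean's scenario: a validated ST cannot be replayed, a PT is only as alive as the TGT behind it, and once the TGT's idle timeout has fired nothing below it grants or validates until the user logs in again.

```python
"""Toy model of CAS-style ticket expiration chains (added example, not CAS code)."""
from dataclasses import dataclass
from typing import Dict, Optional
import itertools


@dataclass
class Ticket:
    tid: str
    kind: str                      # "TGT", "ST", "PGT" or "PT"
    created: float                 # seconds on a simulated clock
    last_used: float
    uses: int = 0
    parent: Optional["Ticket"] = None   # ST/PGT -> TGT, PT -> PGT


class IdleExpirationPolicy:
    """Expires a ticket that has not been used for idle_seconds (TGT/PGT style)."""
    def __init__(self, idle_seconds: float):
        self.idle_seconds = idle_seconds

    def is_expired(self, t: Ticket, now: float) -> bool:
        return now - t.last_used > self.idle_seconds


class WindowAndUsePolicy:
    """Expires after ttl_seconds since grant, or after max_uses validations (ST/PT style)."""
    def __init__(self, ttl_seconds: float, max_uses: int):
        self.ttl_seconds = ttl_seconds
        self.max_uses = max_uses

    def is_expired(self, t: Ticket, now: float) -> bool:
        return now - t.created > self.ttl_seconds or t.uses >= self.max_uses


class TicketRegistry:
    def __init__(self, policies):
        self.policies = policies           # kind -> policy object
        self.tickets: Dict[str, Ticket] = {}
        self._seq = itertools.count(1)

    def _alive(self, t: Optional[Ticket], now: float) -> bool:
        # Walk up the chain: an expired ancestor invalidates every descendant.
        while t is not None:
            if self.policies[t.kind].is_expired(t, now):
                return False
            t = t.parent
        return True

    def grant(self, kind: str, now: float, parent_id: Optional[str] = None) -> Optional[str]:
        parent = None
        if parent_id is not None:
            parent = self.tickets.get(parent_id)
            if parent is None or not self._alive(parent, now):
                return None            # expired SSO session: nothing is granted
            parent.last_used = now     # assumption: granting a child is activity on the parent
        tid = f"{kind}-{next(self._seq)}"
        self.tickets[tid] = Ticket(tid, kind, now, now, parent=parent)
        return tid

    def validate(self, tid: str, now: float) -> bool:
        t = self.tickets.get(tid)
        if t is None or not self._alive(t, now):
            return False
        t.uses += 1
        t.last_used = now
        return True


def dean_scenario() -> dict:
    """Replays the sequence from the question on a simulated clock (constructed values)."""
    reg = TicketRegistry({
        "TGT": IdleExpirationPolicy(2 * 60 * 60),     # 2h idle timeout, illustrative
        "PGT": IdleExpirationPolicy(24 * 60 * 60),    # longer than the TGT to show chain failure
        "ST":  WindowAndUsePolicy(ttl_seconds=10, max_uses=1),
        "PT":  WindowAndUsePolicy(ttl_seconds=10, max_uses=1),
    })
    r = {}
    tgt = reg.grant("TGT", now=0)                          # user logs in
    st = reg.grant("ST", now=0, parent_id=tgt)
    r["st_first_validation"] = reg.validate(st, now=1)     # True
    r["st_replay"] = reg.validate(st, now=2)               # False: single use
    pgt = reg.grant("PGT", now=2, parent_id=tgt)
    pt = reg.grant("PT", now=3, parent_id=pgt)
    r["pt_validates"] = reg.validate(pt, now=4)            # True
    # PT granted just before the TGT idles out, used just after: the TGT is dead, so the PT is too.
    pt2 = reg.grant("PT", now=7195, parent_id=pgt)
    r["pt_after_tgt_expiry"] = reg.validate(pt2, now=7204)  # False, PT itself is still inside its window
    # Hours later the application tries for a fresh PT: the chain is dead, nothing is granted.
    r["pt_grant_after_sso_expiry"] = reg.grant("PT", now=3 * 60 * 60, parent_id=pgt)  # None
    # Re-login issues a new TGT and a new ST that validates again.
    new_tgt = reg.grant("TGT", now=3 * 60 * 60)
    new_st = reg.grant("ST", now=3 * 60 * 60, parent_id=new_tgt)
    r["st_after_relogin"] = reg.validate(new_st, now=3 * 60 * 60 + 1)  # True
    return r


if __name__ == "__main__":
    for k, v in dean_scenario().items():
        print(f"{k}: {v}")
```

The point of the chain walk in `_alive` is the answer to both of Dean's questions: the SSO session is the TGT, and a ticket further down the chain is never checked in isolation.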