Thanks Scott, The protocol document is concise and after reading it I guess the better questions are:
An Expired Single Sign On session cascades ticket expirations to the TGT and unused Proxy Tickets? i.e. same behaviour as an explicit logout of CAS? deanhe01 wrote: > > I am looking for clarification on the timeout dependency chain on the > ST/TGT/ProxyTickets > > My limited understanding of the sequence of events is(happy path...not the > unhappy one): > > User Hits a CAS protected page for the first time > User is redirected to the CAS login page > User Credentials are submitted to CAS > CAS generates a TGT > CAS generates a ST > CAS authenticates USER > ST is validated > User is redirected to the original URL > > Now, the user is merrily skipping along through the application... > > User accesses a service that requires a proxy ticket > The application uses the TGT to grab a proxy ticket > Proxy ticket is supplied to the service > The service validates the PT > User is happy and continues skipping along through the app > > Let's say the Service Ticket times out i.e. the SSO session expires. > > The user accesses a service that requires a proxy ticket > The application attempts to use the TGT to acquire a proxy ticket. > When the SSO session expires, all associated tickets are expired as > well, correct? > The user will be asked to log in again and a new ST and TGT will be > provided by CAS. It is the > application's responsibility to manage this scenario. > > > Default Service SSO session expiration time == TGT expiration time? > > Final question: > > Proxy Ticket is granted. > TGT expires before Proxy Ticket is used > Proxy Ticket is invald and the service being proxied will not validate > the PT? > > Thanks, > > Dean > > -- View this message in context: http://www.nabble.com/Looking-for-Clarification-on-ST-TGT-ProxyTicket-timeouts-tp24275776p24276180.html Sent from the CAS Users mailing list archive at Nabble.com. -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
