On Tue, Jun 30, 2009 at 1:25 PM, deanhe01 <[email protected]> wrote:
> > Thanks Scott, > > The protocol document is concise and after reading it I guess the better > questions are: > > An Expired Single Sign On session cascades ticket expirations to the TGT > and unused Proxy Tickets? > > > i.e. same behaviour as an explicit logout of CAS? Yes, if a TGT is expired, every ticket issued based on that TGT is also considered invalid. Cheers, Scott > > > > deanhe01 wrote: > > > > I am looking for clarification on the timeout dependency chain on the > > ST/TGT/ProxyTickets > > > > My limited understanding of the sequence of events is(happy path...not > the > > unhappy one): > > > > User Hits a CAS protected page for the first time > > User is redirected to the CAS login page > > User Credentials are submitted to CAS > > CAS generates a TGT > > CAS generates a ST > > CAS authenticates USER > > ST is validated > > User is redirected to the original URL > > > > Now, the user is merrily skipping along through the application... > > > > User accesses a service that requires a proxy ticket > > The application uses the TGT to grab a proxy ticket > > Proxy ticket is supplied to the service > > The service validates the PT > > User is happy and continues skipping along through the app > > > > Let's say the Service Ticket times out i.e. the SSO session expires. > > > > The user accesses a service that requires a proxy ticket > > The application attempts to use the TGT to acquire a proxy ticket. > > When the SSO session expires, all associated tickets are expired as > > well, correct? > > The user will be asked to log in again and a new ST and TGT will be > > provided by CAS. It is the > > application's responsibility to manage this scenario. > > > > > > Default Service SSO session expiration time == TGT expiration time? > > > > Final question: > > > > Proxy Ticket is granted. > > TGT expires before Proxy Ticket is used > > Proxy Ticket is invald and the service being proxied will not validate > > the PT? > > > > Thanks, > > > > Dean > > > > > > -- > View this message in context: > http://www.nabble.com/Looking-for-Clarification-on-ST-TGT-ProxyTicket-timeouts-tp24275776p24276180.html > Sent from the CAS Users mailing list archive at Nabble.com. > > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
