Hi Damien, I'm not 100% sure about this, but I think the problem you will run into has to do with what the cookie store is. When you open up Firefox and login to a CASified application, Firefox stores a cookie which it presents to the CAS server when another web application needs to authenticate. However, if you open up Internet Explorer and connect to that second web application, the cookie doesn’t exist from IE's perspective and CAS forces you to re-authenticate. This is the same kind of problem that you're going to run into.
It might be possible to work around this, but I'm not sure whether this would be considered a best practice from a security perspective. If the ClickOnce deploy page is CASified (i.e., the user needed to login to your web app before they could click the link that launches the application), you could theoretically tweak that page to get a proxy ticket and pass it into the ClickOnce application via querystring (see: http://msdn.microsoft.com/en-us/library/ms172242.aspx). Your application would then be able to parse the proxy ticket out and verify it using HttpWebRequest or WebClient in the application code. Keep in mind though that your users would always need to launch the application from the web application in order to get the proxy ticket. In other words, you couldn't configure the ClickOnce app to allow local installations (Start Menu). It would always need to be launched through the CASified web app. -ScottH > -----Original Message----- > From: Damien Azambourg [mailto:[email protected]] > Sent: Monday, March 15, 2010 4:56 AM > To: [email protected] > Subject: [cas-user] Does CAS offer SSO between web applications AND a > .NET fat client deployed with click once ? > > Hello, > > We would like to know if CAS is able to offer a SSO between, in one > hand, web applications (J2EE, .NET) and, in the other end, .NET fat > client deployed with Click.Once of Microsoft and launched from a > browser. > > Currently, the .NET fat client shows a form in the GUI of the fat > client and communicates a login/pwd to IIS. > > In fact, we don't know how to do SSO between theses two worlds (thin > clients and fat clients) and we are hoping CAS can do it. > > Thanks and Regards, > > Damien > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see http://www.ja- > sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
