We have an application that does SSO between a "fat client" written in flex (running in flash plugin) and the browser. In our case, the flex application authenticates using the CAS RESTful API and then pushes the TGT into the browser's cookie cache using javascript (this is something of a simplification due to flex limitations.)
An alternative to pushing the TGT into the web browser that I can see would be to retrieve the ST (via the restful api) for the URL that you are trying to access via the browser and launch the browser with the ST attached. This won't help if you need to go from service to service within the browser. (All of this does run afoul of the "all authentication via the browser only" view). David Ohsie EMC Corporation > -----Original Message----- > From: Scott M. Holodak [mailto:[email protected]] > Sent: Monday, March 15, 2010 12:14 PM > To: [email protected] > Subject: RE: [cas-user] Does CAS offer SSO between web > applications AND a .NET fat client deployed with click once ? > > > Sure you could. In the local install (start menu) launch, the app > > could just request the user's credentials and authN > directly against > > CAS. > > The only problem with authenticating in the client app is that the > client app can't [easily] initiate an SSO session and pass > proxy tickets > back to web browsers. It would have to listen for a pgtIOU > from the CAS > server in order to be able to generate proxy tickets. On the other > hand, if all users start out on the web and end up in the app, the > browser that they started out in should have SSO between apps. Your > best bet might be to install shortcuts on the desktops that > point to the > ClickOnce deploy page. > > I say "can't easily" above because it _could_ be done, but is more > complicated. > > Let's rule out the possibility where the ClickOnce app would act as an > SSL-enabled web server which, aside from being nearly impossible > infrastructure-wise (business policy, firewalls, SSL cert/DNS, NAT > routing/UPnP issues), is very difficult to accomplish in a ClickOnce > app. Listening for HTTP traffic in a ClickOnce would require admin > rights and UAC considerations--ClickOnce+UAC is tricky. The app needs > to be signed with a commercial code-signing cert or a > code-signing cert > trusted by all possible clients. > > The only other viable option that I can think of is to setup a helper > web server to act as the PgtUrl on your client's behalf and takes care > of the PgtIou-to-Pgt ticket resolution during the validation. Your > client app would then need to check-in with the server a shortly after > validating the ticket to get the PGT back. I'm not familiar > enough with > the protocol to know whether this is possible/allowed. > > -Scott > > > -----Original Message----- > > From: William G. Thompson, Jr. [mailto:[email protected]] > > Sent: Monday, March 15, 2010 11:07 AM > > To: [email protected] > > Subject: Re: [cas-user] Does CAS offer SSO between web applications > AND > > a .NET fat client deployed with click once ? > > > > On Mon, Mar 15, 2010 at 10:27 AM, Scott M. Holodak > > <[email protected]> wrote: > > > Hi Damien, > > > > > > I'm not 100% sure about this, but I think the problem you will run > > into has to do with what the cookie store is. When you open up > Firefox > > and login to a CASified application, Firefox stores a > cookie which it > > presents to the CAS server when another web application needs to > > authenticate. However, if you open up Internet Explorer and connect > to > > that second web application, the cookie doesn't exist from IE's > > perspective and CAS forces you to re-authenticate. This is the same > > kind of problem that you're going to run into. > > > > > > It might be possible to work around this, but I'm not sure whether > > this would be considered a best practice from a security > perspective. > > If the ClickOnce deploy page is CASified (i.e., the user needed to > > login to your web app before they could click the link that launches > > the application), you could theoretically tweak that page to get a > > proxy ticket and pass it into the ClickOnce application via > querystring > > (see: http://msdn.microsoft.com/en-us/library/ms172242.aspx). Your > > application would then be able to parse the proxy ticket out and > verify > > it using HttpWebRequest or WebClient in the application > code. Keep in > > mind though that your users would always need to launch the > application > > from the web application in order to get the proxy ticket. In other > > words, you couldn't configure the ClickOnce app to allow local > > installations (Start Menu). It would always need to be launched > > through the CASified web app. > > > > > > Bill > > > > > > > > > > -ScottH > > > > > > > > >> -----Original Message----- > > >> From: Damien Azambourg [mailto:[email protected]] > > >> Sent: Monday, March 15, 2010 4:56 AM > > >> To: [email protected] > > >> Subject: [cas-user] Does CAS offer SSO between web > applications AND > > a > > >> .NET fat client deployed with click once ? > > >> > > >> Hello, > > >> > > >> We would like to know if CAS is able to offer a SSO > between, in one > > >> hand, web applications (J2EE, .NET) and, in the other > end, .NET fat > > >> client deployed with Click.Once of Microsoft and launched from a > > >> browser. > > >> > > >> Currently, the .NET fat client shows a form in the GUI of the fat > > >> client and communicates a login/pwd to IIS. > > >> > > >> In fact, we don't know how to do SSO between theses two worlds > (thin > > >> clients and fat clients) and we are hoping CAS can do it. > > >> > > >> Thanks and Regards, > > >> > > >> Damien > > >> -- > > >> You are currently subscribed to [email protected] as: > > >> [email protected] > > >> To unsubscribe, change settings or access archives, see > > http://www.ja- > > >> sig.org/wiki/display/JSG/cas-user > > > > > > -- > > > You are currently subscribed to [email protected] as: > > [email protected] > > > To unsubscribe, change settings or access archives, see > > http://www.ja-sig.org/wiki/display/JSG/cas-user > > > > -- > > You are currently subscribed to [email protected] as: > > [email protected] > > To unsubscribe, change settings or access archives, see > http://www.ja- > > sig.org/wiki/display/JSG/cas-user > > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
