Hello,

Thanks for your answers.

Here is some news about our attempt to do SSO between a .NET fat client and 
web applications:
We have followed some of the advice. As for the rest, we keep it in mind, such as 
what is done with flex and the CAS RESTful API.

In fact, fortunately, the user must always go to a J2EE portal which will be 
CASified. 
Once authenticated, users can launch underlying applications such as the dotNET 
fat client.
And fortunately again, the fat client must always be launched from this portal 
(so from IE). As a consequence, we can give a proxy ticket in the QueryString of 
the launch URL of the FatClient, as suggested, which will be validated in the 
back-end by calling CAS.

More details below.

So, we have 3 applications:
1. A J2EE application acting as a business portal and giving access to the 2 
following applications.
2. A dotNet application divided into 2 parts: a dotNet Fat Client deployed with 
ClickOnce and requesting web services hosted on IIS.
=> Currently, the user authenticates on the dotNet fat client GUI by giving an 
ID/Password sent over SSL to IIS. He doesn't authenticate on IIS pages.
3. Another J2EE application...

The user must go to the portal first and then go to the underlying applications 
such as the dotNet application.
The following lines concern only CAS, the Portal and the dotNet 
applications (fat client and IIS):

0. User goes to a CASified J2EE application which should act as a business 
Portal
1. User is redirected to the CAS web site because he is not authenticated
2. User authenticates on the CAS web site 
3. User is redirected to the Portal which currently shows only a link to run 
the .NET fat client
4. By clicking on it, User calls the redirect.jsp page of the Portal which calls 
"assertion.getPrincipal().getProxyTicketFor(http://myIIS/myfatclient)" and then 
redirects the user with a Location response header to: 
http://myIIS/myfatclient.application?PT=TS-xxx, giving the PT ticket in the QueryString
5. The .NET Fat client is downloaded and started on the workstation. Now, we are 
outside IE. At start, the client sends the PT ticket by calling a Web Service on IIS
6. On IIS, in the Web service code, DotNetCASClient.dll (0.2) is used to ask 
the CAS server for the user ID with the help of the given PT and the service 
http://myIIS/myfatclient.application, by using the 
DotNetCASClientProxyValidate.Authenticate method

Have you got any comments about this? Did we miss something about CAS?

We keep on working on our tests with CAS and we will ask new questions today on 
another subject.

Thanks and regards, 

Damien
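
The validation the IIS web service performs at step 6, as an added Python example (not code from this thread, from DotNetCASClient or from the portal): it builds the CAS 2.0 /proxyValidate request for the service named in steps 4 and 6, parses the response, and only accepts a PT whose proxy chain starts at the portal, which is the check that keeps a PT minted by some other CAS client from being replayed against the web service. The CAS base URL, the portal's proxy-callback URL and the sample responses are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "{http://www.yale.edu/tp/cas}"                    # CAS 2.0 response namespace
CAS_BASE = "https://cas.example.org/cas"                     # assumed CAS server URL
SERVICE = "http://myIIS/myfatclient.application"             # service from steps 4 and 6
PORTAL_PGT_URL = "https://portal.example.org/proxyCallback"  # assumed portal pgtUrl

def proxy_validate_url(ticket, service=SERVICE, cas_base=CAS_BASE):
    """URL the web service calls to validate the PT the fat client handed it.
    The service must be exactly the one the portal requested the PT for."""
    return cas_base + "/proxyValidate?" + urlencode({"service": service, "ticket": ticket})

def check_proxy_validate(xml_text, allowed_proxies=(PORTAL_PGT_URL,)):
    """Parse a CAS 2.0 proxyValidate response and return the user id, or None
    when the ticket must be rejected: authenticationFailure, missing user,
    or a proxy chain whose most recent entry (listed first by CAS) is not a
    proxy we trust to act on the user's behalf."""
    root = ET.fromstring(xml_text)
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None:
        return None
    user = success.findtext(CAS_NS + "user")
    if not user:
        return None
    chain = [p.text.strip() for p in success.iter(CAS_NS + "proxy") if p.text]
    if not chain or chain[0] not in allowed_proxies:
        return None
    return user

# Constructed sample responses: a PT proxied by the portal, a bad ticket,
# and a PT proxied by some other CAS client that should not be trusted.
OK_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>damien</cas:user>
    <cas:proxies><cas:proxy>https://portal.example.org/proxyCallback</cas:proxy></cas:proxies>
  </cas:authenticationSuccess></cas:serviceResponse>"""
BAD_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket PT-xxx not recognized
  </cas:authenticationFailure></cas:serviceResponse>"""
ROGUE_RESPONSE = OK_RESPONSE.replace("portal.example.org/proxyCallback",
                                     "other.example.net/proxyCallback")

if __name__ == "__main__":
    print(proxy_validate_url("PT-xxx"))
    for r in (OK_RESPONSE, BAD_RESPONSE, ROGUE_RESPONSE):
        print(check_proxy_validate(r))
```

Because the PT travels in the launch URL's query string, it also lands in IIS and proxy logs, so it should be consumed exactly once and never reused as a session identifier.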
> Message of 21/03/10 23:37
> From: [email protected]
> To: [email protected]
> Cc: 
> Subject: RE: [cas-user] Does CAS offer SSO between web applications AND a .NET 
> fat client deployed with click once ?
>
> 
> We have an application that does SSO between a "fat client" written in
> flex (running in flash plugin) and the browser. In our case, the flex
> application authenticates using the CAS RESTful API and then pushes the
> TGT into the browser's cookie cache using javascript (this is something
> of a simplification due to flex limitations.) 
> 
> An alternative to pushing the TGT into the web browser that I can see
> would be to retrieve the ST (via the restful api) for the URL that you
> are trying to access via the browser and launch the browser with the ST
> attached. This won't help if you need to go from service to service
> within the browser.
> 
> (All of this does run afoul of the "all authentication via the browser
> only" view).
> 
> David Ohsie
> EMC Corporation
> 
> 
> > -----Original Message-----
> > From: Scott M. Holodak [mailto:[email protected]] 
> > Sent: Monday, March 15, 2010 12:14 PM
> > To: [email protected]
> > Subject: RE: [cas-user] Does CAS offer SSO between web 
> > applications AND a .NET fat client deployed with click once ?
> > 
> > > Sure you could. In the local install (start menu) launch, the app
> > > could just request the user's credentials and authN directly against
> > > CAS.
> > 
> > The only problem with authenticating in the client app is that the
> > client app can't [easily] initiate an SSO session and pass proxy tickets
> > back to web browsers. It would have to listen for a pgtIOU from the CAS
> > server in order to be able to generate proxy tickets. On the other
> > hand, if all users start out on the web and end up in the app, the
> > browser that they started out in should have SSO between apps. Your
> > best bet might be to install shortcuts on the desktops that point to the
> > ClickOnce deploy page.
> > 
> > I say "can't easily" above because it _could_ be done, but is more
> > complicated.
> > 
> > Let's rule out the possibility where the ClickOnce app would act as an
> > SSL-enabled web server which, aside from being nearly impossible
> > infrastructure-wise (business policy, firewalls, SSL cert/DNS, NAT
> > routing/UPnP issues), is very difficult to accomplish in a ClickOnce
> > app. Listening for HTTP traffic in a ClickOnce would require admin
> > rights and UAC considerations--ClickOnce+UAC is tricky. The app needs
> > to be signed with a commercial code-signing cert or a code-signing cert
> > trusted by all possible clients. 
> > 
> > The only other viable option that I can think of is to set up a helper
> > web server to act as the PgtUrl on your client's behalf and take care
> > of the PgtIou-to-Pgt ticket resolution during the validation. Your
> > client app would then need to check in with the server shortly after
> > validating the ticket to get the PGT back. I'm not familiar enough with
> > the protocol to know whether this is possible/allowed.
> > 
> > -Scott
> > 
> > > -----Original Message-----
> > > From: William G. Thompson, Jr. [mailto:[email protected]]
> > > Sent: Monday, March 15, 2010 11:07 AM
> > > To: [email protected]
> > > Subject: Re: [cas-user] Does CAS offer SSO between web applications AND
> > > a .NET fat client deployed with click once ?
> > > 
> > > On Mon, Mar 15, 2010 at 10:27 AM, Scott M. Holodak
> > > wrote:
> > > > Hi Damien,
> > > >
> > > > I'm not 100% sure about this, but I think the problem you will run
> > > > into has to do with what the cookie store is. When you open up Firefox
> > > > and login to a CASified application, Firefox stores a cookie which it
> > > > presents to the CAS server when another web application needs to
> > > > authenticate. However, if you open up Internet Explorer and connect to
> > > > that second web application, the cookie doesn't exist from IE's
> > > > perspective and CAS forces you to re-authenticate. This is the same
> > > > kind of problem that you're going to run into.
> > > >
> > > > It might be possible to work around this, but I'm not sure whether
> > > > this would be considered a best practice from a security perspective.
> > > > If the ClickOnce deploy page is CASified (i.e., the user needed to
> > > > login to your web app before they could click the link that launches
> > > > the application), you could theoretically tweak that page to get a
> > > > proxy ticket and pass it into the ClickOnce application via querystring
> > > > (see: http://msdn.microsoft.com/en-us/library/ms172242.aspx). Your
> > > > application would then be able to parse the proxy ticket out and verify
> > > > it using HttpWebRequest or WebClient in the application code. Keep in
> > > > mind though that your users would always need to launch the application
> > > > from the web application in order to get the proxy ticket. In other
> > > > words, you couldn't configure the ClickOnce app to allow local
> > > > installations (Start Menu). It would always need to be launched
> > > > through the CASified web app.
> > > 
> > > 
> > > Bill
> > > 
> > > 
> > > >
> > > > -ScottH
> > > >
> > > >
> > > >> -----Original Message-----
> > > >> From: Damien Azambourg [mailto:[email protected]]
> > > >> Sent: Monday, March 15, 2010 4:56 AM
> > > >> To: [email protected]
> > > >> Subject: [cas-user] Does CAS offer SSO between web applications AND a
> > > >> .NET fat client deployed with click once ?
> > > >>
> > > >> Hello,
> > > >>
> > > >> We would like to know if CAS is able to offer SSO between, on the one
> > > >> hand, web applications (J2EE, .NET) and, on the other hand, a .NET fat
> > > >> client deployed with Click.Once of Microsoft and launched from a
> > > >> browser.
> > > >>
> > > >> Currently, the .NET fat client shows a form in the GUI of the fat
> > > >> client and communicates a login/pwd to IIS.
> > > >>
> > > >> In fact, we don't know how to do SSO between these two worlds (thin
> > > >> clients and fat clients) and we are hoping CAS can do it.
> > > >>
> > > >> Thanks and Regards,
> > > >>
> > > >> Damien
> > > >> --
> > > >> You are currently subscribed to [email protected] as:
> > > >> [email protected]
> > > >> To unsubscribe, change settings or access archives, see
> > > >> http://www.ja-sig.org/wiki/display/JSG/cas-user