Dear all,

We have questions about flows around CAS and about our own production rules, which we have to follow for Internet applications hosted in our DMZ.

In fact, we have identified 2 kinds of flow:
1st. flows between the user and the CAS server or a CAS-ified application
2nd. flows between the CAS server and a CAS-ified application

The 1st kind of flow is not a problem: the user uses the Internet address of the CAS server and of the CAS-ified applications.

But the 2nd one annoys us. The flows corresponding to the 2nd kind are:
2a. Call from a CAS-ified application to the CAS server to validate a service ticket.
2b. Call from the CAS server to a CAS-ified application to push the proxy granting ticket to /proxy/receptor.
2c. Call from the CAS server to a CAS-ified application with the Logout Request for Single Sign-Out.

According to our production rules, those calls (server to server) must not go through the Internet zone. They must be done directly server to server, by opening an internal route and port on the firewall if needed, and by using different addresses that are only reachable internally, not from the Internet.

For example, users use https://mycasifiedapp.mycorp.com/ and https://cas.mycorp.com/cas/
But the CAS server and the CAS-ified servers call each other with internal addresses or server IP addresses. For example, https://cas-s2s.dmz.com/validate and https://mycasifiedapp-s2s.dmz.com/proxy/receptor
Note: s2s means server-to-server

About these flows, we have seen that:
2a. It seems to be possible to set another address than the Internet address of the CAS server with the casServerLoginUrl parameter.
=> But is it really suitable to do this?
2b. It seems to be possible to set another address than the Internet address of the CAS-ified application with the proxyCallbackUrl parameter.
=> But is it really suitable to do this?
2c. It seems not to be possible, because the URL used to send the Logout Request is the service URL of the CAS-ified application, which is the Internet address.
=> Did we miss a parameter?

In summary: Is it possible to set different addresses for these calls between the CAS server and the CAS-ified applications than the Internet addresses? Otherwise, do we have to think about developing our own extension of the CAS server and CAS client in order to do that and to follow our production rules?
I hope what I am asking is understandable!

Thanks and Best Regards
Damien

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
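The three server-to-server exchanges listed above (2a ticket validation, 2b proxy callback, 2c single sign-out), shown as an added Python example; this is not code from the post, from Damien, or from the CAS project. The internal names cas-s2s.dmz.com and mycasifiedapp-s2s.dmz.com are taken from the post as assumptions, the XML bodies are constructed samples in the CAS 2.0 serviceValidate and CAS 3.x SAML LogoutRequest shapes, and nothing is sent over the network. What it is meant to make visible is the split that matters for the question: the host the application connects to for validation and the pgtUrl it hands to CAS can be internal names, but the service parameter of the validation request must stay the public URL the browser was redirected with (otherwise CAS answers INVALID_SERVICE), and the single sign-out request goes to that same recorded service URL, which is why no parameter for it exists. The CAS protocol also requires pgtUrl to be HTTPS with a certificate the CAS server trusts, so the internal names need proper certificates too.

```python
"""Added example (not from the post or the CAS project): user-facing vs. server-to-server
CAS addresses. Hostnames are assumptions taken from the mailing-list post; XML bodies
are constructed samples."""
from urllib.parse import urlencode, urlsplit, parse_qs
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Addresses the browser uses (flow 1); tickets are issued for PUBLIC_SERVICE.
PUBLIC_CAS_PREFIX = "https://cas.mycorp.com/cas"
PUBLIC_SERVICE = "https://mycasifiedapp.mycorp.com/"
# Server-to-server addresses: assumed internal-only names from the post.
INTERNAL_CAS_PREFIX = "https://cas-s2s.dmz.com/cas"
INTERNAL_PROXY_CALLBACK = "https://mycasifiedapp-s2s.dmz.com/proxy/receptor"


def is_acceptable_s2s_url(url):
    """Server-to-server endpoints must be HTTPS: CAS will not deliver a PGT to a
    non-HTTPS pgtUrl, and a validation answer fetched over plain HTTP could be forged."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


def login_redirect_url(service=PUBLIC_SERVICE, cas_prefix=PUBLIC_CAS_PREFIX):
    """Flow 1: where the browser is redirected. This stays the public CAS address."""
    return cas_prefix + "/login?" + urlencode({"service": service})


def service_validate_url(ticket, service=PUBLIC_SERVICE,
                         cas_prefix=INTERNAL_CAS_PREFIX,
                         pgt_url=INTERNAL_PROXY_CALLBACK):
    """Flow 2a (plus the pgtUrl that triggers 2b): the application's validation call.

    Only the host being connected to changes. `service` must remain the public URL
    the ticket was issued for, otherwise CAS answers INVALID_SERVICE. `pgtUrl` is
    the address CAS will call back with the PGT, so it is the internal name.
    """
    for url in (cas_prefix, pgt_url):
        if not is_acceptable_s2s_url(url):
            raise ValueError("server-to-server URL must be https: " + url)
    query = urlencode({"service": service, "ticket": ticket, "pgtUrl": pgt_url})
    return cas_prefix + "/serviceValidate?" + query


def parse_service_response(xml_text):
    """Parse a CAS 2.0 serviceValidate response; on success returns user and PGTIOU."""
    root = ET.fromstring(xml_text)
    ok = root.find("{%s}authenticationSuccess" % CAS_NS)
    if ok is not None:
        return {"success": True,
                "user": ok.findtext("{%s}user" % CAS_NS),
                "pgt_iou": ok.findtext("{%s}proxyGrantingTicket" % CAS_NS)}
    fail = root.find("{%s}authenticationFailure" % CAS_NS)
    return {"success": False,
            "code": fail.get("code") if fail is not None else "UNKNOWN"}


def handle_proxy_callback(query_string, pgt_store):
    """Flow 2b: CAS calls GET {pgtUrl}?pgtIou=...&pgtId=... on the internal name.

    The receptor only records the IOU -> PGT mapping; the application later looks up
    the PGTIOU it received in the validation response to obtain the real PGT.
    """
    params = parse_qs(query_string)
    iou = params.get("pgtIou", [None])[0]
    pgt = params.get("pgtId", [None])[0]
    if not iou or not pgt:
        return False  # nothing to store
    pgt_store[iou] = pgt
    return True


def parse_logout_request(logout_request_xml):
    """Flow 2c: CAS POSTs a SAML LogoutRequest (form field `logoutRequest`) to the
    service URL recorded with the ticket, i.e. the public address; the protocol has no
    separate callback parameter. SessionIndex carries the service ticket id, which the
    application maps back to the HTTP session it must invalidate."""
    root = ET.fromstring(logout_request_xml)
    return root.findtext("{%s}SessionIndex" % SAMLP_NS)


# Constructed sample messages (not captured from a real CAS server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>damien</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d2sfa23casd</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

LOGOUT_XML = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="LR-1-sample" Version="2.0" IssueInstant="2009-01-01T00:00:00Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1856339-aA5Yuvrxzpv8Tau1cYQ7</samlp:SessionIndex>
</samlp:LogoutRequest>"""

if __name__ == "__main__":
    print(login_redirect_url())
    print(service_validate_url("ST-1856339-aA5Yuvrxzpv8Tau1cYQ7"))
    print(parse_service_response(SUCCESS_XML), parse_service_response(FAILURE_XML))
    store = {}
    handle_proxy_callback("pgtIou=PGTIOU-84678-8a9d2sfa23casd&pgtId=TGT-2-sample", store)
    print(store)
    print(parse_logout_request(LOGOUT_XML))
```

Mapping this onto the Java CAS client's filter parameters: the ticket validation filters take the CAS address from casServerUrlPrefix, while casServerLoginUrl is only the target of the browser redirect, so the internal name belongs in casServerUrlPrefix and the public one in casServerLoginUrl; proxyCallbackUrl is what the client sends as pgtUrl, so the internal name is correct there provided the CAS server trusts its certificate. For single sign-out there is nothing to configure on the client: the request arrives at whatever service URL the ticket was issued for, which is the public one.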
