I believe it would be helpful to carefully review the CAS protocol documents at http://www.jasig.org/cas/protocol. A solid understanding of the protocol will help put the following answers in better context.
> 1/ Is there a notion of session lifetime in CAS ? How it works ? Yes. The SSO session lifetime is controlled by the validity of the CAS ticket-granting ticket. > Is this time depending of user activity ? CAS supports several expiration policies out of the box, including sliding scale (default) and absolute. > I saw th class named org.jasig.cas.ticket.ExpirationPolicy, is it > native or do I have to implement something ? It's an interface that provides the expiration policy I mentioned above. Several policies are provided by default, but it's also an extension point for creating a custom one if the available ones don't meet your needs. > 2/ Does a user can authenticate itself anonymously, it means that he > could get a anonymous ticket that can be transform in a "user > authenticated" ticket when user is authenticated ? Tickets are _always_ associated with services. By default CAS allows any service to obtain a ticket provided their ticket-granting ticket is valid. CAS also supports whitelist authorization of services via the services management administration application, http://www.ja-sig.org/wiki/display/CASUM/Services+Management. > 3/ Does CAS support attributes requests ? CAS supports attribute release via the SAML 1.1 protocol. See http://www.ja-sig.org/wiki/display/CASUM/SAML+1.1 and http://www.ja-sig.org/wiki/display/CASUM/Attributes for more information. M -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
