2010/4/19 Marvin Addison <[email protected]>:
> I believe it would be helpful to carefully review the CAS protocol
> documents at http://www.jasig.org/cas/protocol.  A solid understanding
> of the protocol will help put the following answers in better context.
>

Thank you Marvin for your answers. I am reading the protocol.

>
>> 1/ Is there a notion of session lifetime in CAS? How does it work?
>
> Yes.  The SSO session lifetime is controlled by the validity of the
> CAS ticket-granting ticket.
>

Does it mean that the validity is in the cookie?

>
>> Does this time depend on user activity?
>
> CAS supports several expiration policies out of the box, including
> sliding scale (default) and absolute.
>

OK. If I understand correctly, does a service ask the server to
validate the user's ticket-granting cookie for each user request?
During this process, I suppose that the session lifetime is updated,
isn't it?

>
>> I saw the class named org.jasig.cas.ticket.ExpirationPolicy. Is it
>> native or do I have to implement something?
>
> It's an interface that provides the expiration policy I mentioned
> above.  Several policies are provided by default, but it's also an
> extension point for creating a custom one if the available ones don't
> meet your needs.
>
>> 2/ Can a user authenticate anonymously, meaning that he
>> could get an anonymous ticket that can be transformed into a "user
>> authenticated" ticket when the user is authenticated?
>
> Tickets are _always_ associated with services.  By default CAS allows
> any service to obtain a ticket provided their ticket-granting ticket
> is valid.  CAS also supports whitelist authorization of services via
> the services management administration application,
> http://www.ja-sig.org/wiki/display/CASUM/Services+Management.
>

My use case is to allow an anonymous user (not authenticated on the
server) to have a unique identifier for all services. An identity
could then be associated with this identifier. The idea is to let the
CAS server manage this unique identifier associated with the session. In
fact, this will allow us to know that a unique anonymous user went to
application A from application B, for example (both using CAS). It
could be implemented by an anonymous URI on the server, such as
"/anonymous".

>
>> 3/ Does CAS support attributes requests ?
>
> CAS supports attribute release via the SAML 1.1 protocol.  See
> http://www.ja-sig.org/wiki/display/CASUM/SAML+1.1 and
> http://www.ja-sig.org/wiki/display/CASUM/Attributes for more
> information.
>

Great. Should my service use the ticket-granting ticket to retrieve
different information about the user?

Thomas.

-- 
Thomas Chemineau
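
The difference between the sliding-scale and absolute expiration policies mentioned in this thread, as an added Python model that is not part of the original message and is not CAS code. `TicketState`, the policy functions and the 2-hour/8-hour values are constructed for illustration, and the model assumes the ticket's last-use time is refreshed only at the listed use times.

```python
from dataclasses import dataclass
from functools import partial

HOUR = 3600
IDLE_TIMEOUT = 2 * HOUR   # constructed value, not a CAS default
MAX_LIFETIME = 8 * HOUR   # constructed value, not a CAS default

@dataclass
class TicketState:
    """Hypothetical stand-in for a ticket-granting ticket's timing state."""
    created: float
    last_used: float

def sliding_expired(t, now, idle_timeout):
    # Sliding scale: expiry is measured from the last use, so each use extends it.
    return now - t.last_used > idle_timeout

def absolute_expired(t, now, max_lifetime):
    # Absolute: expiry is measured from creation; use never extends it.
    return now - t.created > max_lifetime

def capped_sliding_expired(t, now, idle_timeout, max_lifetime):
    # Hypothetical combination: idle timeout plus a hard cap on total lifetime.
    return sliding_expired(t, now, idle_timeout) or absolute_expired(t, now, max_lifetime)

def still_valid(expired, use_times, check_at):
    """Replay uses of a ticket created at t=0; report validity at check_at."""
    t = TicketState(created=0.0, last_used=0.0)
    for now in sorted(use_times):
        if now > check_at:
            break
        if expired(t, now):
            return False          # ticket already dead; this use is rejected
        t.last_used = now         # a successful use refreshes the idle clock
    return not expired(t, check_at)

SLIDING = partial(sliding_expired, idle_timeout=IDLE_TIMEOUT)
ABSOLUTE = partial(absolute_expired, max_lifetime=MAX_LIFETIME)
CAPPED = partial(capped_sliding_expired, idle_timeout=IDLE_TIMEOUT, max_lifetime=MAX_LIFETIME)

# Constructed activity patterns (seconds after login).
HOURLY_FOR_12H = [h * HOUR for h in range(1, 13)]
ONE_USE_THEN_IDLE = [1 * HOUR]

if __name__ == "__main__":
    for name, policy in [("sliding", SLIDING), ("absolute", ABSOLUTE), ("capped", CAPPED)]:
        print(name, still_valid(policy, HOURLY_FOR_12H, 12 * HOUR),
              still_valid(policy, ONE_USE_THEN_IDLE, 4 * HOUR))
```

With hourly use, the sliding policy keeps the session valid past 12 hours, while the absolute and capped policies end it once the 8-hour lifetime is exceeded.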
