> · CAS authenticates and calls back the app with the authenticated
> ticket.

CAS doesn't make callbacks during authentication. The _client_ contacts CAS with the ticket to validate it. The ticket is delivered to the client via a redirect using the URL that was in the service parameter of the redirect to CAS. Is that what you're describing?

> · So I think, no problem… I'll add self-signed certificates to each
> node and pass the node's hostname and port in the callback so that CAS will
> make the callback to the right node. But this is when I get "Authentication
> Failed: ticket 'ST-2-aQJM2bMCvJfcfj4M6hhR-cas' not recognized".

The service that validates the ticket must be the same as the one that initially requested the ticket. Based on your configuration, you're using the virtual hostname to obtain the ticket and the real hostname to validate it, which is not allowed by the server.

We have significant experience in HA setups here at Virginia Tech, and the only consideration we've found necessary for clustered clients is load balancer session affinity. Since the initial request to the client application and subsequent ticket delivery from CAS have the same source, the client's browser, session affinity guarantees that the same client node is accessed consistently.

The ticket validation step is trickier in clustered CAS server setups since the validation has a different source, the actual service, than the ticket request. In your case, however, it's a non-issue since the server is effectively a single node. If you ever decide to move to an active-active setup, you'll need to use a ticket registry suitable for access by multiple nodes such as the JpaTicketRegistry or JBossCacheTicketRegistry.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
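The reply above describes the service-ticket flow and why a ticket requested via the virtual (load-balancer) hostname cannot be validated using a node's real hostname. The following Python model is an added example, not code from the thread or from the CAS project, and it uses constructed hostnames, a constructed ticket format and constructed error strings; it simulates a CAS server binding each service ticket to the service URL that requested it, then shows a matching validation succeeding while a mismatched-service validation and a replayed ticket are both rejected.

```python
"""Added example: a minimal model of the CAS service-ticket (ST) flow.

All hostnames, ticket values and messages are constructed for illustration
and do not reproduce the real CAS server's wire format or exact error text.
"""
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class ServiceTicket:
    ticket_id: str
    service: str        # service URL the ticket was issued for
    issued_at: float


class CasServer:
    """Single-node CAS server with an in-memory ticket registry."""

    TICKET_TTL = 10.0   # seconds; real STs are short-lived and single-use

    def __init__(self):
        self._registry = {}

    def login(self, service):
        """Called after the user has authenticated at the CAS login page.

        Issues an ST bound to `service` and returns the URL CAS redirects the
        browser to: the service URL with the ticket appended. No callback is
        made; the browser carries the ticket back to the client application.
        """
        ticket_id = "ST-" + secrets.token_urlsafe(16)
        self._registry[ticket_id] = ServiceTicket(ticket_id, service, time.time())
        sep = "&" if "?" in service else "?"
        return f"{service}{sep}ticket={ticket_id}"

    def validate(self, service, ticket_id):
        """Model of /serviceValidate: the client sends the ticket plus the
        service URL it is validating for. Returns (ok, message)."""
        st = self._registry.pop(ticket_id, None)   # single-use: consumed on any attempt
        if st is None:
            return False, f"ticket '{ticket_id}' not recognized"
        if time.time() - st.issued_at > self.TICKET_TTL:
            return False, f"ticket '{ticket_id}' has expired"
        if st.service != service:
            # The validating service must equal the service that requested it.
            return False, f"ticket '{ticket_id}' does not match supplied service"
        return True, "ticket valid; user authenticated"


def extract_ticket(redirect_url):
    """Client side: pull the ticket parameter out of the redirect URL."""
    return parse_qs(urlsplit(redirect_url).query)["ticket"][0]


def run_scenario():
    """Exercise the three cases the thread touches on and return the outcomes."""
    cas = CasServer()
    virtual = "https://app.example.com/login"       # load-balancer name (constructed)
    real = "https://node1.example.com:8443/login"   # one backend node (constructed)
    results = {}

    # 1. Ticket requested and validated with the same service URL: accepted.
    ticket = extract_ticket(cas.login(virtual))
    results["same_service"] = cas.validate(virtual, ticket)[0]

    # 2. Ticket obtained via the virtual hostname but validated by a node using
    #    its real hostname: rejected, which is the failure described in the thread.
    ticket = extract_ticket(cas.login(virtual))
    results["mismatched_service"] = cas.validate(real, ticket)[0]

    # 3. Replay: a second validation of an already-consumed ticket is rejected.
    ticket = extract_ticket(cas.login(virtual))
    cas.validate(virtual, ticket)
    results["replay"] = cas.validate(virtual, ticket)[0]
    return results


if __name__ == "__main__":
    for case, ok in run_scenario().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The fix the model implies matches the advice in the reply: every client node must validate with the same service URL (the virtual hostname) that was used when requesting the ticket, and session affinity at the load balancer ensures the node that started the login is the one that receives the browser's redirect carrying the ticket.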
