OK. I've read up on CAS proxying. I see how that would normally work, but I don't see anything about proxying included in the CAS REST API <https://wiki.jasig.org/display/CASUM/RESTful+API> doc. Is it possible to get PGTs, PGTIOUs, and PTs with REST calls?

From: Scott Battaglia [mailto:[email protected]]
Sent: Tuesday, March 29, 2011 11:40 AM
To: [email protected]
Cc: Eric Turley; Debbie Rinkevich
Subject: Re: [cas-user] SSO and CAS ReST API setup
Importance: High

Essentially you're not allowed to share TGTs. We can try and guide you a bit more with some more details. I.e. traditionally, webapp would CAS authenticate, and get a PGT. It would then generate a PT for Client 1. Client 1 would receive a PT from webapp

Cheers,
Scott

On Tue, Mar 29, 2011 at 12:17 PM, Eric Turley <[email protected]> wrote:

I've seen the proxy documentation on the wiki and cas homepage, but haven't read it (was hoping I wouldn't need to). So unless there are documents OTHER than those, I'll just dig in and get back to you if necessary.

From: Scott Battaglia [mailto:[email protected]]
Sent: Tuesday, March 29, 2011 11:10 AM
To: [email protected]
Subject: Re: [cas-user] SSO and CAS ReST API setup
Importance: High

If you want a web application to access other services on behalf of the user then you should be using CAS's proxy authentication methods. Are you familiar with those at all? If not, I can find the appropriate documents.

Cheers,
Scott

On Tue, Mar 29, 2011 at 12:05 PM, Eric Turley <[email protected]> wrote:

Sorry, I'm not understanding clearly what you're saying. (Or, possibly, I'm not properly explaining what I'm trying to say)

More concretely, the two Clients in my "diagram" are both using ReST calls to the Webapp. So neither is actually a browser. I'm not sure if that was a misunderstanding. Does that change anything?

And, tho you don't support it, can the Webapp get the TGT and pass it around to Clients to be re-used for authentication without the user having to provide credentials again? (Or do you mean to say, "We don't support this; you're on your own"? Which is perfectly valid, just asking.)

From: Scott Battaglia [mailto:[email protected]]
Sent: Monday, March 28, 2011 8:46 PM
To: [email protected]
Subject: Re: [cas-user] SSO and CAS ReST API setup
Importance: High

The CAS Restful API does not support User-Agent (i.e. browser) single sign on. We do not support another application passing credentials to the CAS server.

On Mon, Mar 28, 2011 at 10:50 AM, Eric Turley <[email protected]> wrote:

I want to use the CAS ReST API in a way that supports SSO. The setup we have is not ideal, but I want to try to support it as is for the moment. Our scenario is as follows:

1. Client1 makes an authz call (including username/password credentials) to Webapp, which makes an auth ReST call to CAS (http://localhost:9010/cas/v1/tickets), acquiring the TGT.
2. I'd like Client1 to pass the TGT to Client2 so it can ...
3. Client2 makes ReST calls to the WebApp (for whatever it needs), passing the TGT. Internally, Webapp will use that to authenticate Client2 with CAS.

+---+
|CAS|
+---+------+------+
           |WebApp|
           '------+
     1 Auth/      \3 Auth
          /        \w/TGT
         /    ->    \
+-------+ 2 Pass TGT +-------+
|Client1|------------|Client2|
+-------+            +-------+

I'm really pretty confused about CAS, so likely, I'm going about this all wrong. Please advise. :) (Tho, I'm limited by the public API in use by the WebApp clients.)

Eric Turley | Sr. Platform Engineer | UTV Ignition Games

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
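
Added example, not part of the original thread and not CAS project code: the traditional proxy flow described in the thread (the webapp holds a PGT and hands out a PT instead of sharing a TGT), written against the standard CAS 2.0 protocol responses rather than the REST API. The server URL, ticket values, user name and the PgtStore helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"cas": "http://www.yale.edu/tp/cas"}   # CAS 2.0 response namespace
CAS_BASE = "https://cas.example.org/cas"     # assumed server URL

# Constructed sample responses in the CAS 2.0 XML format.
VALIDATE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>user1</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-1-constructed</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
PROXY_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:proxySuccess><cas:proxyTicket>PT-1-constructed</cas:proxyTicket></cas:proxySuccess>
</cas:serviceResponse>"""

class PgtStore:
    """Hypothetical helper: pairs the PGTIOU from validation with the PGT
    that CAS delivers out of band to the webapp's HTTPS pgtUrl callback."""
    def __init__(self):
        self._pgt_by_iou = {}
    def on_callback(self, pgt_iou, pgt_id):
        self._pgt_by_iou[pgt_iou] = pgt_id
    def redeem(self, pgt_iou):
        # pop() makes each PGTIOU usable once; unknown IOUs yield None
        return self._pgt_by_iou.pop(pgt_iou, None)

def parse_validation(xml_text):
    """Return (user, PGTIOU) from a /serviceValidate response."""
    ok = ET.fromstring(xml_text).find("cas:authenticationSuccess", NS)
    if ok is None:
        raise ValueError("ticket validation failed")
    return ok.findtext("cas:user", None, NS), ok.findtext("cas:proxyGrantingTicket", None, NS)

def proxy_url(pgt, target_service):
    """Build the /proxy request that trades the PGT for a service-scoped PT."""
    return CAS_BASE + "/proxy?" + urlencode({"targetService": target_service, "pgt": pgt})

def parse_proxy_ticket(xml_text):
    pt = ET.fromstring(xml_text).findtext("cas:proxySuccess/cas:proxyTicket", None, NS)
    if pt is None:
        raise ValueError("proxy ticket request failed")
    return pt

def demo():
    store = PgtStore()
    store.on_callback("PGTIOU-1-constructed", "PGT-1-constructed")  # callback arrives first
    user, iou = parse_validation(VALIDATE_XML)
    pgt = store.redeem(iou)          # the PGT never leaves the webapp
    url = proxy_url(pgt, "https://backend.example.org/api")
    return user, url, parse_proxy_ticket(PROXY_XML)  # only the PT is handed on
```

The downstream service validates the PT against CAS itself, so neither the TGT nor the PGT has to be passed between clients.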
