On Thu, May 12, 2011 at 5:34 AM, Jamie Johnson <[email protected]> wrote:
> Thanks Bill.
>
> Let me give a few more details, because I still have questions.
>
> My JS application is in a widget container secured by CAS which I have no
> control over.  Each widget is an entirely separate web page.  My web
> application is currently not secured by CAS, but I could certainly add that
> if it makes things easier.  Essentially, the outer container provides the
> CAS Auth.
>
> So all of that being said if I am reading your response correctly my JS
> application would make a request to:

Not exactly... :)    Here's another take at it:

The web app that is serving up the JS client must be protected by CAS.
  Getting the PGT is handled by the CAS client on the server side.
Your server side code then uses the CAS Client to get a PT for
OpenFire and embeds the PT in the JS Client which you then serve up to
the browser.  Once at the browser the JS client sends the PT to
OpenFire.  OpenFire validates the PT and gets the username from the
CAS response.

Bill



>
> https://foo.bar.com/is/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=http://localhost/bling
>
> but how do I obtain the ticket from my JS code?
>
> assuming I have the ticket, this will give me the username.
>
> next I make a request to
>
> https://foo.bar.com/is/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=http://localhost/bling&pgtUrl=https://foo.bar.com/pgtCallback
>
> which will result in a PGTIOU.
>
> The PGT will be delivered to https://foo.bar.com/pgtCallback.  Using this I
> make a request to
>
> https://foo.bar.com/is/cas/proxy?targetService=http://localhost/bongo&pgt=PGT-330-CSdUc5fCBz3g8KDDiSgO5osXfLMj9sRDAI0xDLg7jPn8gZaDqS
>
> The client will then have a PT.
>
> It feels like I am missing something because I hadn't expected so many steps
> in order to be able to get the username and some token by which openfire
> could say that a user had been authenticated by cas.  Reading
> http://www.jasig.org/cas/proxy-authentication the example of the email
> client seems synonymous with what I'm trying to do, but I suppose that's
> doing the same things just not providing the details since it says the
> portal takes its PGT and to get a PT which it then gives to the IMAP
> server.
>
> If I have said something incorrectly or if there is something I am missing
> please let me know.  Any information is appreciated.
>
>
> On Wed, May 11, 2011 at 9:05 PM, William G. Thompson, Jr. <[email protected]>
> wrote:
>>
>> Assuming the web page that is serving up the chat client is protected
>> with CAS...
>> * after authN and before you serve up the chat client, obtain a proxy
>> ticket (PT) for openfire via the PGT
>> * pass the PT to the chat client
>> * the chat client sends the PT to openfire
>> * CASified openfire (CASAuthProvider) validates the PT and gets back
>> "valid ticket for username proxied thru chatclient"
>>
>> https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough
>>
>> Best,
>> Bill
>>
>> On Wed, May 11, 2011 at 4:52 PM, Jamie Johnson <[email protected]> wrote:
>> > My organization is currently using CAS to provide SSO and are also using
>> > a
>> > custom thin client chat application (developed using Strophe.js) to
>> > communicate to an openfire server.  We have now been asked to look at
>> > making
>> > the chat login also use SSO.  I have googled a bit looking for solutions
>> > and
>> > the only thing I have found seems to point at writing a custom
>> > AuthProvider
>> > on the Openfire side and having the client pass the username and the
>> > ticket
>> > to openfire for authentication.  I can see in theory how this would
>> > work
>> > but I don't see how from the JavaScript side I can get access to the
>> > username and ticket to use to verify the user has been authenticated in
>> > CAS.  Is there a way to do this from JavaScript?  If not is there a more
>> > appropriate way to attempt this?
>> >
>> > --
>> > You are currently subscribed to [email protected] as:
>> > [email protected]
>> > To unsubscribe, change settings or access archives, see
>> > http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>>

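The flow described in the reply above, as an added example that is not part of the original thread and is not CAS client or Openfire code: the web app trades its PGT for a PT at `/proxy`, and the Openfire side validates the PT at `/proxyValidate` and accepts the username only when the proxy chain names a trusted application. The function names, the sample XML, the ticket values and the username are constructed, and the proxy is assumed to be identified by the `pgtUrl` from the thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"cas": "http://www.yale.edu/tp/cas"}       # CAS 2.0 XML namespace
CAS = "https://foo.bar.com/is/cas"               # CAS prefix used in the thread
OPENFIRE = "http://localhost/bongo"              # targetService used in the thread

# Constructed sample responses (ticket values and username are made up).
PROXY_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:proxySuccess><cas:proxyTicket>PT-1-constructed</cas:proxyTicket></cas:proxySuccess>
</cas:serviceResponse>"""
VALIDATE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:proxies><cas:proxy>https://foo.bar.com/pgtCallback</cas:proxy></cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
VALIDATE_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

def proxy_url(pgt):
    """Web app, server side: request that trades the PGT for a PT for Openfire."""
    return CAS + "/proxy?" + urlencode({"targetService": OPENFIRE, "pgt": pgt})

def parse_proxy_response(xml_text):
    """Return the PT to embed in the served page; raise if CAS issued none."""
    pt = ET.fromstring(xml_text).findtext("cas:proxySuccess/cas:proxyTicket", namespaces=NS)
    if not pt or not pt.strip():
        raise ValueError("CAS did not issue a proxy ticket")
    return pt.strip()

def validate_url(pt):
    """Openfire side: service must match the targetService the PT was issued for."""
    return CAS + "/proxyValidate?" + urlencode({"service": OPENFIRE, "ticket": pt})

def parse_validation(xml_text, trusted_proxies):
    """Return the username only for a success response proxied by a trusted app."""
    ok = ET.fromstring(xml_text).find("cas:authenticationSuccess", NS)
    if ok is None:
        raise PermissionError("ticket rejected by CAS")
    user = (ok.findtext("cas:user", namespaces=NS) or "").strip()
    chain = [(p.text or "").strip() for p in ok.findall("cas:proxies/cas:proxy", NS)]
    if not user or not chain or chain[0] not in trusted_proxies:
        raise PermissionError("ticket not proxied through a trusted application")
    return user

if __name__ == "__main__":
    print(validate_url(parse_proxy_response(PROXY_OK)))
    print(parse_validation(VALIDATE_OK, {"https://foo.bar.com/pgtCallback"}))
```

The PGT never leaves the server in this flow; only the PT, scoped to the Openfire service, reaches the browser.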