I'm not sure I understand the question.

I think you're contemplating having two CAS server instances, in multiple 
domains, with applications validating service tickets against a 
different CAS server instance than the one users interact with in 
obtaining these tickets.  And then the idea is that this will work 
because the two CAS server instances are sharing ticket registry state 
via a shared database.

Am I understanding the proposed solution?


(Roughly, knee-jerk reaction is: "Don't do that."  CAS is meant to be a 
central authentication service.  Put it somewhere where users can use 
its UI to log in, and services making use of it can access its informal 
web services to validate service tickets, and it will simply work.)

Andrew



On 8/9/2011 12:01 AM, Glenn Mason wrote:
> I need help with sharing TGT cookie for single sign on across multiple 
> domains.
>
> We would like to have CAS sit in the DMZ requiring users to 
> authenticate prior to being reverse proxied to the application on the 
> internal network. The internal application uses a CAS authentication 
> filter.
>
> The plan is for CAS in the DMZ to write a ticket to a shared JDBC 
> Ticket Registry. When the user is proxied to the internal application, 
> the CASTGC cookie (TGT) ticket would be used for authentication. This 
> should allow the user to access the internal application as the CASTGC 
> cookie shows the user has already authenticated.
>
> Currently we are running into problems with sharing the CASTGC cookie 
> across multiple domains. The DMZ CASTGC cookie shows with domain of 
> xyz.com. As this is a different domain to the 
> internal CAS the CASTGC cookie is not used.
>
> We have tested using FireCookie to change the domain from the DMZ 
> domain to the internal domain and this logs in successfully.
>
> -- 
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
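
Added example, not part of the original thread: the RFC 6265 domain and path matching a browser applies before attaching a cookie, run against the CASTGC situation described in the quoted message. Every host name other than xyz.com, the /cas cookie path and the Secure flag are assumptions made for illustration.

```javascript
// Added example: RFC 6265 cookie matching applied to the CASTGC scenario.
// Host names other than xyz.com are constructed for illustration.

// RFC 6265 section 5.1.3: a host matches a cookie domain if it is identical,
// or if it is a host name (not an IP address) ending in "." + domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// RFC 6265 section 5.1.4: the request path must equal the cookie path or sit below it.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Decide whether a browser would attach `cookie` to a request for `url`.
function browserSendsCookie(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false;
  // A cookie set without a Domain attribute is host-only: exact host match.
  const hostOk = cookie.hostOnly
    ? u.hostname.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatch(u.hostname, cookie.domain);
  return hostOk && pathMatch(u.pathname, cookie.path);
}

// Constructed cookie: CASTGC as issued by the DMZ CAS server under xyz.com.
// The path and Secure values are assumed, not taken from the thread.
const castgc = { name: "CASTGC", domain: "xyz.com", path: "/cas", hostOnly: false, secure: true };

function demo() {
  return {
    dmzCas: browserSendsCookie(castgc, "https://cas.xyz.com/cas/login"),
    dmzApp: browserSendsCookie(castgc, "https://cas.xyz.com/app/home"),
    internalCas: browserSendsCookie(castgc, "https://cas.internal.example/cas/login"),
    plainHttp: browserSendsCookie(castgc, "http://cas.xyz.com/cas/login"),
  };
}

console.log(demo());
```

Under these assumptions the cookie is attached only to HTTPS requests for the CAS path on hosts under xyz.com; an application path on the same host and a CAS path on a host in another domain both receive nothing.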

