> Does it mean that if all my applications accessible over HTTPS even on
> different domains SSO will work?

The CAS clients can be on any number of domains; but there's no way to scope the CAS SSO cookie to anything other than the domain where the CAS server lives.

> I have network configuration, where I have firewall and balancer which
> receives https:// but in internal network redirect via http. Do you think it
> can be a problem or not?

The only requirement is that the hosts _think_ they are over a secure channel. The definitive test is that http://download.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#isSecure%28%29 returns true for a Java application. I don't operate in this kind of environment, but I believe there are configuration knobs you can turn to make the host believe it's secure even if the server connection handler isn't terminating SSL.

> Is it possible in test mode switch off "secure" flag?

Yes, see the SSL section of https://wiki.jasig.org/display/CASUM/Securing+Your+New+CAS+Server.

M
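One way to get `isSecure()` to return true behind a balancer that terminates TLS, as an added example that is not part of the original message or of CAS itself: a servlet filter that trusts a forwarded-protocol header only from the balancer. The class name, the `trustedProxies` init-param, the `X-Forwarded-Proto` header and port 443 are assumptions about the deployment.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter: reports a secure channel for requests the balancer received over HTTPS. */
public class TlsOffloadFilter implements Filter {
    // Assumption: comma-separated internal balancer addresses in init-param "trustedProxies".
    private final Set<String> trustedProxies = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("trustedProxies");
        if (param == null || param.trim().isEmpty()) {
            // Fail closed: without a proxy list the header could never be trusted.
            throw new ServletException("trustedProxies init-param is required");
        }
        for (String addr : param.split(",")) {
            trustedProxies.add(addr.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && !req.isSecure()) {
            HttpServletRequest http = (HttpServletRequest) req;
            // Honour the header only when the direct peer is the balancer;
            // any other client could set it to claim a secure channel.
            boolean fromBalancer = trustedProxies.contains(http.getRemoteAddr());
            String proto = http.getHeader("X-Forwarded-Proto"); // assumed header name
            if (fromBalancer && "https".equalsIgnoreCase(proto)) {
                req = new HttpServletRequestWrapper(http) {
                    @Override public boolean isSecure() { return true; }
                    @Override public String getScheme() { return "https"; }
                    @Override public int getServerPort() { return 443; } // assumed public port
                };
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The filter has to be mapped ahead of the application's own filters, and the internal HTTP port must not be reachable from outside the balancer's network.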
