I thought I was in wrong forum, so I jumped the ship :)
(Marvin, please comment here when you can. Thanks.)
//------------------------------
I was trying to learn how to trust a remote CAS server's authentication so that
once authenticated through a local CAS, the user does not need to see that
log-in screen again.
Then I found J. Field's excellent paper and read it and I understood it a
little better. (I have yet to do the implementation.)
But I do not still have a clear picture what happens at the non-local (remote)
CAS server. Let me explain below what I learnt from Field's article.
1. A locally authenticated user accesses a remote, CAS-protected application.
2. Remote application checks with remote CAS.
3. Remote CAS has an Apache front end with mod_auth_cas set up, and there is
something in the URL header ("REMOTE"?) that makes the remote CAS forward the
request to the origin, that is, the remote CAS asks the local CAS for a ticket.
4. Local CAS issues a service ticket (ST) to remote CAS. The key here is to
treat remote CAS server as an application. So for the local CAS, it is just
like issuing an ST for an "application".
5. Upon seeing that the request has an ST, the remote CAS then issues a ticket
granting cookie (TGC), which is returned to the browser, and also issues an ST
good for remote application.
6. Remote application is happy because for it, the authentication came from
their "local" CAS, in which they trust. Hence, SSO is realized (no second log
in necessary.)
Question:
At no. 5 above, how does the remote CAS know how to trust the visitor? The
visitor only has an ST (not for any particular application, but for "remote CAS
application" as a whole), and perhaps user ID? Validation against the remote
database should not be possible because the request string does not contain
password.
Or the remote location's user repository won't be consulted at all in this
scheme?
What are the necessary and sufficient conditions for the remote CAS to issue ST
and TGC for visitors who are authenticated at other location(s)?
(In my case, both the local and the remote domains have exact same copy of user
repository.)
Thank you for taking time to read and for your comments.
Cheers.
//-----
J. Field's article:
http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&ved=0CBsQFjAA&url=https%3A%2F%2Fwiki.jasig.org%2Fdownload%2Fattachments%2F48596744%2FHow%2Bto%2BTrust%2BAnother%2BCAS%2BServer.pdf%3Fversion%3D1%26modificationDate%3D1321479461428&ei=0e7cTtiqGOKHmQXd4OnTCw&usg=AFQjCNH5FlhDZHU_oHBOCj-rg_WtLMT4IA
or you can google for "How to Trust Another CAS Server"
--o0o--
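As an added illustration (not code from the post, from Field's paper or from Jasig CAS), a Python simulation of the six steps above: the remote CAS is registered at the local CAS as an ordinary service, and the trust decision at step 5 is the back-channel /serviceValidate call that the mod_auth_cas front end makes to the local CAS, which returns only a username and never a password. Server names, URLs and the ticket lifetime are constructed values.

```python
import secrets
import time


class CasServer:
    """Minimal CAS-style ticket issuer/validator (simulation only)."""

    def __init__(self, name, st_ttl=10):
        self.name = name
        self.tgts = {}        # TGC cookie value -> username
        self.sts = {}         # ST -> (username, bound service URL, issued_at)
        self.st_ttl = st_ttl  # seconds an unconsumed ST stays valid

    def create_sso_session(self, user):
        """Issue a TGC for a user this server now considers authenticated."""
        tgc = "TGC-" + secrets.token_urlsafe(16)
        self.tgts[tgc] = user
        return tgc

    def issue_st(self, tgc, service):
        """/login?service=...: with a valid TGC, issue an ST bound to that service."""
        user = self.tgts.get(tgc)
        if user is None:
            raise PermissionError(f"{self.name}: no SSO session, login screen would be shown")
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (user, service, time.time())
        return st

    def service_validate(self, service, ticket):
        """/serviceValidate: server-to-server check; ST is single-use, service-bound, short-lived."""
        entry = self.sts.pop(ticket, None)   # pop: a replayed ticket validates nothing
        if entry is None:
            return None
        user, bound_service, issued = entry
        if bound_service != service or time.time() - issued > self.st_ttl:
            return None
        return user


def trust_flow(local, remote, tgc_local, remote_cas_url, remote_app_url):
    """Steps 1-6 of the post: the remote CAS is just a service of the local CAS."""
    # Steps 1-3: remote app -> remote CAS -> (mod_auth_cas) -> local CAS, service=remote CAS URL.
    st_for_remote_cas = local.issue_st(tgc_local, remote_cas_url)
    # Step 4/5: mod_auth_cas validates that ST against the local CAS. This is the whole
    # trust check: no password, no lookup in the remote user repository is needed.
    remote_user = local.service_validate(remote_cas_url, st_for_remote_cas)
    if remote_user is None:
        raise PermissionError("local CAS rejected the ticket; remote CAS must not trust it")
    # Step 5: remote CAS starts its own SSO session (TGC) and issues an ST for the app.
    tgc_remote = remote.create_sso_session(remote_user)
    st_for_app = remote.issue_st(tgc_remote, remote_app_url)
    # Step 6: the remote app validates with its own CAS as usual.
    return remote.service_validate(remote_app_url, st_for_app)
```

The remote user repository is consulted only if the remote CAS wants to resolve attributes for the asserted username; the identity itself comes from the local CAS's validation response.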