Glad you found the paper useful. I agree with the post by Brian --- note that the assumption here is that you can point at the same LDAP, or you'll need a custom principal resolver.
To your questions.... In step 3, the Remote CAS requires a service ticket from the home CAS server (like any other application). There is a redirect to the home CAS server (on top of the initial redirect that was received from the remote domain CAS server). If not already logged in, the user must authenticate at their home CAS server. They then get redirected back to the remote CAS server with a ST for the service... in this case that service is... the *remote* CAS server. The Apache server with mod_auth_cas validates the service ticket and sets the HTTP header REMOTE_USER. The remote CAS server is deployed with the "Trusted Authentication Handler" and the modified Spring Web Flow. This means that the CAS login page is not presented. The presence of the REMOTE_USER header is sufficient to authenticate the user.

In step 5, the clever insight is that the query string parameters that get added to the user's requested URL as part of any redirect are nicely nested by CAS. (Think: push-down stack.) This means that the first (remote) CAS server gets a request with the original application service, say, ?service=http://my.application.edu and then the CAS client protecting the second CAS server takes that URL and adds another parameter, say, &service=https://my.other.cas.edu/cas/login. The local CAS server deals with that most recent service parameter and issues a ticket for the remote CAS server, and when that is all done, it redirects the user back to the first (remote) CAS, which then issues a ticket for the originally requested service, i.e. (?service=http://my.application.edu). Again, the query string request parameters are handled as a stack... push, push, pop, pop.

Hope this helps.

John

-- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
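The push/push/pop/pop nesting John describes, as an added example that is not part of the original thread or of CAS or mod_auth_cas code: it builds the two redirects, unwinds them the way each CAS server would, and adds a service-registry check that matches on scheme, host and path only, so the nested query string cannot change which service is allowed. The home CAS hostname is assumed; the other URLs are the placeholders from the thread.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder names from the thread plus one assumed home CAS host (constructed).
APP_SERVICE = "http://my.application.edu"
REMOTE_CAS_LOGIN = "https://my.other.cas.edu/cas/login"
HOME_CAS_LOGIN = "https://home.cas.example/cas/login"  # assumed, not from the thread


def push_service(cas_login_url: str, service: str) -> str:
    """What a CAS client does: redirect to the login URL with the callback as ?service=."""
    return f"{cas_login_url}?{urlencode({'service': service})}"


def pop_service(login_request_url: str) -> str:
    """What a CAS server does: read the single 'service' parameter it was given.

    Because the inner URL was percent-encoded on push, parse_qs decodes exactly one
    layer, so the nested service survives intact and is never mistaken for a second
    parameter of the outer request.
    """
    services = parse_qs(urlsplit(login_request_url).query).get("service", [])
    if len(services) != 1:
        raise ValueError("expected exactly one service parameter")
    return services[0]


def is_registered_service(service: str, registry: set) -> bool:
    """Service-registry check: compare scheme://host/path only, ignoring the query.

    The home CAS must only issue tickets for the registered remote CAS login URL;
    matching without the query means the nested ?service=... cannot widen the match.
    """
    u = urlsplit(service)
    return f"{u.scheme}://{u.netloc}{u.path}" in registry


def federated_login_chain():
    # push 1: the application sends the browser to the remote CAS login
    step1 = push_service(REMOTE_CAS_LOGIN, APP_SERVICE)
    # push 2: mod_auth_cas in front of the remote CAS sends the browser to the home
    # CAS, naming the remote CAS login request (query included) as the service
    step2 = push_service(HOME_CAS_LOGIN, step1)
    # pop 1: home CAS authenticates the user and issues a ST for its service
    svc_for_remote_cas = pop_service(step2)
    # pop 2: remote CAS, now trusting REMOTE_USER, issues a ST for its own service
    svc_for_app = pop_service(svc_for_remote_cas)
    return step2, svc_for_remote_cas, svc_for_app
```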
