We have CAS behind a load balancer with the SSL termination and it's working 
well. The only two issues we've experienced:

In the CAS default views the CAS server "sees" the connections as unsecured so 
it displays a warning message that the CAS server isn't configured correctly. 
You need to just comment out the check and warning.

If the servers can't browse the public alias then you can't use the public 
alias in cas.securityContext.ticketValidator.casServerUrlPrefix if you are 
going to use Service Management. On our servers we have this property set to 
localhost:8080


As Marvin states, you need to be absolutely certain no malicious users can 
possibly sniff the traffic between your load balancer and the CAS hosts.


-Andrew

On Nov 11, 2010, at 10:00 AM, Marvin Addison wrote:

>> what should be the values of the following configuration properties?
>> 
>> cas.properties
>> 
>> cas.securityContext.serviceProperties.service
>> cas.securityContext.casProcessingFilterEntryPoint.loginUrl
>> cas.securityContext.ticketValidator.casServerUrlPrefix
> 
> You probably want to point to the public alias,
> https://public-host/sso, for the URLs above.  On a related note, it is
> far more important that you understand the consequences of
> communicating from the content switch to the real CAS host in the
> clear.  The private network from the switch to CAS should be a
> trusted, secure network.  Frankly, I believe there are few of those.
> But if you insist that it's trusted and secure, you will need to make
> the following change in ticketGrantingTicketCookieGenerator.xml
> (assumes latest CAS version 3.4.3.1):
> 
> <bean id="ticketGrantingTicketCookieGenerator"
> class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
>  p:cookieSecure="false"
>  p:cookieMaxAge="-1"
>  p:cookieName="CASTGC"
>  p:cookiePath="/cas" />
> 
> The purpose is to set cookieSecure="false" since from the perspective of
> CAS the CASTGC SSO session cookie is delivered over plain HTTP.
> 
> M
> 
> -- 
> You are currently subscribed to [email protected] as: 
> [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
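
Added example (not part of either message above and not CAS project code): with p:cookieSecure="false" the CASTGC Set-Cookie header carries no Secure attribute, so it is worth checking what the browser actually receives on the public HTTPS side of the load balancer. The function name and the sample header values are constructed for illustration; the cookie name and path come from the bean quoted above.

```python
from http.cookies import SimpleCookie

COOKIE_NAME = "CASTGC"  # p:cookieName in the quoted bean
COOKIE_PATH = "/cas"    # p:cookiePath in the quoted bean


def audit_tgc(set_cookie_values):
    """Audit Set-Cookie header values captured on the public (HTTPS) side.

    Returns a list of findings; an empty list means nothing to report.
    """
    findings = []
    found = False
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        morsel = jar.get(COOKIE_NAME)
        if morsel is None:
            continue  # some other cookie, e.g. the container session cookie
        found = True
        if not morsel["secure"]:
            findings.append(
                "no Secure flag: browser will also send CASTGC over plain HTTP")
        if morsel["path"] != COOKIE_PATH:
            findings.append(
                "path is %r, expected %r" % (morsel["path"], COOKIE_PATH))
        if morsel["max-age"] or morsel["expires"]:
            findings.append(
                "persistent cookie: cookieMaxAge=-1 should give a session cookie")
    if not found:
        findings.append("no CASTGC cookie in response")
    return findings


# Constructed sample headers, not captured from a real server.
SAMPLE_INSECURE = [
    "JSESSIONID=0123456789ABCDEF; Path=/cas",
    "CASTGC=TGT-1-constructedSampleValue-cas; Path=/cas",
]
SAMPLE_SECURE = ["CASTGC=TGT-1-constructedSampleValue-cas; Path=/cas; Secure"]

if __name__ == "__main__":
    for label, sample in (("cookieSecure=false", SAMPLE_INSECURE),
                          ("Secure present", SAMPLE_SECURE)):
        print(label, "->", audit_tgc(sample) or "ok")
```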

