Hi All,
Someone please guide me to a possible solution. I struggled with a
sample/simple helloworld application, that should tell you where do I stand on
things CAS. Please explain in a few sentences what/how should I be implementing
this.
Situation:
Two CAS servers, say parentCAS and childCAS, in two different domains, both can
be accessed independently. If a user is authenticated in parentCAS and visits
pages protected by the childCAS, the user should NOT be asked to log in again
(at the childCAS.), allowing the user to go directly to the application in
question. If the user has not been authenticated at the parentCAS and access
the apps at the childCAS side, s/he will need to get authenticated by the
childCAS.
A successful authentication at the childCAS is not good enough for the
applications that are protected by parentCAS. So it is one way trust. About the
user repository, all the users in childCAS's user DB have accounts at the
parentCAS's user DB, only that records are not exact carbon copy. Number of
fields are different and I must consider cases like the same person using
different names (say, "Christopher Gibins" in parentCAS side DB and "Chris
Gibings"on the other.
I have a little (theoretical) understanding of trust in multi-domain CAS,
thanks to John Field's article and some help from Marvin, Brian and others. But
this one, where do I start? I need keywords so that I can fine tune my search.
This issue may have been raised and solved!?
A side question to John: is it (always?) necessary to get the ultimate
authentication at the local level in case of two different-domain CASes? In
your article, you mention that even though the home CAS issues an ST for the
"remote CAS application", the applications at the remote end trust validation
only from their own local CAS. What I am getting at is this: Would it be
necessary for the childCAS to eventually authenticate a request using its own
user repository? Some kind of mapping to a local record once I am dead sure
that the visitor has already been authenticated at the genuine parentCAS?
If I could ask more, I wish to have a "solution approach", just like John's
paper. Like if I need to write my own customPrincipalResolver.. where to start?
What do I need? On this though, I will also do my own search (if it is "out"
there).
I came across a word "gateway". Would it solve my problem? (Andrew Petro's
response to Jeremy). This one also should be googleable.
How do I make sure that the childCAS trust the validation ONLY from the
parentCAS? (In addition to a direct log in to the server of the childCAS) Would
it be possible for a bogus "parentCAS" to access a childCAS-protected
application and say, " I am your parentCAS, do let me in"? How do I prevent it?
Sorry for a long question.
Thank you for taking time to read.
Cheers.
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
