Hi, I'm left wondering: up a layer of abstraction, why is this parent-child relationship desirable and necessary? What user stories are driving this?
What are you really trying to do? That might be another interesting conversation. Not that I'm not sorely tempted to jump into thinking about the nitty gritty of accomplishing this parent-child relationship.

Andrew

On Jan 31, 2012, at 2:34 PM, [email protected] wrote:

> Hi All,
> Someone please guide me to a possible solution. I struggled with a sample/simple helloworld application; that should tell you where I stand on things CAS. Please explain in a few sentences what/how I should be implementing this.
>
> Situation:
> Two CAS servers, say parentCAS and childCAS, in two different domains, both can be accessed independently. If a user is authenticated in parentCAS and visits pages protected by the childCAS, the user should NOT be asked to log in again (at the childCAS), allowing the user to go directly to the application in question. If the user has not been authenticated at the parentCAS and accesses the apps at the childCAS side, s/he will need to get authenticated by the childCAS.
>
> A successful authentication at the childCAS is not good enough for the applications that are protected by parentCAS. So it is one-way trust. About the user repository, all the users in childCAS's user DB have accounts at the parentCAS's user DB, only the records are not exact carbon copies. The number of fields is different and I must consider cases like the same person using different names (say, "Christopher Gibins" in the parentCAS side DB and "Chris Gibings" on the other).
>
> I have a little (theoretical) understanding of trust in multi-domain CAS, thanks to John Field's article and some help from Marvin, Brian and others. But this one, where do I start? I need keywords so that I can fine-tune my search. This issue may have been raised and solved!?
>
> A side question to John: is it (always?) necessary to get the ultimate authentication at the local level in case of two different-domain CASes? In your article, you mention that even though the home CAS issues an ST for the "remote CAS application", the applications at the remote end trust validation only from their own local CAS. What I am getting at is this: Would it be necessary for the childCAS to eventually authenticate a request using its own user repository? Some kind of mapping to a local record once I am dead sure that the visitor has already been authenticated at the genuine parentCAS?
>
> If I could ask more, I wish to have a "solution approach", just like John's paper. Like if I need to write my own customPrincipalResolver, where to start? What do I need? On this, though, I will also do my own search (if it is "out" there).
>
> I came across a word "gateway". Would it solve my problem? (Andrew Petro's response to Jeremy.) This one also should be googleable.
>
> How do I make sure that the childCAS trusts the validation ONLY from the parentCAS? (In addition to a direct log in to the server of the childCAS.) Would it be possible for a bogus "parentCAS" to access a childCAS-protected application and say, "I am your parentCAS, do let me in"? How do I prevent it?
>
> Sorry for a long question.
>
> Thank you for taking time to read.
>
> Cheers.
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
