Hi there, Just double-checking as this seems like a challenging case otherwise ... are the multiple CAS servers essential, or is this an artifact of where your initial investigations led? CAS can handle multiple domains without multiple CAS servers (and you could proceed on more travelled routes to handle some of your other requirements).
Brian On Tue, Jan 31, 2012 at 2:34 PM, <[email protected]> wrote: > Hi All, > Someone please guide me to a possible solution. I struggled with a > sample/simple helloworld application, that should tell you where do I stand > on things CAS. Please explain in a few sentences what/how should I be > implementing this. > > Situation: > Two CAS servers, say parentCAS and childCAS, in two different domains, > both can be accessed independently. If a user is authenticated in parentCAS > and visits pages protected by the childCAS, the user should NOT be asked to > log in again (at the childCAS.), allowing the user to go directly to the > application in question. If the user has not been authenticated at the > parentCAS and access the apps at the childCAS side, s/he will need to get > authenticated by the childCAS. > > A successful authentication at the childCAS is not good enough for the > applications that are protected by parentCAS. So it is one way trust. About > the user repository, all the users in childCAS's user DB have accounts at > the parentCAS's user DB, only that records are not exact carbon copy. > Number of fields are different and I must consider cases like the same > person using different names (say, "Christopher Gibins" in parentCAS side > DB and "Chris Gibings"on the other. > > I have a little (theoretical) understanding of trust in multi-domain CAS, > thanks to John Field's article and some help from Marvin, Brian and others. > But this one, where do I start? I need keywords so that I can fine tune my > search. This issue may have been raised and solved!? > > A side question to John: is it (always?) necessary to get the ultimate > authentication at the local level in case of two different-domain CASes? In > your article, you mention that even though the home CAS issues an ST for > the "remote CAS application", the applications at the remote end trust > validation only from their own local CAS. What I am getting at is this: > Would it be necessary for the childCAS to eventually authenticate a > request using its own user repository? Some kind of mapping to a local > record once I am dead sure that the visitor has already been authenticated > at the genuine parentCAS? > > If I could ask more, I wish to have a "solution approach", just like > John's paper. Like if I need to write my own customPrincipalResolver.. > where to start? What do I need? On this though, I will also do my own > search (if it is "out" there). > > I came across a word "gateway". Would it solve my problem? (Andrew Petro's > response to Jeremy). This one also should be googleable. > > How do I make sure that the childCAS trust the validation ONLY from the > parentCAS? (In addition to a direct log in to the server of the childCAS) > Would it be possible for a bogus "parentCAS" to access a childCAS-protected > application and say, " I am your parentCAS, do let me in"? How do I prevent > it? > > Sorry for a long question. > > Thank you for taking time to read. > > Cheers. > > > > > > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
