To Andrew and Brian:
Believe me if it were not necessary, I would not have written such a long
email. I do not have sufficient knowledge to create a pure hypothetical case
and enjoy doing it.
I am sorry, but I cannot divulge where I am trying to implement this solution.
For an example, how about this scenario:
Several huge ("mother") institutions participate in a project. The project
maintains its own independent childCAS server/ authentication database because
its users are not only (some of the) members of the mother institutions (with
parentCAS), but also people who are not affiliated with any parentCAS
instititions, like freelancers. Now these people at the parentCAS instititions
do their thing in their home application servers, but sometimes they want to
check something which is available ONLY in the project with childCAS. And they
don't want to be bothered by another set of log in screens. The reverse is not
desirable. People who are authenticated by the childCAS of the project cannot
be given the privilege to access parentCAS protected apps running at the mother
institutions. The mother institutions have way more and varied applications
running under their parentCAS.
Does it make sense?
> or is this an artifact of where your initial investigations led?
No.
I had not understood what I needed to do in the beginning! Now, I know better :)
Cheers.
--- On Wed, 2012/2/1, b savage <[email protected]> wrote:
Hi there,
Just double-checking as this seems like a challenging case otherwise ...
are the multiple CAS servers essential, or is this an artifact of where your
initial investigations led? CAS can handle multiple domains without multiple
CAS servers (and you could proceed on more travelled routes to handle some of
your other requirements).
Brian
On Tue, Jan 31, 2012 at 2:34 PM, <[email protected]> wrote:
Hi All,
Someone please guide me to a possible solution. I struggled with a
sample/simple helloworld application, that should tell you where do I stand on
things CAS. Please explain in a few sentences what/how should I be implementing
this.
Situation:
Two CAS servers, say parentCAS and childCAS, in two different domains, both can
be accessed independently. If a user is authenticated in parentCAS and visits
pages protected by the childCAS, the user should NOT be asked to log in again
(at the childCAS.), allowing the user to go directly to the application in
question. If the user has not been authenticated at the parentCAS and access
the apps at the childCAS side, s/he will need to get authenticated by the
childCAS.
A successful authentication at the childCAS is not good enough for the
applications that are protected by parentCAS. So it is one way trust. About the
user repository, all the users in childCAS's user DB have accounts at the
parentCAS's user DB, only that records are not exact carbon copy. Number of
fields are different and I must consider cases like the same person using
different names (say, "Christopher Gibins" in parentCAS side DB and "Chris
Gibings"on the other.
I have a little (theoretical) understanding of trust in multi-domain CAS,
thanks to John Field's article and some help from Marvin, Brian and others. But
this one, where do I start? I need keywords so that I can fine tune my search.
This issue may have been raised and solved!?
A side question to John: is it (always?) necessary to get the ultimate
authentication at the local level in case of two different-domain CASes? In
your article, you mention that even though the home CAS issues an ST for the
"remote CAS application", the applications at the remote end trust validation
only from their own local CAS. What I am getting at is this: Would it be
necessary for the childCAS to eventually authenticate a request using its own
user repository? Some kind of mapping to a local record once I am dead sure
that the visitor has already been authenticated at the genuine parentCAS?
If I could ask more, I wish to have a "solution approach", just like John's
paper. Like if I need to write my own customPrincipalResolver.. where to start?
What do I need? On this though, I will also do my own search (if it is "out"
there).
I came across a word "gateway". Would it solve my problem? (Andrew Petro's
response to Jeremy). This one also should be googleable.
How do I make sure that the childCAS trust the validation ONLY from the
parentCAS? (In addition to a direct log in to the server of the childCAS) Would
it be possible for a bogus "parentCAS" to access a childCAS-protected
application and say, " I am your parentCAS, do let me in"? How do I prevent it?
Sorry for a long question.
Thank you for taking time to read.
Cheers.
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
