Hi All,

Back with the same question I asked earlier: is it possible to embed items in the payload (when an authenticated user visits a remote CAS server)? I want the remote server (with the childCAS) to know, by looking at the header or somewhere else (where?), that the request consists of the user's Id and maybe the URL of the parentCAS server. What are the keywords for this kind of scenario?

Thanks for your attention,

--- On Fri, 2012/2/3, [email protected] <[email protected]> wrote:

Hi Marvin, John Field, Brian, Andrew:

How do I pique your interest? :)

I got some idea from John's paper, and I have some questions. I could use the REMOTE_USER header to sense that the user is coming from the parentCAS institution. Then, if I could convince the childCAS to trust the parentCAS's authentication, I would be done. Would it work? How and why? Where do I start? I need to learn right from setting up an environment (eclipse/tomcat/maven/spring). Well, that's what Google is for, but I still need a roadmap, and I would like to ask some of the more experienced readers here to give some guidance.

Some of the questions I have in mind: When an authenticated user from the parentCAS visits a URL which is childCAS-protected, what is the content of the request? Does the request have "I am so and so from so and so URL" information, besides probably a service ticket? If yes, then I could probably write a filter to allow the request from the participating parentCAS institutions.

I quoted names, but of course everyone is not only welcome but also requested to pitch in. Those people are some of the most frequent names that I came across in my previous posts.

Cheers,

--- On Wed, 2012/2/1, [email protected] <[email protected]> wrote:

To Andrew and Brian:

Believe me, if it were not necessary, I would not have written such a long email. I do not have sufficient knowledge to create a pure hypothetical case and enjoy doing it. I am sorry, but I cannot divulge where I am trying to implement this solution. For an example, how about this scenario:

Several huge ("mother") institutions participate in a project. The project maintains its own independent childCAS server/authentication database because its users are not only (some of the) members of the mother institutions (with parentCAS), but also people who are not affiliated with any parentCAS institutions, like freelancers.

Now these people at the parentCAS institutions do their thing in their home application servers, but sometimes they want to check something which is available ONLY in the project with childCAS. And they don't want to be bothered by another set of login screens.

The reverse is not desirable. People who are authenticated by the childCAS of the project cannot be given the privilege to access parentCAS-protected apps running at the mother institutions. The mother institutions have way more and varied applications running under their parentCAS.

Does it make sense?

> or is this an artifact of where your initial investigations led?

No. I had not understood what I needed to do in the beginning! Now, I know better :)

Cheers.

--- On Wed, 2012/2/1, b savage <[email protected]> wrote:

Hi there,

Just double-checking as this seems like a challenging case otherwise ... are the multiple CAS servers essential, or is this an artifact of where your initial investigations led? CAS can handle multiple domains without multiple CAS servers (and you could proceed on more travelled routes to handle some of your other requirements).

Brian

On Tue, Jan 31, 2012 at 2:34 PM, <[email protected]> wrote:

Hi All,

Someone please guide me to a possible solution. I struggled with a sample/simple helloworld application; that should tell you where I stand on things CAS. Please explain in a few sentences what/how I should be implementing this.

Situation: Two CAS servers, say parentCAS and childCAS, in two different domains; both can be accessed independently. If a user is authenticated in parentCAS and visits pages protected by the childCAS, the user should NOT be asked to log in again (at the childCAS), allowing the user to go directly to the application in question. If the user has not been authenticated at the parentCAS and accesses the apps at the childCAS side, s/he will need to get authenticated by the childCAS. A successful authentication at the childCAS is not good enough for the applications that are protected by parentCAS. So it is a one-way trust.

About the user repository: all the users in childCAS's user DB have accounts at the parentCAS's user DB, only the records are not exact carbon copies. The number of fields is different, and I must consider cases like the same person using different names (say, "Christopher Gibins" in the parentCAS-side DB and "Chris Gibings" on the other).

I have a little (theoretical) understanding of trust in multi-domain CAS, thanks to John Field's article and some help from Marvin, Brian and others. But this one, where do I start? I need keywords so that I can fine-tune my search. This issue may have been raised and solved!?

A side question to John: is it (always?) necessary to get the ultimate authentication at the local level in the case of two different-domain CASes? In your article, you mention that even though the home CAS issues an ST for the "remote CAS application", the applications at the remote end trust validation only from their own local CAS. What I am getting at is this: Would it be necessary for the childCAS to eventually authenticate a request using its own user repository? Some kind of mapping to a local record once I am dead sure that the visitor has already been authenticated at the genuine parentCAS?

If I could ask more, I wish to have a "solution approach", just like John's paper. Like, if I need to write my own customPrincipalResolver, where do I start? What do I need? On this, though, I will also do my own search (if it is "out" there).

I came across the word "gateway". Would it solve my problem? (Andrew Petro's response to Jeremy.) This one also should be googleable.

How do I make sure that the childCAS trusts the validation ONLY from the parentCAS? (In addition to a direct login to the server of the childCAS.) Would it be possible for a bogus "parentCAS" to access a childCAS-protected application and say, "I am your parentCAS, do let me in"? How do I prevent it?

Sorry for a long question. Thank you for taking time to read.

Cheers.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
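The exchange the thread keeps circling back to, shown as an added example that is not part of the thread and not the CAS project's own code: one CAS issues a service ticket bound to an application URL, the application validates that ticket only against the CAS it is configured to trust (the CAS 2.0 /serviceValidate endpoint), and the returned username is then mapped to a local record. It also answers the "bogus parentCAS" worry in code: the application believes nothing carried in the user's own request (no header, no claim embedded in the ticket), only the XML that comes back from its configured validation URL over HTTPS, and a ticket is refused if it is replayed, bound to a different service, or simply made up. Everything runs offline; the hostnames, the user cgibbins, the LOCAL_ACCOUNTS table and the MockCasServer are constructed for illustration.

```python
"""Minimal CAS 2.0 service-ticket exchange, both sides simulated offline.

Added example, not code from the CAS project or from anyone in the thread.
Hostnames, user names and the local-account table are constructed."""
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"


class MockCasServer:
    """Stand-in for the parentCAS: issues service tickets and validates them."""

    def __init__(self, base_url):
        self.base_url = base_url
        self._tickets = {}  # ticket -> (service it was issued for, user)

    def issue_service_ticket(self, service, user):
        # A service ticket is opaque, bound to one service URL, single use.
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (service, user)
        return ticket

    def handle(self, url):
        """Serve GET /serviceValidate?service=...&ticket=... as CAS 2.0 XML."""
        parsed = urlparse(url)
        if (parsed.netloc != urlparse(self.base_url).netloc
                or not parsed.path.endswith("/serviceValidate")):
            return _failure("INVALID_REQUEST", "unknown endpoint")
        query = parse_qs(parsed.query)
        service = query.get("service", [""])[0]
        ticket = query.get("ticket", [""])[0]
        entry = self._tickets.pop(ticket, None)  # pop: a replayed ticket fails
        if entry is None:
            return _failure("INVALID_TICKET", "ticket not recognized")
        bound_service, user = entry
        if bound_service != service:
            return _failure("INVALID_SERVICE", "ticket not bound to this service")
        return _success(user)


def _success(user):
    return ('<cas:serviceResponse xmlns:cas="%s"><cas:authenticationSuccess>'
            "<cas:user>%s</cas:user></cas:authenticationSuccess>"
            "</cas:serviceResponse>" % (CAS_NS, escape(user)))


def _failure(code, message):
    return ('<cas:serviceResponse xmlns:cas="%s">'
            '<cas:authenticationFailure code="%s">%s</cas:authenticationFailure>'
            "</cas:serviceResponse>" % (CAS_NS, escape(code), escape(message)))


class TicketValidationError(Exception):
    """Message is the CAS failure code, or a local reason for refusing."""


def parse_service_response(xml_text):
    """Extract cas:user from a success response; raise on any failure."""
    root = ET.fromstring(xml_text)
    ok = root.find("{%s}authenticationSuccess" % CAS_NS)
    if ok is not None:
        user = ok.findtext("{%s}user" % CAS_NS)
        if not user:
            raise TicketValidationError("MALFORMED")
        return user
    fail = root.find("{%s}authenticationFailure" % CAS_NS)
    raise TicketValidationError(fail.get("code") if fail is not None else "MALFORMED")


def validate_ticket(trusted_cas_base, service, ticket, fetch):
    """Application side. The only identity assertion honoured is the XML that
    comes back from the configured CAS over HTTPS; nothing in the user's own
    request (a header, the ticket string itself) is believed."""
    if urlparse(trusted_cas_base).scheme != "https":
        raise TicketValidationError("UNTRUSTED_TRANSPORT")
    if not ticket.startswith("ST-"):
        raise TicketValidationError("INVALID_TICKET_SPEC")
    url = trusted_cas_base.rstrip("/") + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})
    return parse_service_response(fetch(url))


# Constructed local table keyed by the stable parentCAS login rather than a
# display name, so differing spellings of the person's name do not matter.
LOCAL_ACCOUNTS = {"cgibbins": {"local_id": 4711, "display_name": "Chris Gibbins"}}


def resolve_local_account(parent_user, table=LOCAL_ACCOUNTS):
    return table.get(parent_user)


def run_exchange():
    """Drive the exchange end to end and return the outcome of each step."""
    parent = MockCasServer("https://parentcas.example.org/cas")
    service = "https://reports.childproject.example.net/login"

    def attempt(cas_base, svc, ticket):
        try:
            return validate_ticket(cas_base, svc, ticket, parent.handle)
        except TicketValidationError as exc:
            return "ERR:" + str(exc)

    out = {}
    st = parent.issue_service_ticket(service, "cgibbins")
    out["first_use"] = attempt(parent.base_url, service, st)
    out["replay"] = attempt(parent.base_url, service, st)
    other = parent.issue_service_ticket("https://other.example.net/", "cgibbins")
    out["wrong_service"] = attempt(parent.base_url, service, other)
    out["forged"] = attempt(parent.base_url, service, "ST-made-up-by-attacker")
    out["plain_http"] = attempt("http://parentcas.example.org/cas", service, st)
    out["local"] = resolve_local_account(out["first_use"])
    return out


if __name__ == "__main__":
    for step, result in run_exchange().items():
        print(step, "->", result)
```

The point to take from it is where trust enters: the application's configured `trusted_cas_base` is the only authority it ever consults, so a second server calling itself the parentCAS has nowhere to inject itself, and a validation endpoint reached over plain HTTP is refused because a forged success response would be trivial on the wire. In a real deployment the `fetch` callable is an HTTPS client that also verifies the server certificate; here it is the mock server's handler so the example runs offline.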
