On Wed, Feb 15, 2012 at 5:34 PM, Jon Detert <[email protected]> wrote:
> Hello,
>
> I have a single CAS server v3.4.11 and a handful of clients (mostly apache
> mod_auth_cas v1.0.8; some CAS [java] Client; and phpCAS).
>
> The CAS server v3.4.11 is using a default configuration.
>
> I _think_ this is how it works. Please confirm/correct :
>
> 1) does the default CAS server configuration support 'single sign on'?

Yes, assuming https.

> 2) the first time a browser successfully authenticates with the CAS server,
> the server creates a TGT for the user, and sends it to the browser. The
> browser can use that TGT thereafter to authenticate to any other service
> using the CAS client until the TGT expires or the browser destroys its copy
> of the TGT. Is that correct?

Sort of. What is sent to the browser is the TGT ID; the TGT is kept on the CAS server. The user's browser can present the TGT ID (cookie) later to CAS as proof of prior primary authentication. The TGT is only used to authN with CAS. Services only ever get Service Tickets (and Proxy Tickets).

> 3) where does the CAS server store the valid TGT information?

In the Ticket Registry. Could be in memory, in a distributed cache like Ehcache, or in an RDBMS.

> 4) the bean id="grantingTicketExpirationPolicy" (defined by default in the
> spring-configuration/ticketExpirationPolicies.xml file) is the amount of time
> which the TGT can go unused before it expires. Is that correct?

Yes, for the TimeoutExpirationPolicy, where "unused" means hasn't vended a Service Ticket. You might want to look at the TicketGrantingTicketExpirationPolicy, which provides a sliding window and a hard timeout. This one is set to be the default in 3.5.

> 5) when does a browser re-use the TGT? Every time it needs a new Service
> Ticket, or only when the TGT expires?

The browser sends the TGT cookie to the CAS server each time it visits the CAS server. It is "used" in terms of the expiration policies whenever a Service Ticket is vended based on it.

> 6) when does a browser need a Service Ticket? For every cas-protected URL it
> visits?

Every time it needs to access a protected web app. The web app can then set up its own session.

> 7) a Service Ticket expires by default in 5 minutes (defined in the web.xml).
> Is that correct?

No. STs are set to expire in 10s as defined in the ticketExpirationPolicies.xml.

> Thanks much,

Good luck!

This might also help: http://www.youtube.com/watch?v=Ik_11Y17ASg

Bill

> Jon
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
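The ticket semantics Bill describes above (TGT held server-side with only its ID in the browser cookie, TGT "use" meaning an ST was vended, idle vs. sliding-window-plus-hard-timeout policies, 10 s single-use Service Tickets), as an added toy model in Python that is not CAS code and not part of the original thread; the class names mirror the CAS policy names but the timing values and the registry are constructed for illustration:

```python
"""Constructed model of CAS ticket expiry (illustration, not CAS source)."""
import secrets
from dataclasses import dataclass


@dataclass
class Tgt:
    tgt_id: str      # the only thing the browser ever holds (CASTGC cookie)
    created: float
    last_used: float  # last time a Service Ticket was vended from this TGT


@dataclass
class TimeoutExpirationPolicy:
    idle: float  # seconds the TGT may go without vending an ST

    def expired(self, tgt: Tgt, now: float) -> bool:
        return now - tgt.last_used > self.idle


@dataclass
class TicketGrantingTicketExpirationPolicy(TimeoutExpirationPolicy):
    max_age: float = 8 * 3600  # hard timeout from creation (assumed value)

    def expired(self, tgt: Tgt, now: float) -> bool:
        return super().expired(tgt, now) or now - tgt.created > self.max_age


class TicketRegistry:
    """Server-side store; here in memory, like the default CAS registry."""

    def __init__(self, policy, st_lifetime: float = 10.0):
        self.policy, self.st_lifetime = policy, st_lifetime
        self.tgts: dict[str, Tgt] = {}
        self.sts: dict[str, tuple[str, float]] = {}

    def login(self, now: float) -> str:  # primary authentication succeeded
        tgt_id = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt_id] = Tgt(tgt_id, now, now)
        return tgt_id  # only the ID goes back to the browser

    def grant_service_ticket(self, tgt_id: str, service: str, now: float):
        tgt = self.tgts.get(tgt_id)
        if tgt is None or self.policy.expired(tgt, now):
            self.tgts.pop(tgt_id, None)  # expired TGT is purged, user re-authenticates
            return None
        tgt.last_used = now  # vending an ST is what counts as "use"
        st_id = "ST-" + secrets.token_urlsafe(16)
        self.sts[st_id] = (service, now)
        return st_id

    def validate(self, st_id: str, service: str, now: float) -> bool:
        rec = self.sts.pop(st_id, None)  # single use: gone after first check
        return rec is not None and rec[0] == service and now - rec[1] <= self.st_lifetime
```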
