Again, I think I answered my own question. It seems that SSO only works for SSL connections and that the cookie is not sent over a non-SSL connection (Firesheep?).
It looks like this is documented here: https://wiki.jasig.org/display/CASUM/Securing+Your+New+CAS+Server

"By default, CAS only sends the single sign on cookie (CASTGC) over secure connections"

Also, Marvin Addison said something similar here: https://lists.wisc.edu/read/messages?id=14246778

"Single sign-on is disabled for http URLs by default."

It does look like this can be disabled, but that should only be done in test or development environments, with which I agree.

If all of this is correct, I would highly recommend updating this wiki page: https://wiki.jasig.org/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+using+JNDI

It shows a non-SSL URL for serverName while the other two are SSL URLs. This was the page that made me originally think it was possible.
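The cookie behaviour described in this message, as an added example that is not part of the original post: Python's standard-library cookie jar stands in for a browser and shows when a CASTGC cookie is returned to the server. The host name, the /cas/ path and the ticket value are constructed for illustration.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed values: host, path and ticket id are placeholders, not from the post.
CAS_LOGIN = "https://cas.example.org/cas/login"
SECURE_TGC = "CASTGC=TGT-1-constructed; Path=/cas/; Secure"    # default behaviour
INSECURE_TGC = "CASTGC=TGT-1-constructed; Path=/cas/"          # Secure flag turned off


class _FakeResponse:
    """Minimal response object carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._msg = email.message.Message()
        self._msg["Set-Cookie"] = set_cookie

    def info(self):
        return self._msg


def cookie_header_for(set_cookie, url):
    """Store the cookie as if the CAS login page set it over HTTPS, then
    return the Cookie header a client would attach to a request for url
    (None when the cookie policy withholds it)."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie),
                        urllib.request.Request(CAS_LOGIN))
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


if __name__ == "__main__":
    for label, header in (("Secure", SECURE_TGC), ("no Secure flag", INSECURE_TGC)):
        for scheme in ("https", "http"):
            url = scheme + "://cas.example.org/cas/login"
            sent = cookie_header_for(header, url)
            print(f"{label:15} {scheme:5} -> {sent or 'cookie withheld'}")
```

With the Secure attribute the ticket-granting cookie never leaves the client on an http URL, so CAS sees no existing session there; without the attribute the cookie travels in cleartext on the http request.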
