Hi List: Thank you very much for all your help.
I have security/workflow questions that I am not sure if it is due to my beginner understanding of CAS. My understanding of CAS workflow, whereby user is authenticating to application via CAS, is as follows: 1 - User accesses protected page on application; application redirects user to CAS for authentication 2 - User successfully authenticates in CAS and is redirected back to application. 3 - The application calls CAS to retrieve the user's attributes (g.g. student number) For point 3 above, assuming my described flow is correct: A) Does the application , at point 3, call an API on CAS to retrieve the user's attributes? B) How does CAS prevent an unauthorized application, from spoofing a legitimate application, from using CAS for authentication? Thanks. -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
