Here's a potential work-around for an application that needs the PGT to last as long as the application session lasts (both steps are required):
1. TGT-keep-alive: implemented a URL that keeps no state, but requires a ST. Then have the application periodically force the browser user-agent to view this URL (perhaps via a hidden frame), thus implementing a TGT-keep-alive (for as long as the TGT can live, CAS3.5 default config implements a max time to live, as well as the idle session timeout).
2. PGT-keep-alive: same as #1, except the app has to make the back-channel calls to the URL for new PTs to keep the PGT alive.

Here's a potential (partial?) fix:

Seems to me that CAS3 goes too far in modeling PGT as TGT in that it causes the PGT to be somewhat disconnected from the use case. If the TGT is still valid, then perhaps the PGT should still be valid as well, and not have an independent time-out. This would at least cover the case where the user is logged in to the app and still has valid TGT session, but hasn't exercised the PGT frequently enough (causing it to time out). So a proposal might be to have the PGT timeout be directly tied to the TGT timeout rather than being independent.

cc'ing cas-dev for further discussion.

It is also interesting to think of TGT-keep-alive functionality baked into the CAS client directly...so that as long as there is an active application session, the CAS client could periodically inform the CAS server that the TGT should remain valid (at least as long as the max time to live) even if no STs have been requested. Basically creating a standard mechanism to step 1. from above.

Best,
Bill

On Wed, Nov 28, 2012 at 3:14 AM, Olivier <[email protected]> wrote:
> As you know (from another thread), it's exactly my use case. I am really
> looking forward to read your thoughts :-). We bumped the ticket granting
> expiration to 12 hours... which doesn't satisfy me as CISO, but that's the
> least worst solution for now.
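The timeout interaction discussed in this message, as an added example that is not part of the original post and is not CAS code: a small model comparing an independent PGT timeout with a PGT whose validity follows its TGT. The Ticket class, the simulate function and all timeout values are constructed assumptions, not CAS defaults.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ticket:
    """Simplified ticket: idle timeout plus hard maximum lifetime, in seconds."""
    created: int
    idle_timeout: int
    max_ttl: int
    parent: Optional["Ticket"] = None  # for a PGT: the TGT it was issued under
    bound_to_parent: bool = False      # proposal: PGT validity follows the TGT
    last_used: int = -1

    def __post_init__(self):
        self.last_used = self.created

    def expired(self, now: int) -> bool:
        if self.bound_to_parent and self.parent is not None:
            return self.parent.expired(now)  # no independent PGT timer
        return (now - self.last_used > self.idle_timeout
                or now - self.created > self.max_ttl)

    def touch(self, now: int) -> bool:
        """Use the ticket (an ST or PT is issued); refused once expired."""
        if self.expired(now):
            return False
        self.last_used = now
        return True


def simulate(bound: bool, pgt_keepalive: bool, duration: int = 14400,
             step: int = 600) -> Optional[int]:
    """Return the time at which the PGT expired, or None if it survived.

    The browser hits the keep-alive URL every `step` seconds (step 1 in the
    message). The app requests a PT every `step` seconds only when
    pgt_keepalive is set (step 2). Timeouts are constructed sample values.
    """
    tgt = Ticket(created=0, idle_timeout=1800, max_ttl=28800)
    pgt = Ticket(created=0, idle_timeout=1800, max_ttl=28800,
                 parent=tgt, bound_to_parent=bound)
    for now in range(step, duration + 1, step):
        tgt.touch(now)          # TGT keep-alive via the browser
        if pgt_keepalive:
            pgt.touch(now)      # PGT keep-alive via back-channel PT request
        if pgt.expired(now):
            return now
    return None
```

With only the TGT kept alive, the independent PGT idles out while the user is still logged in; binding it to the TGT removes that gap, and the TGT's max time to live remains the upper bound in both designs.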
