If you presented the TGT to any entity other than the CAS server, that entity could then use that TGT to access the CAS server in the name of the user, obtaining STs as the user. Thus any entity presented with the TGT becomes a potential illicit proxy.
STs are very-short-lived application-specific one-time-use password replacements. Appropriately vending and redeeming them is part of the point of a CAS server. :)

On Thu, Mar 7, 2013 at 9:42 AM, Modi Tamam <[email protected]> wrote:
> Hi,
> I'm trying to figure out the purpose of the service ticket.
> I mean, why wouldn't I validate the TGT against each service
> that I want to interact with, what is the added value of the ST?
>
> --
> Best Regards
> Mordechai Tamam
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
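
Added example, not part of the original message and not code from the CAS project: a toy Python model of the ticket handling the reply describes, showing that an ST is bound to one service, redeemable once, short-lived, and useless for obtaining further tickets. The class and function names, the service URLs and the 10-second lifetime are all assumptions made for illustration.

```python
import secrets
import time

ST_LIFETIME_SECONDS = 10  # constructed value; real lifetimes are a deployment setting
APP_A, APP_B = "https://app-a.example/", "https://app-b.example/"  # constructed services

class ToyCasServer:
    """Hypothetical in-memory model of CAS ticket vending and redemption."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._tgts = {}  # TGT id -> username
        self._sts = {}   # ST id -> (username, service, expiry time)

    def login(self, username):
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self._tgts[tgt] = username
        return tgt  # meant to be presented to the CAS server only

    def grant_service_ticket(self, tgt, service):
        username = self._tgts.get(tgt)
        if username is None:
            return None  # only a valid TGT can obtain service tickets
        st = "ST-" + secrets.token_urlsafe(16)
        self._sts[st] = (username, service, self._clock() + ST_LIFETIME_SECONDS)
        return st

    def validate(self, st, service):
        record = self._sts.pop(st, None)  # pop: consumed even if the checks below fail
        if record is None:
            return None
        username, bound_service, expiry = record
        if service != bound_service or self._clock() > expiry:
            return None
        return username

def demo():
    now = [0.0]  # controllable fake clock so expiry can be shown without sleeping
    cas = ToyCasServer(clock=lambda: now[0])
    tgt = cas.login("alice")
    st = cas.grant_service_ticket(tgt, APP_A)
    first = cas.validate(st, APP_A)    # the intended redemption
    replay = cas.validate(st, APP_A)   # second use of the same ST
    wrong = cas.validate(cas.grant_service_ticket(tgt, APP_A), APP_B)  # other service
    stale = cas.grant_service_ticket(tgt, APP_A)
    now[0] += ST_LIFETIME_SECONDS + 1
    expired = cas.validate(stale, APP_A)            # redeemed after its lifetime
    proxy = cas.grant_service_ticket(st, APP_B)     # a service trying to reuse what it saw
    return first, replay, wrong, expired, proxy
```

`demo()` returns the username for the first redemption only; the replayed, wrong-service, expired and ST-as-TGT attempts all return `None`.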
