Understood. I'll describe my use cases. Some of my clients use browsers and some do not. This means that the non-browser clients' workflow will be as follows:

1. Obtain a TGT
2. Obtain a ST
3. Validate the ST (https:<my-service>?ticket=<my ticket>)
4. Interact with <my-service>

My question is, what is the added value (from a security point of view) of the ST? (I mean, the client is already aware of the TGT.)

On Thu, Mar 7, 2013 at 5:01 PM, Andrew Petro <[email protected]> wrote:
> If you presented the TGT to any entity other than the CAS server, that
> entity could then use that TGT to access the CAS server in the name of the
> user, obtaining STs as the user. Thus any entity presented with the TGT
> becomes a potential illicit proxy.
>
> STs are very-short-lived application-specific one-time-use password
> replacements. Appropriately vending and redeeming them is part of the
> point of a CAS server. :)
>
>
> On Thu, Mar 7, 2013 at 9:42 AM, Modi Tamam <[email protected]> wrote:
>
>> Hi,
>> I'm trying to figure out the purpose of the service ticket.
>> I mean, why wouldn't I validate the TGT against each service
>> that I want to interact with? What is the added value of the ST?
>>
>> --
>> Best Regards
>> Mordechai Tamam
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>>

--
Best Regards
Mordechai Tamam
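As an added illustration (not code from this thread or from the CAS project), here is a minimal ticket registry that models the property Andrew describes: the TGT is only ever presented to the CAS server, while each ST is bound to a single service, expires quickly and is consumed on its first validation, so a service that receives an ST can neither replay it nor mint further tickets. The class name CasServer, the helper non_browser_flow and the stubbed credential check are assumptions for the example.

```python
import secrets
import time


class CasServer:
    """Toy CAS-style ticket registry (illustrative only, not the CAS codebase)."""

    def __init__(self, st_ttl_seconds=10.0):
        self.tgts = {}   # TGT id -> username; shared only between client and CAS
        self.sts = {}    # ST id -> (username, bound service, expiry timestamp)
        self.st_ttl = st_ttl_seconds

    def login(self, username, password):
        # Credential check is stubbed: any non-empty password is accepted here.
        if not password:
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self.tgts[tgt] = username
        return tgt

    def grant_service_ticket(self, tgt, service, now=None):
        # Only a TGT holder can obtain STs, and each ST names one service.
        username = self.tgts.get(tgt)
        if username is None:
            raise PermissionError("unknown TGT")
        now = time.time() if now is None else now
        st = "ST-" + secrets.token_urlsafe(24)
        self.sts[st] = (username, service, now + self.st_ttl)
        return st

    def validate(self, st, service, now=None):
        # One-time use: the ST is removed on the first validation attempt,
        # whatever the outcome, so a captured or replayed ticket yields nothing.
        entry = self.sts.pop(st, None)
        if entry is None:
            return None
        username, bound_service, expires_at = entry
        now = time.time() if now is None else now
        if service != bound_service or now > expires_at:
            return None
        return username


def non_browser_flow(cas, service, now=0.0):
    """The four-step workflow from the thread: TGT, ST, validate, interact."""
    tgt = cas.login("alice", "correct horse")
    st = cas.grant_service_ticket(tgt, service, now)
    user = cas.validate(st, service, now)     # the service only ever sees the ST
    replay = cas.validate(st, service, now)   # second use of the same ST fails
    return user, replay
```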
