Understood.

In my case, the SSO clients (a.k.a. services) are internal products (deployed
on different machines in the organization), and I'm not bothered by the fact
that they are exposed to the TGT.

Do you think I am missing something? I mean, I'm just interested in an SSO
solution, and the ST seems to be an extra feature.

BR



On Thu, Mar 7, 2013 at 5:40 PM, Andrew Petro <[email protected]> wrote:

> Sure.  The non-browser client is adopting the role of browser in the CAS
> protocol.  It touches the TGT.
>
> Still, by using the TGT to obtain an ST, your "<my-service>" doesn't get
> to see the TGT, only a short-lived one-time-use ST.  This is better than
> the service itself touching the TGT, which it could then use as an illicit
> proxy.
>
> All that said, I'd readily agree that CAS has less to offer non-browser
> clients and that you might well consider other options. The non-browser
> client is presumably a custom application that can do smarter, more
> sophisticated things than can a web browser.  As in, participate in OAuth,
> or validate credentials to pull down a certificate and use TLS to
> authenticate to the services it accesses on the user's behalf, or...
>
> Andrew
>
>
> On Thu, Mar 7, 2013 at 10:28 AM, Modi Tamam <[email protected]> wrote:
>
>> Understood.
>> I'll describe my use cases.
>> Some of my clients use browsers and some do not, meaning that the
>> non-browser clients' workflow will be as follows:
>>
>>    1. Obtain a TGT
>>    2. Obtain a ST
>>    3. Validate the ST (https:<my-service>?ticket=<my ticket>)
>>    4. Interact with <my-service>
>>
>> My question is, what is the added value (from a security point of view)
>> of the ST? (I mean, the client is already aware of the TGT)
>>
>>
>> On Thu, Mar 7, 2013 at 5:01 PM, Andrew Petro <[email protected]> wrote:
>>
>>> If you presented the TGT to any entity other than the CAS server, that
>>> entity could then use that TGT to access the CAS server in the name of the
>>> user, obtaining STs as the user.  Thus any entity presented with the TGT
>>> becomes a potential illicit proxy.
>>>
>>> STs are very-short-lived, application-specific, one-time-use password
>>> replacements.  Appropriately vending and redeeming them is part of the
>>> point of a CAS server. :)
>>>
>>>
>>> On Thu, Mar 7, 2013 at 9:42 AM, Modi Tamam <[email protected]> wrote:
>>>
>>>> Hi,
>>>> I'm trying to figure out the purpose of the service ticket.
>>>> I mean, why wouldn't I validate the TGT against each service
>>>> that I want to interact with; what is the added value of the ST?
>>>>
>>>> --
>>>> Best Regards
>>>> Mordechai Tamam
>>>>
>>>> --
>>>> You are currently subscribed to [email protected] as: 
>>>> [email protected]
>>>> To unsubscribe, change settings or access archives, see 
>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>>
>>>>
>>>
>>>
>>
>>
>> --
>> Best Regards
>> Mordechai Tamam
>>
>>
>>
>
>


-- 
Best Regards
Mordechai Tamam


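The four-step non-browser workflow discussed in this thread (obtain a TGT, use it to obtain an ST, have the service validate the ST, then interact) and the "illicit proxy" argument for never showing the TGT to a service, modelled as an added example. This is not the CAS server's code and not code from anyone in the thread: the in-memory `CasServer`, its method names, the `TGT-`/`ST-` prefixes, the 10-second ST lifetime and the service URLs are all assumptions constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed toy model of the CAS ticket flow. NOT the CAS server's code;
# names, ticket formats and lifetimes below are assumptions for illustration.

ST_LIFETIME_SECONDS = 10.0  # assumption: an ST is very short-lived


@dataclass
class ServiceTicket:
    user: str
    service: str        # an ST is bound to exactly one service URL
    issued_at: float
    consumed: bool = False


class CasServer:
    """Toy ticket authority: vends TGTs and STs, and redeems STs."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tgts = {}   # TGT string -> user
        self._sts = {}    # ST string  -> ServiceTicket

    def login(self, user, password):
        """Step 1: primary credentials are exchanged for a TGT.
        Assumption: any non-empty password is accepted in this toy."""
        if not password:
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self._tgts[tgt] = user
        return tgt

    def grant_st(self, tgt, service):
        """Step 2: whoever holds the TGT can obtain an ST for ANY service.
        This is exactly why a service must never see the TGT."""
        user = self._tgts.get(tgt)
        if user is None:
            raise PermissionError("unknown or expired TGT")
        st = "ST-" + secrets.token_urlsafe(24)
        self._sts[st] = ServiceTicket(user, service, self._clock())
        return st

    def validate_st(self, st, service):
        """Step 3: the service redeems the ST it was handed. Accepted exactly
        once, only for the service it was issued to, only while fresh."""
        rec = self._sts.get(st)
        if rec is None:
            raise PermissionError("unknown ST")
        if rec.consumed:
            raise PermissionError("ST already redeemed (replay)")
        if rec.service != service:
            raise PermissionError("ST issued for a different service")
        if self._clock() - rec.issued_at > ST_LIFETIME_SECONDS:
            raise PermissionError("ST expired")
        rec.consumed = True
        return rec.user


def _attempt(fn, *args):
    """Run a ticket operation and fold a denial into a readable string."""
    try:
        return fn(*args)
    except PermissionError as e:
        return f"denied: {e}"


def compare_exposure(cas, tgt, honest_service, other_service):
    """Contrast what a (compromised) service can do holding an ST vs the TGT."""
    results = {}
    st = cas.grant_st(tgt, honest_service)
    results["first_validation"] = _attempt(cas.validate_st, st, honest_service)
    # Replaying the same ST, by the service or anyone who sniffed it, fails.
    results["replay"] = _attempt(cas.validate_st, st, honest_service)
    # An ST cannot be redeemed at a service it was not issued for.
    st2 = cas.grant_st(tgt, honest_service)
    results["wrong_service"] = _attempt(cas.validate_st, st2, other_service)
    # Holding only STs, the service cannot mint tickets for other services.
    results["st_holder_mints"] = _attempt(cas.grant_st, st2, other_service)
    # Holding the TGT, the service is an illicit proxy: it mints an ST for
    # another service, which then accepts the attacker as the user.
    proxy_st = cas.grant_st(tgt, other_service)
    results["tgt_holder_proxies"] = _attempt(cas.validate_st, proxy_st, other_service)
    return results


def expiry_demo():
    """An ST presented after its lifetime is refused even if never used."""
    now = [1000.0]                       # constructed, controllable clock
    cas = CasServer(clock=lambda: now[0])
    tgt = cas.login("alice", "pw")
    st = cas.grant_st(tgt, "https://svc.example/")
    now[0] += ST_LIFETIME_SECONDS + 1
    return _attempt(cas.validate_st, st, "https://svc.example/")


if __name__ == "__main__":
    cas = CasServer()
    tgt = cas.login("alice", "correct-horse")
    for k, v in compare_exposure(cas, tgt, "https://svc-a.example/",
                                 "https://svc-b.example/").items():
        print(f"{k:20s} {v}")
    print(f"{'expired':20s} {expiry_demo()}")
```

The last two entries of `compare_exposure` are the point of the thread: a service that only ever receives STs can do nothing beyond redeeming each one once at itself, while a service that receives the TGT can obtain valid STs for every other service in the organisation and act as the user there.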