Hi,

You need to understand the difference between TGT and ST (like PGT versus PT):

- TGT / PGT: SSO identity (global)
- ST / PT: one access to one application (local).

So it wouldn't make any sense to be able to get a PGT against an ST (at service ticket validation). It would mean that you can exchange a "local security level" for a "global security level" without doing anything.

The proxy support requires one more proof. The PGTIOU and PGT are sent directly to the application (the "one more proof"), and the PGTIOU and user identity are returned through service ticket validation. With both pieces of information, you can make the PGT correspond to the user identity: PGT,PGTIOU <-> PGTIOU,user identity.

Best regards,
Jérôme
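The correlation described in the message above, sketched as an added example that is not part of the original e-mail or of any CAS client library. The `PgtStore` class, its TTL, and the sample ticket values are assumptions made for illustration; `pgtIou`, `pgtId` and the `cas:proxyGrantingTicket` element are the CAS protocol's own names.

```python
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

class PgtStore:
    """Hypothetical client-side store that pairs PGTIOU -> PGT."""

    def __init__(self, ttl=60.0):
        self.ttl = ttl
        self._pending = {}  # pgtIou -> (pgtId, time the callback arrived)

    def on_callback(self, query, now=None):
        # Channel 1: the CAS server calls the application's proxy callback
        # URL directly and hands over both the PGTIOU and the PGT.
        params = parse_qs(query)
        iou, pgt = params.get("pgtIou"), params.get("pgtId")
        if not iou or not pgt:
            return False
        stamp = time.monotonic() if now is None else now
        self._pending[iou[0]] = (pgt[0], stamp)
        return True

    def on_validation(self, xml_body, now=None):
        # Channel 2: service ticket validation returns the user identity and
        # only the PGTIOU, never the PGT itself.
        now = time.monotonic() if now is None else now
        ok = ET.fromstring(xml_body).find("cas:authenticationSuccess", CAS_NS)
        if ok is None:
            return None
        user = ok.findtext("cas:user", namespaces=CAS_NS)
        iou = ok.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)
        entry = self._pending.pop(iou, None)  # a PGTIOU is matched once only
        if not user or entry is None or now - entry[1] > self.ttl:
            return None  # no callback seen, already used, or stale
        return user, entry[0]  # PGT,PGTIOU <-> PGTIOU,user identity

# Constructed sample inputs (not real tickets).
CALLBACK_QUERY = "pgtIou=PGTIOU-1-example&pgtId=PGT-1-example"
VALIDATION_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-1-example</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
```

A validation response whose PGTIOU was never delivered to the callback yields `None`, so holding a service ticket alone never produces a PGT.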
