Hi David,

Thanks for the info. Just one more question. Now I am assuming each application will have its own PGT stored somewhere before getting a PT. That PGT+PGT-IOU is sent by CAS server via the app's callback URL.

Is it like the app can use this PGT to get a PT for any backend service? Or is it like for each backend service a PGT is required?

Thanks,
Sushant.

On 19-Jun-2013 11:43 PM, "Ohsie, David" <[email protected]> wrote:
> Let's see if this can help:
>
> 1) The CAS client wants to request a PGT while it is validating the ST.
>
> 2) However, CAS server doesn't want to return the PGT to the service, because it doesn't really know the identity of the service it is handing the PGT to. The ST might have ended up in the wrong hands somehow. So CAS doesn't want to give back a PGT as part of response to the serviceValidate call.
>
> 3) Instead CAS does two things:
>
> a) CAS calls back the client at the PGT URL using https. Since CAS can validate the cert that the service presents, CAS has some assurance of the identity of the service that it handed the PGT to. To help with the next step, it also generates a PGTIOU and sends that as well. The CAS client will store this PGT, PGTIOU pair in some data store for the next step.
>
> b) CAS does return from the serviceValidate, but instead of sending the PGT value, it sends the PGTIOU. The client can then look into the datastore described in a) to get the PGT.
>
> So the bottom line is that instead of returning the PGT during "serviceValidate", CAS calls back to the client at a different URI and sends the PGT, PGTIOU pair. It then returns the PGTIOU in the serviceValidate response. In this way, the client does get the PGT, but only if it is able to receive the call from CAS over https.
>
> David Ohsie
> Software Architect
> EMC Corporation
>
> *From:* susantra m [mailto:[email protected]]
> *Sent:* Wednesday, June 19, 2013 9:55 AM
> *To:* [email protected]
> *Subject:* [cas-user] Understanding PGTIOU
>
> Hi Experts,
>
> I am new to CAS.
>
> After going through the CAS proxy documents and walkthroughs, I could understand the use of a PGT and PT. But I am still very confused about the PGTIOU.
>
> My understanding is to connect to any backend service, the user requests a PGT using a ST and once the PGT is available he can generate PTs further.
>
> I am a bit confused why the CAS server sends PGTIOU, and if it sends, where from the callback URL gets the PGT. More specifically the bold lines below.
>
> *"A request is sent for a PGT through /serviceValidate or /proxyValidate URI. CAS server can't give PGT back in its response, because it's not convinced of the requestor identity. If the requestor identity is the correct identity, then CAS says "IOU (I Owe You) a PGT" and sends PGTIOU. The requestor, having received a PGTIOU in the CAS response, and both a PGT and a PGTIOU from the proxy callback which was given as value of pgturl parameter when request is sent, will use the proxy-granting ticket IOU to correlate the proxy-granting ticket with the validation response. The requestor will then use the proxy-granting ticket for the acquisition of proxy tickets, if the requestor is the correct identity."*
>
> Thanks in Advance.
>
> Sushant.
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
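The exchange David describes (ST validation, https callback carrying the PGT and PGTIOU, PGTIOU returned in the serviceValidate response, client-side correlation), as an added offline simulation that is not code from this thread or from the CAS project. The `CasServer` and `CasClient` classes, the in-memory lookup table that stands in for the real https request CAS would make to the pgtUrl, and all ticket values are constructed for illustration; the only protocol detail taken as given is that the PGTIOU travels in the `proxyGrantingTicket` field of the validation response, which is what the CAS protocol specifies.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlparse


@dataclass
class CasClient:
    """The application that validated an ST and wants a PGT (hypothetical class)."""
    pgt_url: str
    # Data store for the (PGTIOU -> PGT) pairs delivered on the callback (step 3a).
    pgt_store: Dict[str, str] = field(default_factory=dict)

    def proxy_callback(self, pgt_iou: str, pgt_id: str) -> int:
        """Handler behind pgt_url. CAS delivers the PGT and its IOU here;
        the client records the pair and answers 200."""
        self.pgt_store[pgt_iou] = pgt_id
        return 200

    def lookup_pgt(self, pgt_iou: str) -> Optional[str]:
        """Step 3b: correlate the PGTIOU from the serviceValidate response
        with the PGT that arrived on the callback."""
        return self.pgt_store.get(pgt_iou)


class CasServer:
    """In-memory stand-in for the CAS server (hypothetical class)."""

    def __init__(self, clients: Dict[str, CasClient]):
        # Assumption: a table of callback URL -> client object replaces the
        # https request CAS would really make; an https URL missing from the
        # table models a callback CAS could not complete.
        self.clients = clients
        self.service_tickets: Dict[str, tuple] = {}   # ST -> (service, user)
        self.pgts: Dict[str, str] = {}                # PGT -> user

    def issue_st(self, service: str, user: str) -> str:
        st = "ST-" + secrets.token_hex(8)               # constructed ticket value
        self.service_tickets[st] = (service, user)
        return st

    def service_validate(self, service: str, ticket: str,
                         pgt_url: Optional[str] = None) -> dict:
        # An ST is single-use and bound to the service it was issued for.
        entry = self.service_tickets.pop(ticket, None)
        if entry is None or entry[0] != service:
            return {"success": False, "code": "INVALID_TICKET"}
        response = {"success": True, "user": entry[1]}
        if pgt_url is None:
            return response
        # Step 2: the PGT itself never goes into this response. Step 3a: it is
        # only delivered over an https callback, so a non-https pgtUrl gets
        # neither a PGT nor a PGTIOU.
        if urlparse(pgt_url).scheme != "https":
            return response
        client = self.clients.get(pgt_url)
        if client is None:
            return response                 # callback unreachable: no PGT issued
        pgt_id = "PGT-" + secrets.token_hex(8)
        pgt_iou = "PGTIOU-" + secrets.token_hex(8)
        if client.proxy_callback(pgt_iou, pgt_id) != 200:
            return response                 # callback failed: PGT discarded
        self.pgts[pgt_id] = entry[1]
        response["proxyGrantingTicket"] = pgt_iou   # step 3b: the IOU, not the PGT
        return response

    def proxy(self, pgt: str, target_service: str) -> Optional[str]:
        """/proxy: exchange a held PGT for a PT for one backend service."""
        if pgt not in self.pgts:
            return None
        return "PT-" + secrets.token_hex(8)


def run_flow(pgt_url: str, target_service: str = "https://backend.example/api") -> Optional[str]:
    """Drive the whole exchange for one client. Returns the PT obtained, or
    None when the client never got hold of a PGT."""
    client = CasClient(pgt_url)
    cas = CasServer({pgt_url: client})
    st = cas.issue_st("https://app.example/login", "alice")
    resp = cas.service_validate("https://app.example/login", st, pgt_url=pgt_url)
    iou = resp.get("proxyGrantingTicket")
    if iou is None:
        return None
    pgt = client.lookup_pgt(iou)
    if pgt is None:
        return None
    return cas.proxy(pgt, target_service)


if __name__ == "__main__":
    print("https callback:", run_flow("https://app.example/pgtCallback"))
    print("http callback: ", run_flow("http://app.example/pgtCallback"))
```

Running the block shows the two outcomes David's last sentence distinguishes: with an https callback the client ends up with a PGT and can obtain a PT, while with a plain-http callback the validation still succeeds but no PGTIOU is returned and no PGT ever reaches the client.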
