Hi David,

Thanks for the info. Just one more question. Now I am assuming each application will have its own PGT stored somewhere before getting a PT. That PGT + PGTIOU is sent by the CAS server via the app's callback URL.

Is it like the app can use this PGT to get a PT for any backend service? Or is it like for each backend service a PGT is required?

[DO] The PGT is obtained one time when the original ST is validated. That one PGT is used to acquire many PTs: one PT for each service the application is trying to access.

Thanks,
Sushant.

On 19-Jun-2013 11:43 PM, "Ohsie, David" <[email protected]> wrote:

Let's see if this can help:

1) The CAS client wants to request a PGT while it is validating the ST.

2) However, the CAS server doesn't want to return the PGT to the service, because it doesn't really know the identity of the service it is handing the PGT to. The ST might have ended up in the wrong hands somehow. So CAS doesn't want to give back a PGT as part of the response to the serviceValidate call.

3) Instead CAS does two things:

a) CAS calls back the client at the PGT URL using https. Since CAS can validate the cert that the service presents, CAS has some assurance of the identity of the service that it handed the PGT to. To help with the next step, it also generates a PGTIOU and sends that as well. The CAS client will store this PGT, PGTIOU pair in some data store for the next step.

b) CAS does return from the serviceValidate, but instead of sending the PGT value, it sends the PGTIOU. The client can look into the datastore described in a) to get the PGT.

So the bottom line is that instead of returning the PGT during "serviceValidate", CAS calls back to the client at a different URI and sends the PGT, PGTIOU pair. It then returns the PGTIOU in the serviceValidate response. In this way, the client does get the PGT, but only if it is able to receive the call from CAS over https.

David Ohsie
Software Architect
EMC Corporation

From: susantra m [mailto:[email protected]]
Sent: Wednesday, June 19, 2013 9:55 AM
To: [email protected]
Subject: [cas-user] Understanding PGTIOU

Hi Experts,

I am new to CAS. After going through the CAS proxy documents and walkthroughs, I could understand the use of a PGT and PT. But I am still very confused about the PGTIOU. My understanding is that to connect to any backend service, the user requests a PGT using a ST and once the PGT is available he can generate PTs further. I am a bit confused why the CAS server sends a PGTIOU, and if it sends one, where the callback URL gets the PGT from. More specifically the bold lines below.

"A request is sent for a PGT through /serviceValidate or /proxyValidate URI. CAS server can't give PGT back in its response, because it's not convinced of the requestor identity. If the requestor identity is the correct identity, then CAS says "IOU (I Owe You) a PGT" and sends PGTIOU. The requestor, having received a PGTIOU in the CAS response, and both a PGT and a PGTIOU from the proxy callback which was given as value of pgturl parameter when request is sent, will use the proxy-granting ticket IOU to correlate the proxy-granting ticket with the validation response. The requestor will then use the proxy-granting ticket for the acquisition of proxy tickets, if the requestor is the correct identity."

Thanks in advance.
Sushant.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
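The exchange David describes, written out as an added simulation so the two paths can be seen side by side: the PGT travels only over the HTTPS callback to pgtUrl, the serviceValidate response carries just the PGTIOU, the client correlates the two through its own store, and the single PGT then mints one PT per backend. This is illustration code added here, not CAS server or CAS client code. The network and TLS are simulated: the "HTTPS callback" is a direct function call that succeeds only when the pgtUrl is https and its host is in a constructed trust store standing in for certificate validation. Ticket prefixes (ST-, PGT-, PGTIOU-, PT-) and the callback parameter names pgtId/pgtIou follow the CAS protocol specification as I understand it; the real server returns XML over HTTP, which is replaced by plain dicts here. All hostnames and the user "alice" are constructed.

```python
"""Simulation of the CAS proxy flow: ST validation with pgtUrl, HTTPS callback
carrying (pgtId, pgtIou), PGTIOU-only serviceValidate response, one PGT -> many PTs.
Added illustration, not CAS code. TLS is simulated by a constructed trust store."""
import secrets
from urllib.parse import urlparse


class CasServer:
    def __init__(self, trusted_hosts):
        self.trusted_hosts = set(trusted_hosts)  # hosts whose cert CAS would accept (simulated)
        self.tickets = {}    # ST or PT -> (user, service); single use
        self.pgts = {}       # PGT -> user
        self.callbacks = {}  # hostname -> client callback, stands in for an HTTPS GET

    def issue_st(self, user, service):
        st = "ST-" + secrets.token_urlsafe(16)
        self.tickets[st] = (user, service)
        return st

    def _https_callback(self, pgt_url, pgt, pgtiou):
        """Simulated GET pgtUrl?pgtId=...&pgtIou=...; True only if CAS trusts the host."""
        u = urlparse(pgt_url)
        handler = self.callbacks.get(u.hostname)
        if u.scheme != "https" or u.hostname not in self.trusted_hosts or handler is None:
            return False
        handler(pgt_id=pgt, pgt_iou=pgtiou)
        return True

    def _validate(self, ticket, service, prefix, pgt_url):
        entry = self.tickets.pop(ticket, None)  # pop: a ticket validates once only
        if entry is None or not ticket.startswith(prefix) or entry[1] != service:
            return {"authenticationFailure": "INVALID_TICKET"}
        success = {"user": entry[0]}
        if pgt_url:
            pgt = "PGT-" + secrets.token_urlsafe(32)
            pgtiou = "PGTIOU-" + secrets.token_urlsafe(16)
            if self._https_callback(pgt_url, pgt, pgtiou):  # step 3a: PGT goes out here
                self.pgts[pgt] = entry[0]
                success["proxyGrantingTicket"] = pgtiou    # step 3b: IOU only, never PGT
            # callback refused: PGT is discarded and the response carries no IOU
        return {"authenticationSuccess": success}

    def service_validate(self, st, service, pgt_url=None):
        return self._validate(st, service, "ST-", pgt_url)

    def proxy_validate(self, ticket, service, pgt_url=None):
        return self._validate(ticket, service, ("ST-", "PT-"), pgt_url)

    def proxy(self, pgt, target_service):
        user = self.pgts.get(pgt)
        if user is None:
            return {"proxyFailure": "INVALID_TICKET"}
        pt = "PT-" + secrets.token_urlsafe(16)
        self.tickets[pt] = (user, target_service)
        return {"proxySuccess": {"proxyTicket": pt}}


class CasClient:
    """A CAS-protected application that wants to proxy to backend services."""
    def __init__(self, cas, service_url, pgt_url):
        self.cas, self.service_url, self.pgt_url = cas, service_url, pgt_url
        self.iou_store = {}   # PGTIOU -> PGT, filled only by the callback endpoint
        self.pgt = None
        self.last_iou = None
        cas.callbacks[urlparse(pgt_url).hostname] = self.on_proxy_callback

    def on_proxy_callback(self, pgt_id, pgt_iou):
        self.iou_store[pgt_iou] = pgt_id  # the (PGT, PGTIOU) pair from the callback

    def login(self, st):
        resp = self.cas.service_validate(st, self.service_url, self.pgt_url)
        success = resp.get("authenticationSuccess")
        if success is None:
            return None
        self.last_iou = success.get("proxyGrantingTicket")
        if self.last_iou:  # correlate the IOU in the response with the stored PGT
            self.pgt = self.iou_store.pop(self.last_iou, None)
        return success["user"]

    def proxy_ticket_for(self, backend):
        resp = self.cas.proxy(self.pgt, backend)
        return resp.get("proxySuccess", {}).get("proxyTicket")


def demo():
    cas = CasServer(trusted_hosts={"app.example.org"})  # constructed trust store
    app = CasClient(cas, "https://app.example.org/", "https://app.example.org/pgtCallback")
    user = app.login(cas.issue_st("alice", "https://app.example.org/"))
    pt_a = app.proxy_ticket_for("https://backend-a.example.org/")  # one PGT ...
    pt_b = app.proxy_ticket_for("https://backend-b.example.org/")  # ... many PTs
    backend_a = cas.proxy_validate(pt_a, "https://backend-a.example.org/")
    replay = cas.proxy_validate(pt_a, "https://backend-a.example.org/")  # PT is single use
    # A service whose pgtUrl host CAS cannot verify still validates its ST but gets no PGT.
    rogue = CasClient(cas, "https://rogue.example.net/", "https://rogue.example.net/pgtCallback")
    rogue_user = rogue.login(cas.issue_st("alice", "https://rogue.example.net/"))
    return {"user": user, "iou": app.last_iou, "pgt": app.pgt, "pt_a": pt_a, "pt_b": pt_b,
            "backend_a_user": backend_a["authenticationSuccess"]["user"],
            "pt_a_replay_rejected": "authenticationFailure" in replay,
            "rogue_user": rogue_user, "rogue_iou": rogue.last_iou, "rogue_pgt": rogue.pgt}


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes concrete: the service never sees the PGT in any response to a request it sent; it only receives it at an endpoint CAS chose to call, and only after CAS accepted that endpoint's certificate. The PGTIOU in the serviceValidate response is useless on its own, which is why handing it to a party holding a stolen ST gives that party nothing.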
