and start to slowly understand how proxying works, but I still don't understand why it has to be so complicated?
Andrew Petro is our resident expert on proxying, so I'm sure he could provide a thoughtful answer. I'll take a shot, though, for what it's worth.
Why isn't it possible to forward the service ticket to another application and allow this other application to validate this service ticket a second (or third or ...) time?
Because we want CAS to broker the interaction between proxy requestor and proxy consumer. With CAS in the middle we have the opportunity to enforce various policies with regard to proxy chaining. In your example there's no explicit control over who handles the proxy ticket and no trusted authority to document the handlers. CAS acts as a broker to control and record those interactions so, if proxying is allowed by policy, clients can trust the proxy chain and choose to accept or deny it.
M
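Added example, not part of the original post or of the CAS project's code: how a proxied service could act on the chain CAS records, by parsing a CAS 2.0 `/proxyValidate` response and accepting only chains on a local allowlist. The sample response, the hostnames and the `ALLOWED_CHAINS` policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample /proxyValidate success response (CAS 2.0 format).
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxies>
      <cas:proxy>https://portal.example.org/cas/pgtCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Hypothetical local policy: the exact proxy chains this service accepts.
# CAS lists the most recently visited proxy first.
ALLOWED_CHAINS = {
    ("https://portal.example.org/cas/pgtCallback",),
}


def parse_proxy_validate(xml_text):
    """Return (user, proxy_chain) on success, or (None, ()) on failure."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None, ()
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    chain = tuple(
        (p.text or "").strip()
        for p in success.findall("cas:proxies/cas:proxy", CAS_NS)
    )
    return (user or None), chain


def accept_login(xml_text, allowed_chains=ALLOWED_CHAINS, allow_direct=True):
    """Accept only if CAS vouches for the user and the recorded chain is allowed."""
    user, chain = parse_proxy_validate(xml_text)
    if user is None:
        return None
    if not chain:
        # No proxies recorded: the ticket came straight from the user's login.
        return user if allow_direct else None
    return user if chain in allowed_chains else None
```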
