Michal,

It sounds like you’re running up against cookie domain issues here. That is, when you’re logging into an internal service your browser is given a Ticket Granting Ticket, or TGT (in the form of an HTTP cookie) for login.example.com. When you sign into an additional internal service, your browser shows the TGT to login.example.com and you’re granted a new service ticket and signed into the consumer service. However, when you later visit login-external.example.com, your browser [quite rightly!] refuses to share the cookie with the other site [it’s not the cookie’s original issuer — the same reason you can’t see my Google cookies when I visit your site] and so CAS treats you as if you’ve not signed in previously.
There are myriad ways of dealing with this, but the easiest would be to simply use the same domain name regardless of backend IP / routing mechanism (login.example.com could still go through your proxy from the outside while routing directly inside). Alternatively, if you really have to use different domain names, rename the outside to something like external.login.example.com and then set the cookie scope to login.example.com, thereby ensuring that regardless of where the user authenticates from he / she will be SSO’d into / through the system.

HTH.

Sean

--
Ne Desit Virtus,
Sean R. Baker

On Oct 27, 2014, at 6:53 AM, Michal Bruncko <[email protected]> wrote:

> Hello
>
> I am successfully managing a CAS service within the internal network for internal services. The CAS service is available on the "login.example.com" DNS name (internal name resolution), all CASified services point to the URL https://login.example.com/cas/login, and everything works fine.
>
> But we have decided to use the same CAS service for our web services available from the internet. Thus I have created an externally resolvable DNS record login-external.example.com (pointing to the same CAS server via an Apache reverse proxy) and all public web CASified services point to https://login-external.example.com/cas/login. Authentication is working fine, which seems to show that the CAS data flow is passing correctly.
>
> The only problem is with SSO: if I try to access a public web service from the internal network, I am redirected to https://login-external.example.com/cas/login with a login request instead of it accepting my CAS ticket already created via https://login.example.com/cas/login.
>
> How can I get SSO working in this scenario? Where exactly is the problem (client-related? i.e. the browser)?
>
> thanks
>
> michal
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
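The cookie-scope behaviour Sean describes, as an added Python example that is not code from this thread or from CAS: it models the RFC 6265 domain-matching rules a browser applies and runs them over the three hostnames discussed above. The cookie name CASTGC and the Cookie model are assumptions for illustration.

```python
# Added example (not from the thread): simulate RFC 6265 cookie scoping to show
# why a TGT cookie issued by login.example.com is not presented to
# login-external.example.com, and why renaming the external name to
# external.login.example.com with Domain=login.example.com restores SSO.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # domain the cookie is scoped to (no leading dot)
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: equal, or host is a subdomain."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().rstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def set_cookie(issuing_host: str, name: str, domain_attr: Optional[str]) -> Cookie:
    """Model the browser storing a Set-Cookie sent by issuing_host.
    Without a Domain attribute the cookie is host-only; with one, the
    browser only accepts it if issuing_host domain-matches that value
    (RFC 6265 section 5.3), otherwise the cookie is rejected."""
    if domain_attr is None:
        return Cookie(name, issuing_host.lower(), host_only=True)
    scope = domain_attr.lower().lstrip(".")
    if not domain_matches(issuing_host, scope):
        raise ValueError(f"{issuing_host} may not set a cookie scoped to {scope}")
    return Cookie(name, scope, host_only=False)


def cookie_sent_to(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 section 5.4: host-only cookies need an exact host match,
    domain cookies need a domain-match."""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)


# Michal's current setup: CAS at login.example.com sets the TGT cookie with
# no Domain attribute, so it is host-only (cookie name CASTGC is assumed).
TGC_ORIGINAL = set_cookie("login.example.com", "CASTGC", None)

# Sean's fix: scope the cookie to login.example.com and rename the external
# entry point to external.login.example.com so it sits under that scope.
TGC_FIXED = set_cookie("login.example.com", "CASTGC", "login.example.com")
```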
