Hello Sean
thanks for the reply. Right, this makes sense and I have to correct it. Yes,
I will use the same DNS name instead, without complicating other things.
thanks again for your time and help!
michal
On 27. 10. 2014 12:35, Sean Baker wrote:
Michal,
It sounds like you’re running up against cookie domain issues here. That is,
when you’re logging into an internal service your browser is given a Ticket
Granting Ticket, or TGT (in the form of an HTTP cookie) for login.example.com.
When you sign into an additional internal service, your browser shows the TGT
to login.example.com and you’re granted a new service ticket and signed into
the consumer service. However, when you later visit
login-external.example.com, your browser [quite rightly!] refuses to share the
cookie with the other site [it’s not the cookie’s original issuer — the same
reason you can’t see my Google cookies when I visit your site] and so CAS
treats you as if you’ve not signed in previously.
There are myriad ways of dealing with this, but the easiest would be to simply
use the same domain name regardless of backend IP / routing mechanism
(login.example.com could still go through your proxy from the outside while
routing directly inside). Alternatively, if you really have to use different
domain names, rename the outside to something like external.login.example.com
and then set the cookie scope to login.example.com, thereby ensuring that
regardless of where the user authenticates from he / she will be SSO’d into /
through the system.
HTH.
Sean
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user