On Wed, 21 Jan 2015, Zac Harvey wrote:
> I'm reading
> https://wiki.jasig.org/display/casum/ticket+expiration+policy which
> explains expiration policy as:
> "TGT expiration policy governs the time span during which an
> authenticated user may grant STs with a valid (non-expired) TGT without
> having to reauthenticate. An attempt to grant a ST with an expired TGT
> would require the user to reauthenticate to obtain a new (valid) TGT."
> According to that same article, the default is 2 hours.
> Which does this mean:
> 1) That the user will essentially be auto-logged-out after 2 hours?; or
> 2) Something else?
> If the former, what is the harm to setting this to a longer value, such
> as 8 hours, to ensure no one is logged out of their app for an entire
> business day?

When the TGT expires, the user will be asked to re-authenticate the next
time they arrive at the CAS login page. Here is an example:
1. User arrives at work at 8am and loads up app1 in their browser. They
are redirected to CAS for authentication, get a TGT (cookie), and are
successfully authenticated to app1.
2. At 9am, user loads up app2 in their browser. They are redirected to
CAS for authentication. CAS validates their TGT (the cookie). It's still
valid, so they are not asked for their username/password again. The user
is successfully authenticated to app2.
3. At 2pm, user loads up app3 in their browser. They are redirected to
CAS for authentication. CAS tries to validate their TGT, but it is no
longer valid (older than 2 hours). The user is prompted to enter their
username/password. CAS generates a new TGT, and the user is successfully
authenticated to app3.
The TGT is the part that makes CAS-enabled applications behave like
Single-Sign-On (SSO).
Andy
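
An added example (not part of the original message and not CAS code) that replays the 8am/9am/2pm timeline from the reply against a toy login endpoint, for a 2-hour and an 8-hour TGT lifetime. `ToyCas`, `simulate` and the `sliding` option (expiry measured from last use instead of from creation) are assumptions made for this sketch.

```python
import secrets
from dataclasses import dataclass, field

HOUR = 3600  # seconds


@dataclass
class ToyCas:
    """Simplified model of the CAS login endpoint (not CAS source code)."""
    ttl: int               # TGT lifetime in seconds
    sliding: bool = False  # assumption: True measures from last use, False from creation
    tgts: dict = field(default_factory=dict)  # TGT id -> reference timestamp

    def login(self, now, cookie=None):
        """Handle a redirect to CAS; return (cookie, service_ticket, prompted)."""
        stamp = self.tgts.get(cookie)
        prompted = stamp is None or now - stamp > self.ttl
        if prompted:
            # Missing or expired TGT: the user re-enters credentials and gets a new TGT.
            self.tgts.pop(cookie, None)
            cookie = "TGT-" + secrets.token_hex(8)
            self.tgts[cookie] = now
        elif self.sliding:
            self.tgts[cookie] = now  # each use restarts the idle clock
        return cookie, "ST-" + secrets.token_hex(8), prompted


def simulate(ttl_hours, visit_hours, sliding=False):
    """Return, per visit, whether the user had to type a password."""
    cas, cookie, prompts = ToyCas(ttl_hours * HOUR, sliding), None, []
    for hour in visit_hours:
        cookie, _st, prompted = cas.login(hour * HOUR, cookie)
        prompts.append(prompted)
    return prompts


if __name__ == "__main__":
    day = [8, 9, 14]  # constructed timeline from the reply: app1, app2, app3
    print("2h TTL:", simulate(2, day))
    print("8h TTL:", simulate(8, day))
```

A longer lifetime removes the afternoon prompt, and it equally extends how long a copied or unattended TGT cookie can mint service tickets without a password.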