Hi! We are considering using CAS as our main authentication strategy, but I'm not sure it is able to handle our network topology.
Basically, we have two web servers, one of which (A) is handling CAS login and one of which (B) hosts a service that we want users to be able to log on to. Users connect from an internal network, and the CAS login server A is also located on this network, and can use the internal LDAP directory for authentication requests. However, the second web server B providing the actual service is located on a DMZ which has no access to the internal network.

Scenario:

* Client uses browser to access B
* Client is not logged in and is redirected to A
* Client logs in. A verifies credentials with internal LDAP directory
* Client is redirected back to B
* B needs to validate ticket with A

And in this last step comes the problem: since B is on the DMZ with no access to the internal network where A resides, is this scenario possible? It would seem that B needs to have a way to validate the ticket without contacting A for this to work.

It seems to me that one would have to add a third server C, a ticket manager, for this to work. C would be located on the DMZ so that both A and B can access it. After authentication on A it would send the ticket to C, and when the user is redirected to B it will validate the ticket against C instead of A.

Any ideas? Has anyone come across this before? Is it fixable at all?

/Rickard

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas

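The three-server layout the post proposes, as an added toy model (not code from the CAS project or from the poster): login server A mints a service ticket and pushes it to a ticket manager C in the DMZ, and service B validates against C. The TicketStore API, the "ST-" ticket format and the host names in the test are assumptions made for this example; the checks in validate() are the ones CAS ticket validation normally enforces, so a home-grown C must not drop them.

```python
"""Toy model of A (login server), C (ticket manager in the DMZ) and B
(service in the DMZ). Added illustration only; the TicketStore API and the
ticket format are assumptions for this example, not the CAS protocol."""
import secrets
import time


class TicketStore:
    """Ticket manager C: holds tickets A has issued until B validates them."""

    def __init__(self, ttl_seconds=10.0, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._tickets = {}  # ticket -> (service, user, issued_at)

    def register(self, ticket, service, user):
        # A calls this right after a successful LDAP login.
        self._tickets[ticket] = (service, user, self.clock())

    def validate(self, ticket, service):
        """Return the user if the ticket is valid for this service, else None.

        The ticket must exist, must be bound to the same service URL that B
        presents, must be unexpired, and is consumed on first use so that a
        replayed or guessed ticket is rejected. Any failure consumes it too.
        """
        entry = self._tickets.pop(ticket, None)  # single use: pop, not get
        if entry is None:
            return None
        bound_service, user, issued_at = entry
        if bound_service != service:
            return None
        if self.clock() - issued_at > self.ttl:
            return None
        return user


def issue_ticket(store, service, user):
    """Login server A: after verifying credentials against LDAP, mint an
    unguessable ticket and hand it to C before redirecting the browser to B."""
    ticket = "ST-" + secrets.token_urlsafe(24)
    store.register(ticket, service, user)
    return ticket


def service_validate(store, ticket, service):
    """Service B: validate the ticket taken from the redirect URL against C."""
    return store.validate(ticket, service)
```

The clock parameter exists only so the expiry check can be exercised deterministically; in a real deployment C would also need to be reachable by A and B over an authenticated channel, which this toy does not model.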