-Scott
On 11/11/06, Rickard Oberg <[EMAIL PROTECTED]> wrote:
Hi!
We are considering using CAS as our main authentication strategy, but
I'm not sure it is able to handle our network topology.
Basically, we have two webservers, one of which (A) is handling CAS
login and one of which (B) hosts a service that we want users to be able
to log on to. Users connect from an internal network, and the CAS login
server A is also located on this network, and can use the internal LDAP
directory for authentication requests. However, the second webserver B
providing the actual service is located on a DMZ which has no access to
the internal network.
Scenario:
* Client uses browser to access B
* Client is not logged in and is redirected to A
* Client logs in. A verifies credentials with internal LDAP directory
* Client is redirected back to B
* B needs to validate ticket with A
And in this last step comes the problem: since B is on the DMZ with no
access to the internal network where A resides, is this scenario
possible? It would seem that B needs to have a way to validate the
ticket without contacting A for this to work. It seems to me that one
would have to add a third server C, a ticket manager, for this to work.
C would be located on the DMZ so that both A and B can access it. After
authentication on A it would send the ticket to C, and when the user is
redirected to B it will validate the ticket against C instead of A.
Any ideas? Has anyone come across this before? Is it fixable at all??
/Rickard
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
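The redirect-and-validate flow Rickard lists above, as an added example that is not part of the original message or of the CAS project's code. It models the topology he proposes: the login server A mints a service ticket and records it in a ticket manager C (here an in-memory store, an assumption), the browser carries the ticket to B in the redirect, and B validates it with a server-to-server call to C (a direct function call stands in for the HTTPS request B would make in practice). The ticket lifetime, the ST- prefix, the CAS 2.0 XML response format with its namespace and failure codes are taken from the CAS protocol; the host names, the 10-second lifetime and the local INVALID_RESPONSE code are assumptions for illustration.

```python
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed lifetime for a service ticket: short, because the ticket is a bearer
# token that travels through the browser in a redirect.
TICKET_TTL_SECONDS = 10

CAS_NS = "http://www.yale.edu/tp/cas"
ET.register_namespace("cas", CAS_NS)


class TicketStore:
    """Hypothetical ticket manager (server C in the post): a store that the login
    server A writes to and that B's validation call reads from. Each ticket is
    bound to one service URL and is accepted exactly once."""

    def __init__(self):
        self._tickets = {}

    def register(self, ticket, user, service, issued_at):
        self._tickets[ticket] = {"user": user, "service": service,
                                 "issued_at": issued_at, "used": False}

    def consume(self, ticket, service, now):
        """Return (user, None) on success or (None, CAS failure code)."""
        rec = self._tickets.get(ticket)
        if rec is None or rec["used"]:
            return None, "INVALID_TICKET"          # unknown or replayed
        if now - rec["issued_at"] > TICKET_TTL_SECONDS:
            rec["used"] = True
            return None, "INVALID_TICKET"          # expired
        if rec["service"] != service:
            return None, "INVALID_SERVICE"         # presented at a different service
        rec["used"] = True                         # single use, even on success
        return rec["user"], None


def issue_ticket(store, user, service, now=None):
    """Login server A, after the internal LDAP has accepted the credentials:
    mint an unguessable ticket, record it in the shared store, and build the
    redirect back to the service (step 'Client is redirected back to B')."""
    now = time.time() if now is None else now
    ticket = "ST-" + secrets.token_urlsafe(24)
    store.register(ticket, user, service, now)
    sep = "&" if "?" in service else "?"
    return service + sep + urlencode({"ticket": ticket})


def service_validate(store, ticket, service, now=None):
    """The /serviceValidate endpoint, served by C in the proposed topology:
    answer in the CAS 2.0 XML format."""
    now = time.time() if now is None else now
    user, code = store.consume(ticket, service, now)
    root = ET.Element(f"{{{CAS_NS}}}serviceResponse")
    if user is not None:
        ok = ET.SubElement(root, f"{{{CAS_NS}}}authenticationSuccess")
        ET.SubElement(ok, f"{{{CAS_NS}}}user").text = user
    else:
        fail = ET.SubElement(root, f"{{{CAS_NS}}}authenticationFailure", code=code)
        fail.text = f"ticket {ticket} not recognized"
    return ET.tostring(root, encoding="unicode")


def parse_validation_response(xml_text):
    """Service B: parse the validator's answer. Returns (user, None) on success
    or (None, code); INVALID_RESPONSE is a local code for malformed answers."""
    root = ET.fromstring(xml_text)
    ok = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if ok is not None:
        user = ok.findtext(f"{{{CAS_NS}}}user")
        return (user, None) if user else (None, "INVALID_RESPONSE")
    fail = root.find(f"{{{CAS_NS}}}authenticationFailure")
    return None, (fail.get("code") if fail is not None else "INVALID_RESPONSE")


def service_login(store, request_url, my_service_url, now=None):
    """Service B handling the browser's arrival with ?ticket=...: extract the
    ticket and validate it server-to-server against C. B validates with its
    own canonical service URL, not with whatever URL the browser presented.
    Returns the authenticated user, or None."""
    qs = parse_qs(urlparse(request_url).query)
    ticket = qs.get("ticket", [None])[0]
    if not ticket or not ticket.startswith("ST-"):
        return None
    user, _code = parse_validation_response(
        service_validate(store, ticket, my_service_url, now))
    return user


if __name__ == "__main__":
    store = TicketStore()
    svc = "https://b.example.org/app/"          # constructed host names
    url = issue_ticket(store, "rickard", svc)   # A, after LDAP check
    print("redirect:", url)
    print("first use:", service_login(store, url, svc))
    print("replay:", service_login(store, url, svc))
```

The point the simulation makes for the question: the ticket is opaque to B, so whatever validates it (A in plain CAS, C in the proposed split) must hold the ticket's binding to user and service URL and must be reachable from the DMZ; B cannot check it locally. Replaying a captured ticket, presenting it at a different service URL, or using it after the lifetime all fail at the validator, which is why that back-channel call has to exist.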
