For a TGT to be valid it must: (a) Exist and (b) Not Be Expired
If service B were to redirect to CAS and opt out of single sign on (i.e. renew=true), CAS would ask the user to provide their credentials again. In that case, if the newly provided Principal and the principal that exists through the current single sign on session do not match, the old single sign on session would be destroyed and a new one created. Otherwise, to confirm the validity of a Ticket Granting Ticket, the user name is not checked.

-Scott

--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On 5/17/07, dom <[EMAIL PROTECTED]> wrote:
Conceptual question.

A client successfully logs into service-A. A Ticket-Granting Cookie is added to the client's browser. The client then moves to service-B, which redirects to CAS and CAS finds the TGC. The TGC is inspected and if valid generates a new Service Ticket for service-B.

As far as I can tell, from docs, api, etc, for a TGC to be valid it must be in the ticket registry, it must not have expired and the principals must match. It is the last point that I'm having trouble with: Matching principals.

Can someone please explain how service_B gives the principal to CAS in order for CAS to match them in the validation of the TGC.

Many Thanks.

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
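The rules described in this thread, as an added example that is not part of the original messages and is not CAS source code: a toy ticket registry where a TGT is valid if it exists and has not expired, and where the principal is compared only after a renew=true re-authentication. The class, method and parameter names, the ticket id format and the lifetime value are all assumptions made for illustration.

```python
import secrets
import time


class TicketRegistry:
    """Toy model of the TGT rules in this thread (hypothetical names, not CAS classes)."""

    def __init__(self, tgt_lifetime=7200, clock=time.time):
        self._tgts = {}  # TGT id -> (principal, expiry time)
        self._lifetime = tgt_lifetime  # assumed lifetime in seconds
        self._clock = clock

    def _new_tgt(self, principal):
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self._tgts[tgt] = (principal, self._clock() + self._lifetime)
        return tgt

    def is_valid(self, tgt):
        # Valid means (a) exists and (b) not expired; no user name is compared.
        entry = self._tgts.get(tgt)
        if entry is None:
            return False
        if self._clock() >= entry[1]:
            del self._tgts[tgt]  # expired tickets leave the registry
            return False
        return True

    def login(self, service, tgc=None, renew=False, principal=None):
        """Return (tgt, service_ticket), or None when the user must be prompted.

        `principal` stands for the identity CAS established from credentials
        the user typed at the CAS login form; the service never supplies it.
        """
        sso = tgc is not None and self.is_valid(tgc)
        if principal is None:
            if sso and not renew:
                return tgc, self._new_st(service)  # single sign on
            return None  # no session, or renew=true: ask for credentials
        if not (sso and self._tgts[tgc][0] == principal):
            self._tgts.pop(tgc, None)  # mismatch: destroy the old session
            tgc = self._new_tgt(principal)
        return tgc, self._new_st(service)

    @staticmethod
    def _new_st(service):
        # A real service ticket is bound to `service`; that binding is omitted.
        return "ST-" + secrets.token_urlsafe(16)
```
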
