Andrew William Petro <[EMAIL PROTECTED]> writes:

> 
> Dom,
> 
> No.  Service B cannot determine the identity of the end user without 
> acquiring and validating a Service Ticket.
> 
> This is a feature.  There's a checkbox on the CAS login UI allowing end 
> users to choose "warn me before logging me in to other services" that 
> will introduce an interstitial confirmation page to what would otherwise 
> be a transparent, no-additional-credential-entry-required 
> authentication.  Requiring interaction with CAS, rather than, say, 
> exposing an advisory user identity representing cookie, or exposing a 
> cookie that authenticates the user to future services without additional 
> interaction with CAS (e.g. a cryptographically signed identity 
> assertion) would introduce the problem of user identity being revealed 
> to subsequently visited applications without the user having had a 
> chance to opt out of this behavior.  Among other problems.
> 
> Andrew
> 
> dom wrote:
> > Thanks for your reply, Scott.
> >
> > If I've gotten this correct (with renew = false):
> >
> > 1. Client successfully logs into Service A.
> > 2. Ticket Granting Ticket is created, added to Ticket Registry.
> > 3. Client moved to Service B.
> > 4. Service B redirects to CAS, sending Ticket Granting Cookie.
> > 5. CAS checks Ticket Registry for Ticket Granting Ticket.
> > 6. If Ticket is found and has not expired, 
> >    creates a new Service Ticket for Service B.
> > 7. CAS redirects client to Service B without asking for credentials.
> >
> > If this is correct, can Service B determine the user name without asking the client for it?

Thanks for your reply, Andrew.

Is the following correct?

When a user moves between services and they have cookies enabled, 
the user does not need to log into each service if the 
ticket granting ticket hasn't expired. For each service the user 
visits, the ticket granting ticket is validated and a new service 
ticket is created for the new service. This service ticket is 
validated and deleted with the CAS handshake. (Is that correct?)

If the user is now allowed access to the new service, because CAS has 
done a handshake using the new Service Ticket, then the new service 
must have access to the user's id. The return value of the CAS 
Service Ticket handshake contains the user id. (Is that correct?)

Regards





_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
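The flow the two messages trace (TGT held by CAS and referenced by the Ticket Granting Cookie, a single-use Service Ticket per visited service, the user id released only through ST validation, and the "warn" interstitial), as an added simulation written for this thread; it is not CAS's own code, and the class, method and service names are assumptions:

```python
import secrets
import time

# Constructed model of the CAS ticket flow: the browser carries a TGC,
# CAS keeps the TGT in its registry, and Service B learns the user id
# only by validating a freshly issued, one-time Service Ticket.

class CASServer:
    def __init__(self, tgt_ttl=3600):
        self.tgt_ttl = tgt_ttl
        self.tgts = {}  # TGT id (the TGC cookie value) -> (username, warn, expiry)
        self.sts = {}   # ST id -> (username, service it was issued for)

    def login(self, username, warn=False):
        """Primary authentication; returns the TGT id set as the TGC cookie."""
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt] = (username, warn, time.time() + self.tgt_ttl)
        return tgt

    def service_login(self, tgc, service, renew=False):
        """/login?service=...: ('redirect', ST), ('warn', None) for the
        interstitial page, or ('prompt', None) when credentials are needed."""
        entry = self.tgts.get(tgc)
        if entry is not None and entry[2] < time.time():
            self.tgts.pop(tgc)  # expired TGT leaves the registry
            entry = None
        if renew or entry is None:
            return ("prompt", None)
        username, warn, _ = entry
        if warn:
            return ("warn", None)  # user can opt out before identity is shared
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (username, service)
        return ("redirect", st)

    def validate(self, st, service):
        """/serviceValidate: returns the user id once; the ST is deleted."""
        entry = self.sts.pop(st, None)
        if entry is None or entry[1] != service:
            return None
        return entry[0]

def service_b_identity(cas, tgc, service="https://b.example/"):
    """All Service B can learn: nothing unless it validates a fresh ST."""
    action, st = cas.service_login(tgc, service)
    if action != "redirect":
        return None
    return cas.validate(st, service)
```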