Dom,

Yes.

Each service to which the user wishes to authenticate will need to acquire its very own CAS service ticket. It does this by redirecting the user to cas/login, setting the 'service' request parameter to the URL to which it desires the user to be redirected with the ticket.

In the case where the user has an existing valid TGT, the service does not specify "renew" login behavior, and the user has not asked to be notified on authentication, this redirect will be transparent, happening in the blink of an eye. CAS bounces the browser back to the service with a service ticket. The application then validates the service ticket with CAS, obtaining the username.

If the application specifies "renew=true", the user will need to re-enter primary credentials to CAS in order to authenticate to the application.

If the user specifies "warn=true", CAS will notify the user that he or she is being authenticated even though the TGT is sufficient to authenticate the user to the application.

What documentation where could have been enhanced how so that the answers to these questions would be apparent?

Andrew

> Thanks for your reply, Andrew.
>
> Is the following correct?
>
> When a user moves between services and they have cookies enabled,
> the user does not need to log into each service if the
> ticket granting ticket hasn't expired. For each service the user
> visits, the ticket granting ticket is validated and a new service
> ticket is created for the new service. This service ticket is
> validated and deleted with the CAS handshake. (Is that correct?)
>
> If the user is now allowed access to the new service, because CAS has
> done a handshake using the new Service Ticket, then the new service
> must have access to the user's id. The return value of the CAS
> Service Ticket handshake contains the user id. (Is that correct?)
>
> Regards

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
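The application side of the exchange described in this message, as an added example that is not part of the original thread or of the CAS project's code: it builds the cas/login redirect, builds the back-channel validation request, and extracts the username from the reply. The host names, the sample ticket and the sample responses are constructed; the `/serviceValidate` endpoint and its XML reply come from the CAS 2.0 protocol and are not named in the message.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_BASE = "https://cas.example.org/cas"          # assumed CAS server URL
SERVICE = "https://app.example.org/cas-callback"  # assumed application URL
NS = {"cas": "http://www.yale.edu/tp/cas"}        # CAS 2.0 response namespace

def login_redirect(service, renew=False):
    """URL the application redirects the browser to in order to get a service ticket."""
    params = {"service": service}
    if renew:
        params["renew"] = "true"  # make CAS ask for primary credentials again
    return f"{CAS_BASE}/login?{urlencode(params)}"

def validation_url(service, ticket, renew=False):
    """Server-to-server URL the application fetches to validate the ticket.
    'service' must be the same URL that was sent to cas/login."""
    params = {"service": service, "ticket": ticket}
    if renew:
        params["renew"] = "true"  # reject tickets that came from an existing TGT
    return f"{CAS_BASE}/serviceValidate?{urlencode(params)}"

def parse_validation(xml_text):
    """Return the username on success; raise if CAS rejected the ticket."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", NS)
    if ok is not None:
        user = ok.findtext("cas:user", namespaces=NS)
        if user and user.strip():
            return user.strip()
        raise ValueError("success response without a user")
    fail = root.find("cas:authenticationFailure", NS)
    code = fail.get("code", "UNKNOWN") if fail is not None else "MALFORMED"
    raise PermissionError(f"ticket rejected: {code}")

# Constructed sample replies: first validation of a ticket, then a second
# attempt with the same ticket, which CAS no longer recognises.
SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>dom</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_redirect(SERVICE))
    print(validation_url(SERVICE, "ST-1-constructed"))
    print(parse_validation(SUCCESS))
```

The application should treat the user as authenticated only when `parse_validation` returns a name; any exception means the session must not be created.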
