The reason that CAS works across multiple domains (and most other Single Sign On solutions don't) is due to the redirects instead of a cookie-based implementation.
If using a cookie isn't possible due to multiple domains, your best bet that I know of is to create enhanced clients that can filter the gateway feature based on known bots.

-Scott

On Dec 20, 2007 11:47 PM, Kristin Coles <[EMAIL PROTECTED]> wrote:

> I have just come to know that a cookie would not work for two top level domains but would work for a domain and its sub-domains. Now I understand exactly what Scott meant by a "Poor man's gateway". :) Thank you Scott. You are a genius. :)
>
> In our case, we host xyz.com, subdomain.xyz.com and cas.xyz.com. So the "Poor man's Gateway" should fit our case fine.
>
> However, we have a plan to host multiple top-level domains in future. Hence this solution would be a good temporary fix. Meanwhile we will have to research what a long-term solution would be.
>
> Thanks for the help Scott. Any other ideas are welcome.
>
> Regards,
> Shashi
>
> On Dec 20, 2007 7:43 PM, Kristin Coles <[EMAIL PROTECTED]> wrote:
>
> > Scott, Dale and Russ,
> >
> > Thanks for the responses guys! I really really appreciate the feedback.
> >
> > I understood the UserAgent Idea which Scott suggested, which I have outlined below. However I have not yet explicitly created a cookie on the client end yet. So I do not completely understand the implications of "Poor man's Gateway" idea that Scott suggested or the idea suggested by Dale (employed by mod_auth_cas) as both involve setting cookies. I am sure it's a simple thing to learn and I will learn it soon. Probably this would be a dumb question but would web crawlers allow you to create cookies?
> >
> > You've all got me moving once again. :) Will contact once I learn more about the cookie idea. This is a great forum!!!
> >
> > cheers,
> > Kristin
> >
> > PS: UserAgent idea....
> > Step 1: Identify a crawler using the UserAgent string (with the help of a UserAgent list for the important crawlers out there).
> > Step 2: If crawler then DO NOT redirect to CAS. Just create an IS-A-CRAWLER=YES object in the HTTP session and let the crawler get the page it wants.
> > Step 3: If not a crawler then create IS-A-CRAWLER=NO object in the session and redirect to CAS as usual.
> >
> > For subsequent page requests by user/crawler, we will check for IS-A-CRAWLER object and follow step 2 or step 3.
> >
> > On Dec 20, 2007 6:18 PM, Dale Ogilvie <[EMAIL PROTECTED]> wrote:
> >
> > > Perhaps I'm misunderstanding the requirement but...
> > >
> > > The way some clients handle this is to utilize an application-specific cookie for all user authentication after the first. The flow goes something like this:
> > >
> > > 1. Client browses to secure app for the first time
> > > 2. App redirects to CAS because there is no valid "app user cookie"
> > > 3. CAS returns a service ticket
> > > 4. App validates ST, then sets user specific "app user cookie", and allows access
> > > 5. Client returns to app which accepts the passed "app user cookie" as the auth credential and allows access
> > >
> > > This is a one-time authentication with CAS, to obtain an application-specific cookied credential which is used thereafter.
> > >
> > > mod_auth_cas uses this technique I believe.
> > >
> > > Dale
> > >
> > > ------------------------------
> > > *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Kristin Coles
> > > *Sent:* Friday, 21 December 2007 12:46 p.m.
> > > *To:* [email protected]
> > > *Subject:* Are CAS redirects incompatible with Google web crawler?
> > >
> > > Hi guys,
> > > I have a working Single Sign On solution (which wouldn't have been possible without this forum). However this made our webpages incompatible with Google's web crawler (Googlebot). When I use "Google Webmaster tools" to see our website logs, I now see thousands of Redirect error messages (which weren't there before the Single Sign On).
> > >
> > > http://www.google.com/support/webmasters/bin/answer.py?answer=35157
> > >
> > > According to the above link, I should "Minimize the number of redirects needed to follow a link from one page to another" to avoid the Redirect error messages.
> > >
> > > Right now, I am redirecting 3 times for every page visit.
> > > 1. Redirect to the CAS server to get a ticket.
> > > 2. Redirect back to the page (service url) from the CAS server
> > > 3. Self-redirect without the ticket parameter
> > >
> > > Is this a common problem with a simple solution? Can anyone please tell me how to get over this hurdle?
> > >
> > > Thank you!
> > > Kristin

--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
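
An added example (not code from the thread or from any CAS client) of the per-request decision the messages above describe: an application session set after one ticket validation, the User-Agent check from the quoted steps, and a single gateway attempt per session. The `decide` function, the `validate` hook, the crawler token list and the `/login` path on cas.xyz.com are assumptions of this example.

```python
from urllib.parse import urlencode

CAS_LOGIN = "https://cas.xyz.com/login"              # assumed login path on the thread's CAS host
CRAWLER_TOKENS = ("googlebot", "bingbot", "slurp")   # constructed sample list


def is_crawler(user_agent):
    """Step 1 of the UserAgent idea: match against known crawler tokens."""
    ua = (user_agent or "").lower()
    return any(token in ua for token in CRAWLER_TOKENS)


def decide(session, user_agent, service_url, ticket=None, validate=None):
    """Return (action, location) for one request to a publicly readable page.

    session:  dict-like server-side session for this client
    validate: callable(ticket, service_url) -> username or None (hypothetical
              hook standing in for the CAS ticket validation call)
    """
    # Dale's steps 4-5: an established application session skips CAS entirely.
    if session.get("user"):
        return ("serve_authenticated", None)

    # Back from CAS with a ticket: validate it, then self-redirect once so the
    # ticket parameter leaves the URL.
    if ticket is not None:
        user = validate(ticket, service_url) if validate else None
        if user:
            session["user"] = user
        session["gateway_tried"] = True
        return ("redirect", service_url)

    # Steps 2-3: classify once and remember the result in the session.
    if "is_crawler" not in session:
        session["is_crawler"] = is_crawler(user_agent)

    # User-Agent is client-supplied, so this branch only ever returns the
    # anonymous view; it never marks the session as logged in.
    if session["is_crawler"] or session.get("gateway_tried"):
        return ("serve_anonymous", None)

    # First visit from a browser: one gateway attempt, which CAS answers with
    # a ticket only if the user already has an SSO session.
    session["gateway_tried"] = True
    query = urlencode({"service": service_url, "gateway": "true"})
    return ("redirect", f"{CAS_LOGIN}?{query}")
```

Because the crawler branch returns only the anonymous view, a client that sends a crawler User-Agent gains nothing beyond what an unauthenticated visitor already sees.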
