The only thing that has access to the TGT is the CAS server. The user's browser has access to a thing unfortunately named TGC which is really just the identifier for the TGT (i.e. if you called ticketGrantingTicket.getId()). If a user has initiated a single sign on session with CAS then if they go to site B and the SSO session is still valid they will not be asked to log back in.
-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Mon, Sep 22, 2008 at 9:30 PM, Michael Johnston <[EMAIL PROTECTED]> wrote:

> However, TGTs and TGCs are connected, correct? So if site a gets a TGT and
> site b has a cas client, the user will not see a login screen unless they
> log out or site a deletes the TGT? I'm going to find out the answer to this
> in about 10 more minutes of work I guess...I HOPE that is the way it works.
>
> Cheerio,
>
> Michael Johnston
> [EMAIL PROTECTED]
>
> On 20-Aug-08, at 7:31 PM, Scott Battaglia wrote:
>
> Jason,
>
> Ticket Granting Tickets are the SSO session while Service Tickets are the
> one time use tickets to allow a service to validate a user with the CAS
> server. So each service that a user attempts to access would need its own
> service tickets (which can only be validated once). If your applications
> maintain their own session it's up to them to ensure that they always know
> someone is logged in to that application. If an application is stateless
> (i.e. doesn't use sessions), then you would need a Service Ticket for each
> request to the application.
>
> TGTs are a way of making sure the user isn't prompted to provide their
> credentials each time they log in.
>
> -Scott
>
> On Wed, Aug 20, 2008 at 7:35 PM, Jason Roscoe <[EMAIL PROTECTED]> wrote:
>
>> Yeah, I just read that. So for single sign on, we need to generate a
>> new service ticket using the TGT? For example, I have a site at
>> www.sitea.com. I log in to this site, so I have a TGT ticket and a
>> service ticket. I go to a site that is at yyy.sitea.com. They can
>> validate the service ticket. If the user comes back to www.sitea.com,
>> then they need to generate a new service ticket?
>>
>> Right now, we are storing the service ticket and the TGT ticket in a
>> cookie. How would we do SSO using an external site, say a site at
>> www.siteb.com?
>>
>> Thanks again for all the help. It is greatly appreciated!!
>> ------------------------------
>> *From:* [EMAIL PROTECTED] [EMAIL PROTECTED] On
>> Behalf Of Adam Rybicki [EMAIL PROTECTED]
>> *Sent:* Wednesday, August 20, 2008 7:01 PM
>> *To:* Yale CAS mailing list
>> *Subject:* Re: validating service ticket
>>
>> You can't. Service tickets are single-use only.
>>
>> Jason Roscoe wrote:
>>
>> I have successfully generated a service ticket using CAS 3.3 and the
>> RESTful API. Now, when I try to validate that ticket, calling
>> http://localhost:9009/cas/serviceValidate?service=http://localhost:8082/xxx/login.jsf&ticket=ST-1-CfHBK93WV7kbR4U6PFfI-cas,
>> the first time it returns my user. If I try to validate the ticket a
>> second time, it says:
>>
>> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>>   <cas:authenticationFailure code='INVALID_TICKET'>
>>     ticket 'ST-1-CfHBK93WV7kbR4U6PFfI-cas' not recognized
>>   </cas:authenticationFailure>
>> </cas:serviceResponse>
>>
>> How do I validate a ticket more than once?
>>
>> Thanks.
>>
>> ------------------------------
>> Disclaimer: This e-mail message is intended only for the personal use of
>> the recipient(s) named above. If you are not an intended recipient, you
>> may not review, copy or distribute this message. If you have received this
>> communication in error, please notify us immediately by e-mail and delete
>> the original message.
>>
>> This e-mail expresses views only of the sender, which are not to be
>> attributed to Rite Aid Corporation and may not be copied or distributed
>> without this statement.
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
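
Added example, not part of the thread and not CAS code: a toy in-memory model of the ticket rules discussed above (the TGT stays on the server, the browser holds only its id as the TGC, each service ticket validates once, and a second site gets a fresh ticket without a new login). The class and method names, the site URLs and the user are constructed for illustration; INVALID_SERVICE is the CAS protocol's code for a service mismatch.

```python
import secrets

class ToyCas:
    """Toy in-memory model of the ticket rules in this thread; not CAS code."""

    def __init__(self):
        self._tgts = {}  # TGT id -> user: the SSO session, held only by the server
        self._sts = {}   # ST id -> (user, service): removed on first validation

    def login(self, user):
        """After credentials are checked: create a TGT, return its id (the TGC)."""
        tgt_id = "TGT-" + secrets.token_urlsafe(16)
        self._tgts[tgt_id] = user
        return tgt_id

    def grant_service_ticket(self, tgc, service):
        """One-time ST for `service`, or None when the TGC names no live TGT."""
        user = self._tgts.get(tgc)
        if user is None:
            return None  # the browser would be sent to the login form
        st_id = "ST-" + secrets.token_urlsafe(16)
        self._sts[st_id] = (user, service)
        return st_id

    def service_validate(self, service, ticket):
        """Consume the ST on any validation attempt, successful or not."""
        entry = self._sts.pop(ticket, None)
        if entry is None:
            return ("INVALID_TICKET", None)
        user, issued_for = entry
        if issued_for != service:
            return ("INVALID_SERVICE", None)
        return ("OK", user)

    def logout(self, tgc):
        self._tgts.pop(tgc, None)  # ends the SSO session

def demo():
    cas = ToyCas()
    site_a, site_b = "https://www.sitea.example/app", "https://www.siteb.example/app"
    tgc = cas.login("alice")
    st_a = cas.grant_service_ticket(tgc, site_a)
    first = cas.service_validate(site_a, st_a)    # site A starts its own session here
    replay = cas.service_validate(site_a, st_a)   # same ST presented again
    st_b = cas.grant_service_ticket(tgc, site_b)  # site B: fresh ST, no login prompt
    on_b = cas.service_validate(site_b, st_b)
    cas.logout(tgc)
    return first, replay, on_b, cas.grant_service_ticket(tgc, site_b)
```

An application that wants to avoid re-validating on every request keeps its own session after the first successful validation, as the thread describes.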
