Development Het Baken (Netherlands) wrote: > After a lot of research, we decided to use CAS as our SSO solution. We want a > non-interactive login, using SPNEGO. I'm preparing for the implementation now. > I don't understand the relationship between the Browser and CAS, when the > user > logs in via Active Directory.
Mainly the user logs in at his workstation and retrieves a Kerberos Ticket Granting Ticket (KRB-TGT). > The CAS protocol is saying: > 3.6.1. ticket-granting cookie properties > Ticket-granting cookies MUST be set to expire at the end of the client's > browser session. This is the CAS ticket granting cookie (CAS-TGC) which will be set after a successful login to CAS no matter which authentication method is used. The CAS-TGC has nothing to do with the KRB-TGT. But in case of SPNEGO/Kerberos for CAS login the KRB-TGT is used by the browser to obtain a Kerberos service ticket for authenticating against CAS. > Does this mean that a browser will open after the login? Or how does this > work? You use the browser anyway to access a protected web application and you will be redirected to CAS login which triggers the SPNEGO authentication. Ciao, Michael. _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
