Jean-Noel,

It definitely seems possible if you design W1 to use the CAS 3.3.X RESTful API and you are okay with W1 having access to users' credentials (username and password for example), then you can have W1 issue the CAS cookie (CASTGC) and the users will never know about it. If you go with this approach, there are several things you need to consider:

1. W1 and CAS server(s) need to be within a subdomain only they have access to, to prevent other servers from accessing the CAS cookie.
2. CAS server(s) with RESTful API should only allow W1 to issue API calls.

In the typical ideal situation, you would never have any application with access to the cookies that CAS generates because someone could access this via malicious code and hijack their session. If your business owners understand the security risk, then this is what I would probably do.

HTH,
A-

On 1/15/09 2:15 AM, "Jean-Noël Colin" <[email protected]> wrote:

> Hello
>
> I was wondering if there was a way to support the setup described below with
> CAS.
>
> We have one main website (let's call it W1), through which users
> authenticate, using a custom DB (no ldap...). We would like to add associated
> websites (W2, W3), so that when users are logged in to W1, they can SSO to W2
> or W3.
>
> The issue is that owners of W1 don't want to have a transfer to CAS server to
> authenticate, that would be visible to end-users.
>
> My question would then be: is there a possibility in CAS to request a ticket
> without having users directly authenticate to CAS server. What would need to
> be achieved is:
> * user logs into W1 (with no redirect to CAS, only W1)
> * W1 requests a ticket from CAS server
> * this ticket is then used to access W2 or W3 from W1
>
> Is this feasible?
>
> Personally, I would prefer that we design the authentication centrally in CAS,
> have W1 users authenticate in CAS server, but ok, business owners are business
> owners...
>
> Thanks for your help
>
> Jean-Noel Colin
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
> --
> Andrew Feller, Analyst
> LSU University Information Services
> 200 Frey Computing Services Center
> Baton Rouge, LA 70803
> Office: 225.578.3737
> Fax: 225.578.6400
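Consideration 1 in the reply above, as an added example (not code from the thread or from the CAS project): it applies the RFC 6265 domain-match rule to show which hosts a browser would send a W1-issued CASTGC cookie to for a given `Domain` attribute, and whether the browser would accept the cookie from W1 at all. The host names, the `/cas` path and the ticket value are constructed assumptions.

```python
import ipaddress

# Constructed host names (assumptions): W1 and CAS share sso.example.org,
# the other sites sit directly under example.org.
HOSTS = ["w1.sso.example.org", "cas.sso.example.org",
         "w2.example.org", "w3.example.org", "blog.example.org"]
ALLOWED = {"w1.sso.example.org", "cas.sso.example.org"}

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: equal, or host ends with '.' + domain."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)      # IP literals never suffix-match
        return False
    except ValueError:
        return host.endswith("." + domain)

def audit(setter, cookie_domain, hosts=HOSTS, allowed=ALLOWED):
    """Return (accepted_by_browser, hosts that get the cookie but should not)."""
    accepted = domain_match(setter, cookie_domain)  # setter must be inside Domain
    leaked = sorted(h for h in hosts
                    if domain_match(h, cookie_domain) and h not in allowed)
    return accepted, leaked

def castgc_header(tgt, cookie_domain, path="/cas"):
    # path="/cas" assumes the CAS webapp context; tgt is a placeholder value.
    return (f"Set-Cookie: CASTGC={tgt}; Domain={cookie_domain}; "
            f"Path={path}; Secure; HttpOnly")

if __name__ == "__main__":
    for setter, dom in [("w1.sso.example.org", "sso.example.org"),
                        ("w1.sso.example.org", "example.org"),
                        ("www.example.org", "sso.example.org")]:
        print(setter, dom, audit(setter, dom))
    print(castgc_header("TGT-PLACEHOLDER", "sso.example.org"))
```

Scoping the cookie to the shared subdomain keeps it away from W2, W3 and any other host under the parent domain, and a W1 that lives outside that subdomain cannot set the cookie for it in the first place.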
