Andrew
Thanks for your answer... I had a look at the RESTful API, and if I
understand correctly, I'm 'simply' passing the user credentials from
W1 to the CAS server, and after successful validation of the credentials
by the CAS server, a ticket is returned that can then be used by W1 to
be passed to W2. Is this correct?
In our case, users already log into W1 and W1 is already designed to
check the credentials. Wouldn't there be a way for W1 to tell the CAS
server: "hey, the user has already logged in, could you please give me
a ticket", and the CAS server, because it trusts W1, would provide the
ticket without requiring user credentials (at least the password) to be passed?
Thanks for your help
Jean-Noel
On 15 Jan 2009, at 14:22, Andrew Feller wrote:
Jean-Noel,
It definitely seems possible: if you design W1 to use the CAS 3.3.X
RESTful API and you are okay with W1 having access to users'
credentials (username and password, for example), then you can have
W1 issue the CAS cookie (CASTGC) and the users will never know about
it. If you go with this approach, there are several things you need
to consider:
W1 and the CAS server(s) need to be within a subdomain only they have
access to, to prevent other servers from accessing the CAS cookie
CAS server(s) with the RESTful API should only allow W1 to issue API
calls
In the typical ideal situation, you would never have any application
with access to the cookies that CAS generates because someone could
access this via malicious code and hijack their session. If your
business owners understand the security risk, then this is what I
would probably do.
HTH,
A-
On 1/15/09 2:15 AM, "Jean-Noël Colin" <[email protected]> wrote:
Hello
I was wondering if there was a way to support the setup described
below with CAS.
We have one main website (let's call it W1), through which users
authenticate, using a custom DB (no LDAP...). We would like to add
associated websites (W2, W3), so that when users are logged in on
W1, they can SSO to W2 or W3.
The issue is that the owners of W1 don't want a transfer to the CAS
server to authenticate that would be visible to end users.
My question would then be: is there a possibility in CAS to request
a ticket without having users directly authenticate to the CAS server?
What would need to be achieved is:
user logs into W1 (with no redirect to CAS, only W1)
W1 requests a ticket from CAS server
this ticket is then used to access W2 or W3 from W1
Is this feasible?
Personally, I would prefer that we design the authentication
centrally in CAS, have W1 users authenticate in CAS server, but ok,
business owners are business owners...
Thanks for your help
Jean-Noel Colin
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
--
Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400
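As an added illustration of the exchange Andrew describes (not code from the thread, from CAS, or from LSU): the three REST calls W1 would make on the user's behalf, and the validation W2 performs afterwards. The CAS server is replaced by an in-memory stand-in so the flow runs offline; the endpoint paths (POST /cas/v1/tickets, POST /cas/v1/tickets/{TGT}, /cas/serviceValidate) and response codes follow the CAS REST protocol as I know it, while the host names, the credential table, the client identifier "w1" and the service URLs are constructed for the example. The stand-in also enforces the two constraints from Andrew's reply: only W1 may call the API, and the granting ticket never leaves W1's server side.

```python
"""W1 -> CAS (REST) -> W2 ticket flow, sketched with an in-memory CAS stand-in."""
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed credential store standing in for W1's custom DB (not LDAP).
USERS = {"jncolin": "correct horse battery staple"}


class MockCasRest:
    """Offline stand-in for a CAS 3.3-style REST interface (assumed shape).

    Real calls W1 would make over HTTPS:
      POST /cas/v1/tickets            -> 201, Location: .../cas/v1/tickets/TGT-...
      POST /cas/v1/tickets/TGT-...    -> 200, body "ST-..."
      GET  /cas/serviceValidate       -> success XML with the user (here a tuple)
    """

    def __init__(self, base="https://cas.example.edu", allowed_clients=("w1",)):
        self.base = base
        self.allowed_clients = set(allowed_clients)  # Andrew's caveat: only W1
        self.tgts = {}  # TGT id -> username
        self.sts = {}   # ST id  -> (username, service URL it was issued for)

    def post_tickets(self, client, username, password):
        """POST /cas/v1/tickets with username/password; returns (status, headers, body)."""
        if client not in self.allowed_clients:
            return 403, {}, "Forbidden"
        if USERS.get(username) != password:
            return 400, {}, "Bad credentials"
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self.tgts[tgt] = username
        return 201, {"Location": f"{self.base}/cas/v1/tickets/{tgt}"}, ""

    def post_service_ticket(self, client, tgt, service):
        """POST /cas/v1/tickets/{TGT} with service=...; body is the ST on success."""
        if client not in self.allowed_clients or tgt not in self.tgts:
            return 404, {}, "Unknown ticket"
        st = "ST-" + secrets.token_urlsafe(24)
        self.sts[st] = (self.tgts[tgt], service)
        return 200, {}, st

    def service_validate(self, service, ticket):
        """GET /cas/serviceValidate: an ST is single-use and bound to one service."""
        entry = self.sts.pop(ticket, None)
        if entry is None or entry[1] != service:
            return False, None
        return True, entry[0]


def tgt_from_location(location):
    """The TGT id is the last path segment of the Location header."""
    return urlsplit(location).path.rsplit("/", 1)[-1]


def w1_login_and_sso(cas, username, password, w2_service):
    """What W1 does after validating the password against its own DB.

    W1 replays the same credentials to CAS (the step Jean-Noel would rather
    avoid), keeps the TGT in its own server-side session, and obtains an ST
    for W2. Only the ST goes to the browser, as ?ticket= on the redirect.
    """
    if USERS.get(username) != password:  # W1's own check, as in the thread
        return None
    status, headers, _ = cas.post_tickets("w1", username, password)
    if status != 201:
        return None
    tgt = tgt_from_location(headers["Location"])  # stays in W1's session store
    status, _, st = cas.post_service_ticket("w1", tgt, w2_service)
    if status != 200:
        return None
    return {"tgt": tgt, "redirect": f"{w2_service}?ticket={st}"}


def w2_accept(cas, w2_service, redirect_url):
    """W2's side: pull ticket= off the redirected request and validate it with CAS."""
    ticket = parse_qs(urlsplit(redirect_url).query).get("ticket", [""])[0]
    ok, user = cas.service_validate(w2_service, ticket)
    return user if ok else None


if __name__ == "__main__":
    cas = MockCasRest()
    w2 = "https://w2.example.edu/login"
    hop = w1_login_and_sso(cas, "jncolin", "correct horse battery staple", w2)
    print("W1 redirects browser to:", hop["redirect"])
    print("W2 validated user:", w2_accept(cas, w2, hop["redirect"]))
    print("Replay of the same ST:", w2_accept(cas, w2, hop["redirect"]))
```

The point the stand-in makes explicit is that nothing changes for W2 or W3: they still consume a service ticket via serviceValidate exactly as they would after a normal CAS redirect, and a replayed or cross-service ST is refused. What changes is that W1, rather than the CAS login page, now holds the user's password and the TGT, which is the risk Andrew flags; the real API would be called over HTTPS with W1 restricted by network or client authentication on the CAS side.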