Jean-Noel,

Stupid question: W2 and W3 know nothing about CAS, correct?

A-

On 1/15/09 8:52 AM, "Jean-Noël Colin" <[email protected]> wrote:

> Andrew
>
> Thanks for your answer... I had a look at the RESTful API, and if I understand
> correctly, I'm 'simply' passing the user credentials from W1 to CAS server,
> and after successful validation of the credentials by the CAS server, a ticket
> is returned that can then be used by W1 to be passed to W2. Is this correct?
>
> In our case, users already log into W1 and W1 is already designed to check the
> credentials. Wouldn't there be a way for W1 to tell CAS server: "hey, the user
> has already logged in, could you please give me a ticket", and CAS server,
> because it trusts W1, would provide the ticket without requiring user
> credentials (at least pwd) to be passed?
>
> Thanks for your help
>
> Jean-Noel
>
>
> On 15 Jan 2009, at 14:22, Andrew Feller wrote:
>
>> Jean-Noel,
>>
>> It definitely seems possible if you design W1 to use the CAS 3.3.X RESTful
>> API and you are okay with W1 having access to users' credentials (username
>> and password for example), then you can have W1 issue the CAS cookie (CASTGC)
>> and the users will never know about it. If you go with this approach, there
>> are several things you need to consider:
>>
>> 1. W1 and CAS server(s) need to be within a subdomain only they have access
>> to, to prevent other servers from accessing the CAS cookie
>> 2. CAS server(s) with RESTful API should only allow W1 to issue API calls
>> 3.
>>
>> In the typical ideal situation, you would never have any application with
>> access to the cookies that CAS generates because someone could access this
>> via malicious code and hijack their session. If your business owners
>> understand the security risk, then this is what I would probably do.
>>
>> HTH,
>> A-
>>
>>
>> On 1/15/09 2:15 AM, "Jean-Noël Colin" <[email protected]> wrote:
>>
>>> Hello
>>>
>>> I was wondering if there was a way to support the setup described below
>>> with CAS.
>>>
>>> We have one main website (let's call it W1), through which users
>>> authenticate, using a custom DB (no ldap...). We would like to add
>>> associated websites (W2, W3), so that when users are logged in to W1, they
>>> can SSO to W2 or W3.
>>>
>>> The issue is that owners of W1 don't want to have a transfer to CAS server
>>> to authenticate, that would be visible to end-users.
>>>
>>> My question would then be: is there a possibility in CAS to request a
>>> ticket without having users directly authenticate to CAS server. What would
>>> need to be achieved is:
>>>
>>> * user logs into W1 (with no redirect to CAS, only W1)
>>> * W1 requests a ticket from CAS server
>>> * this ticket is then used to access W2 or W3 from W1
>>> *
>>>
>>> Is this feasible?
>>>
>>> Personally, I would prefer that we design the authentication centrally in
>>> CAS, have W1 users authenticate in CAS server, but ok, business owners are
>>> business owners...
>>>
>>> Thanks for your help
>>>
>>> Jean-Noel Colin
>>>
>>>
>>> _______________________________________________
>>> Yale CAS mailing list
>>> [email protected]
>>> http://tp.its.yale.edu/mailman/listinfo/cas
>>>
>>>
>>> --
>>> Andrew Feller, Analyst
>>> LSU University Information Services
>>> 200 Frey Computing Services Center
>>> Baton Rouge, LA 70803
>>> Office: 225.578.3737
>>> Fax: 225.578.6400
>>>
>
> --
> Andrew Feller, Analyst
> LSU University Information Services
> 200 Frey Computing Services Center
> Baton Rouge, LA 70803
> Office: 225.578.3737
> Fax: 225.578.6400

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
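As an added illustration of the RESTful flow the thread discusses (this is example code, not code from the CAS project or from either poster): a hypothetical W1-side client that trades the user's credentials for a ticket-granting ticket over the CAS 3.3 REST endpoints, mints a service ticket for W2, and a W2-side check that validates that ticket through /serviceValidate. The endpoint paths, the Location-header TGT and the ST-in-body shapes are those of the CAS 3.3 REST API; the CAS base URL, hostnames, the user account, the ticket strings and the in-memory fake CAS server are all constructed for the example. The fake models the single-use nature of service tickets, so the W2 check can be seen to fail on a replay and on a ticket issued for a different service. Note that step one is exactly the point Andrew raises: W1 becomes a party that handles passwords and holds the TGT, so the REST endpoints should only be reachable from W1.

```python
"""Hypothetical W1 client for the CAS 3.3 RESTful API (added example, not CAS code).

Endpoints assumed, as documented for CAS 3.3.x:
  POST {cas}/v1/tickets         form: username, password
       -> 201 Created, Location: {cas}/v1/tickets/TGT-...
  POST {cas}/v1/tickets/{TGT}   form: service  -> 200 OK, body: ST-...
  GET  {cas}/serviceValidate?ticket=ST-...&service=...  -> CAS 2.0 XML
"""
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def urllib_transport(method, url, data=None):
    """Real HTTP transport: returns (status, headers, body) for one request."""
    payload = urllib.parse.urlencode(data).encode() if data is not None else None
    req = urllib.request.Request(url, data=payload, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()


class CasRestClient:
    """W1 talks to CAS through this; W2 reuses validate() for its own check."""

    def __init__(self, cas_base, transport=urllib_transport):
        self.cas_base = cas_base.rstrip("/")
        self.transport = transport

    def get_tgt(self, username, password):
        """Exchange the user's credentials for a TGT. This is the step that makes
        W1 a password-handling party, so CAS should only accept it from W1."""
        status, headers, _ = self.transport(
            "POST", f"{self.cas_base}/v1/tickets",
            {"username": username, "password": password})
        if status != 201:
            raise PermissionError(f"CAS rejected credentials (HTTP {status})")
        location = next((v for k, v in headers.items() if k.lower() == "location"), "")
        tgt = location.rsplit("/", 1)[-1]
        if not tgt.startswith("TGT-"):
            raise ValueError(f"no TGT in Location header: {location!r}")
        return tgt

    def get_service_ticket(self, tgt, service):
        """Mint a single-use ST for `service` from the TGT W1 is holding."""
        status, _, body = self.transport(
            "POST", f"{self.cas_base}/v1/tickets/{tgt}", {"service": service})
        ticket = body.strip()
        if status != 200 or not ticket.startswith("ST-"):
            raise PermissionError(f"could not obtain ST (HTTP {status}): {body!r}")
        return ticket

    def validate(self, ticket, service):
        """W2-side check. Returns the username on success, None on any failure
        (unknown ticket, ticket for another service, replayed ticket)."""
        query = urllib.parse.urlencode({"ticket": ticket, "service": service})
        status, _, body = self.transport("GET", f"{self.cas_base}/serviceValidate?{query}")
        if status != 200:
            return None
        success = ET.fromstring(body).find("cas:authenticationSuccess", CAS_NS)
        if success is None:
            return None
        user = success.find("cas:user", CAS_NS)
        return user.text if user is not None else None


# ---- constructed in-memory stand-in for a CAS server so the block runs offline ----
_FAKE_USERS = {"jsmith": "s3cret"}                    # constructed credential store
_FAKE = {"tgts": {}, "sts": {}, "seq": 0}             # TGT -> user, ST -> (service, user)


def fake_cas_transport(method, url, data=None):
    parts = urllib.parse.urlsplit(url)
    path, query, data = parts.path, urllib.parse.parse_qs(parts.query), data or {}
    if method == "POST" and path.endswith("/v1/tickets"):
        if _FAKE_USERS.get(data.get("username")) != data.get("password"):
            return 400, {}, ""
        _FAKE["seq"] += 1
        tgt = f"TGT-{_FAKE['seq']}-demo"
        _FAKE["tgts"][tgt] = data["username"]
        return 201, {"Location": f"{url}/{tgt}"}, ""
    if method == "POST" and "/v1/tickets/" in path:
        tgt = path.rsplit("/", 1)[-1]
        if tgt not in _FAKE["tgts"] or not data.get("service"):
            return 404, {}, ""
        _FAKE["seq"] += 1
        st = f"ST-{_FAKE['seq']}-demo"
        _FAKE["sts"][st] = (data["service"], _FAKE["tgts"][tgt])
        return 200, {}, st
    if method == "GET" and path.endswith("/serviceValidate"):
        # pop: a service ticket is consumed on its first validation, whatever the outcome
        issued = _FAKE["sts"].pop(query.get("ticket", [""])[0], None)
        if issued and issued[0] == query.get("service", [""])[0]:
            inner = f"<cas:authenticationSuccess><cas:user>{issued[1]}</cas:user></cas:authenticationSuccess>"
        else:
            inner = "<cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>"
        return 200, {}, f"<cas:serviceResponse xmlns:cas='{CAS_NS['cas']}'>{inner}</cas:serviceResponse>"
    return 404, {}, ""


def sso_flow(client, username, password, service):
    """What W1 does per login: returns (tgt, st, user-as-seen-by-W2)."""
    tgt = client.get_tgt(username, password)
    st = client.get_service_ticket(tgt, service)
    return tgt, st, client.validate(st, service)


if __name__ == "__main__":
    demo = CasRestClient("https://cas.example.edu/cas", transport=fake_cas_transport)
    print(sso_flow(demo, "jsmith", "s3cret", "https://w2.example.edu/"))
```

In production W1 would keep only the TGT string server-side (never exposing it to the browser), redirect the user to W2 with the fresh ST appended as `?ticket=ST-...`, and W2 would call `validate()` against the real CAS host with `urllib_transport`; the ST is dead after that one call, which is what limits the damage if a ticket leaks through a referrer or log line.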
