Andrew

W2 and W3 are CAS-enabled, so they are able to handle CAS authentication. What we need to achieve is that users log in to W1 as they do now, without CAS, but then, behind the scenes, W1 would get 'something' from the CAS server that would then allow the user to navigate to W2 or W3 without the need to re-authenticate.

Jean-Noel

On 15 Jan 2009, at 16:09, Andrew Feller wrote:

Jean-Noel,

Stupid question: W2 and W3 know nothing about CAS, correct?

A-

On 1/15/09 8:52 AM, "Jean-Noël Colin" <[email protected]> wrote:

Andrew

Thanks for your answer... I had a look at the RESTful API, and if I understand correctly, I'm 'simply' passing the user credentials from W1 to the CAS server, and after successful validation of the credentials by the CAS server, a ticket is returned that can then be used by W1 to be passed to W2. Is this correct?

In our case, users already log into W1 and W1 is already designed to check the credentials. Wouldn't there be a way for W1 to tell the CAS server: 'hey, the user has already logged in, could you please give me a ticket', and the CAS server, because it trusts W1, would provide the ticket without requiring user credentials (at least the password) to be passed?

Thanks for your help

Jean-Noel


On 15 Jan 2009, at 14:22, Andrew Feller wrote:

Jean-Noel,

It definitely seems possible: if you design W1 to use the CAS 3.3.X RESTful API and you are okay with W1 having access to users' credentials (username and password, for example), then you can have W1 issue the CAS cookie (CASTGC) and the users will never know about it. If you go with this approach, there are several things you need to consider:


W1 and the CAS server(s) need to be within a subdomain only they have access to, to prevent other servers from accessing the CAS cookie
CAS server(s) with the RESTful API should only allow W1 to issue API calls


In the typical ideal situation, you would never have any application with access to the cookies that CAS generates, because someone could access them via malicious code and hijack the session. If your business owners understand the security risk, then this is what I would probably do.

 HTH,
 A-


 On 1/15/09 2:15 AM, "Jean-Noël Colin" <[email protected]> wrote:


Hello

I was wondering if there was a way to support the setup described below with CAS.

We have one main website (let's call it W1), through which users authenticate, using a custom DB (no LDAP...). We would like to add associated websites (W2, W3), so that when users are logged in to W1, they can SSO to W2 or W3.

The issue is that the owners of W1 don't want a transfer to the CAS server for authentication that would be visible to end-users.

My question would then be: is there a possibility in CAS to request a ticket without having users directly authenticate to the CAS server? What would need to be achieved is:

user logs into W1 (with no redirect to CAS, only W1)
W1 requests a ticket from CAS server
this ticket is then used to access W2 or W3 from W1


 Is this feasible?

Personally, I would prefer that we design the authentication centrally in CAS, have W1 users authenticate in CAS server, but ok, business owners are business owners...

 Thanks for your help

 Jean-Noel Colin



_______________________________________________
 Yale CAS mailing list
 [email protected]
 http://tp.its.yale.edu/mailman/listinfo/cas


 --
 Andrew Feller, Analyst
 LSU University Information Services
 200 Frey Computing Services Center
 Baton Rouge, LA 70803
 Office: 225.578.3737
 Fax: 225.578.6400






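The ticket flow Andrew proposes (W1 uses the CAS 3.3.x RESTful API) and the three-step exchange Jean-Noel sketches (credentials from W1 to CAS, a ticket back, the ticket handed to W2) are shown end to end below. This is an added example, not code from the thread or from the CAS project: the CAS server is a constructed in-process stand-in (FakeCas) that mimics the documented REST paths /cas/v1/tickets and /cas/v1/tickets/{TGT} plus the CAS 2.0 /cas/serviceValidate endpoint; the user DB, the service URLs, the TGT lifetime and the function names (w1_get_tgt, w1_get_st, w2_validate) are assumptions made for the example.

```python
"""CAS-style RESTful SSO between W1 (holds credentials), CAS and W2 (CAS-enabled).
Added example: FakeCas is a constructed stand-in for a CAS server, not CAS itself."""
import secrets
import threading
import time
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

USERS = {"jnc": "correct horse"}   # constructed stand-in for W1's custom user DB
TGT_TTL = 2 * 60 * 60              # assumed TGT lifetime (seconds)
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
TGTS = {}                          # TGT id -> (user, issued_at)
STS = {}                           # ST id  -> (user, service)


def _ticket(prefix):
    return f"{prefix}-{secrets.token_urlsafe(24)}"


class FakeCas(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the example quiet
        pass

    def _form(self):
        n = int(self.headers.get("Content-Length", 0))
        return {k: v[0] for k, v in parse_qs(self.rfile.read(n).decode()).items()}

    def _reply(self, code, body="", headers=()):
        data = body.encode()
        self.send_response(code)
        for k, v in headers:
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        path, form = urlparse(self.path).path, self._form()
        if path == "/cas/v1/tickets":                        # credentials -> TGT (201 + Location)
            user, pw = form.get("username"), form.get("password")
            if not (user and pw) or not secrets.compare_digest(USERS.get(user, ""), pw):
                return self._reply(400, "bad credentials")
            tgt = _ticket("TGT")
            TGTS[tgt] = (user, time.time())
            return self._reply(201, "", [("Location", f"http://{self.headers['Host']}{path}/{tgt}")])
        if path.startswith("/cas/v1/tickets/"):             # TGT + service -> ST
            entry = TGTS.get(path.rsplit("/", 1)[1])
            if not entry or time.time() - entry[1] > TGT_TTL or "service" not in form:
                return self._reply(400, "unknown or expired TGT")
            st = _ticket("ST")
            STS[st] = (entry[0], form["service"])
            return self._reply(200, st)
        self._reply(404)

    def do_GET(self):                                        # W2 validates its ST
        url = urlparse(self.path)
        q = {k: v[0] for k, v in parse_qs(url.query).items()}
        if url.path != "/cas/serviceValidate":
            return self._reply(404)
        entry = STS.pop(q.get("ticket", ""), None)           # pop: an ST is single-use
        if entry and entry[1] == q.get("service"):           # and bound to one service
            inner = f"<cas:authenticationSuccess><cas:user>{entry[0]}</cas:user></cas:authenticationSuccess>"
        else:
            inner = '<cas:authenticationFailure code="INVALID_TICKET">not recognized</cas:authenticationFailure>'
        self._reply(200, f'<cas:serviceResponse xmlns:cas="{CAS_NS["cas"]}">{inner}</cas:serviceResponse>')


def start_cas():
    """Start the stand-in CAS on a random loopback port; returns its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), FakeCas)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def w1_get_tgt(cas, username, password):
    """W1 trades the credentials it already verified for a TGT. The TGT URL is a bearer
    token: keep it in W1's server-side session and never hand it to the browser."""
    req = Request(f"{cas}/cas/v1/tickets", method="POST",
                  data=urlencode({"username": username, "password": password}).encode())
    try:
        with urlopen(req) as resp:
            return resp.headers["Location"]
    except HTTPError:
        return None


def w1_get_st(tgt_url, service):
    """W1 asks for a service ticket for W2/W3; this ST is what goes on the link to W2."""
    with urlopen(Request(tgt_url, method="POST", data=urlencode({"service": service}).encode())) as resp:
        return resp.read().decode()


def w2_validate(cas, service, st):
    """W2 validates the ST it received; returns the authenticated user or None."""
    with urlopen(f"{cas}/cas/serviceValidate?{urlencode({'service': service, 'ticket': st})}") as resp:
        user = ET.fromstring(resp.read()).find("cas:authenticationSuccess/cas:user", CAS_NS)
    return user.text if user is not None else None


def sso_demo():
    cas, w2 = start_cas(), "https://w2.example.org/"       # constructed service URL
    tgt = w1_get_tgt(cas, "jnc", "correct horse")
    st = w1_get_st(tgt, w2)
    first = w2_validate(cas, w2, st)                         # "jnc"
    replay = w2_validate(cas, w2, st)                        # None: ST already consumed
    wrong = w2_validate(cas, "https://w3.example.org/", w1_get_st(tgt, w2))  # None: wrong service
    return first, replay, wrong
```

The two failure cases in sso_demo are the checks a CAS-enabled W2 relies on: a service ticket is consumed on first validation and is only valid for the service it was minted for, so a ticket leaked from a W2 link cannot be replayed against W3. The TGT that W1 receives, by contrast, is long-lived and lets whoever holds it mint tickets for any service, which is why Andrew's caveats about restricting the REST endpoint to W1 and keeping the ticket out of anything the browser can read matter: in this design the TGT should live only in W1's server-side session, over TLS, and be deleted (DELETE /cas/v1/tickets/{TGT}) when the user logs out of W1.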
