SSO authentication without keeping a session active


Ted Fisher

Mar 27, 2018, 10:25:25 AM
to cas-...@apereo.org

I’m trying to re-phrase this once more.  We have a need to have some CAS services authenticate with CAS but not start an SSO session.  So, effectively as soon as the service ticket is created the TGT would be expired  (or removed) so that no session existed from that point.  At one point I thought I saw a discussion of doing just that, deleting the TGT after the ST is created.  But, I can’t find any reference to that now.

 

Is anyone familiar with this concept or know a way to make it happen?

 

Thanks.

 

Ted

 

From: cas-...@apereo.org <cas-...@apereo.org> On Behalf Of Ted Fisher
Sent: Thursday, March 22, 2018 7:47 AM
To: cas-...@apereo.org
Subject: [cas-user] Does anyone use ssoEnabled in service definitions

 

I’d like to try to rephrase my question since I only got one response:

 

Is anyone using ssoEnabled set false in service definitions to effect the same as renew=true from the client side?

 

I haven’t been able to get it to work and even insane levels of logging don’t reveal much, which puts me at a dead end.

 

Can anyone suggest what the problem might be or where I could look for how to get it working?

 

Thanks.

 

Ted Fisher

 

From: cas-...@apereo.org <cas-...@apereo.org> On Behalf Of Ted Fisher
Sent: Tuesday, March 20, 2018 10:09 AM
To: cas-...@apereo.org
Subject: [cas-user] ssoEnabled in service definition not working correctly

 

 

We are running CAS 4.1.5 and we need to make a couple services do authentication only through CAS without creating an SSO session – that is force renew=true from the CAS server and do not create a session after authenticating (no TGT).  My understanding of how to do this (per https://apereo.github.io/cas/4.2.x/installation/Configuring-SSO-Session-Cookie.html)  is to set create.sso.renewed.authn=false in cas.properties and include these in the service definition:

   "accessStrategy" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : false
   },

 

However, when I do this it does not allow authentication at all with the following complaint in the log:

[org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceManagement: Service [https://ssotest.bgsu.edu … is not allowed to use SSO.

Am I missing something?  Can anyone suggest why it is not processing the service parameters as it seems it should?

 

Thanks.

 

Ted Fisher

ITS, BGSU

 

 

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CY4PR05MB29339FFE13545423F8F44CA8C0AB0%40CY4PR05MB2933.namprd05.prod.outlook.com.


Snoke, Nancy

Mar 27, 2018, 11:34:03 AM
to cas-...@apereo.org

You can on your supplication / service using CAS set the renew flag to true and then it won’t create SSO session.

 

Nancy


Snoke, Nancy

Mar 27, 2018, 12:08:46 PM
to cas-...@apereo.org

Really weird typo here below. Substitute application for supplication. You can on your application / service using CAS set the renew flag to true and then it won’t create SSO session.

 

Although I sometimes feel like I am trying to supplicate the cas server to behave how I want.
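
Added example (not part of the original thread, and not code from the CAS project): the CAS protocol accepts renew=true on both /login and ticket validation. A renew flag sent only on the login redirect can be stripped in the browser, so the service should repeat it at validation, where CAS rejects tickets issued from an existing SSO session. Host names, the ticket value and the sample responses below are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS_BASE = "https://cas.example.org/cas"    # assumed placeholder CAS server
SERVICE = "https://app.example.org/login"   # assumed placeholder service URL


def login_url(cas_base, service):
    """Redirect target asking CAS to prompt for credentials (renew=true)."""
    return f"{cas_base}/login?" + urlencode({"service": service, "renew": "true"})


def validate_url(cas_base, service, ticket):
    """Validation request; renew=true must be repeated here to be enforced."""
    query = urlencode({"service": service, "ticket": ticket, "renew": "true"})
    return f"{cas_base}/serviceValidate?{query}"


def parse_validation(xml_text):
    """Return (user, None) on success, (None, failure_code) otherwise."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        user = ok.findtext("cas:user", namespaces=CAS_NS)
        return (user.strip(), None) if user else (None, "MALFORMED_RESPONSE")
    fail = root.find("cas:authenticationFailure", CAS_NS)
    code = fail.get("code") if fail is not None else None
    return None, code or "MALFORMED_RESPONSE"


# Constructed sample responses (not captured from a real server).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    ticket was not issued from a fresh credential check
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_url(CAS_BASE, SERVICE))
    print(validate_url(CAS_BASE, SERVICE, "ST-1-constructed"))
    print(parse_validation(SAMPLE_SUCCESS))
    print(parse_validation(SAMPLE_FAILURE))
```
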
