CAS-Server SSO - Proxying a valid scenario?


Mark

Aug 21, 2016, 3:14:19 AM
to CAS Community
I'm currently trying to figure out whether or not the following scenario can be done with a CAS-Server setup:

 - Suppose I got 3 Websites / -apps (A,B,C)
 - All three are set up (via plugins) so that their login systems use the CAS-Server (already working fine)

To me this seems like rather basic CAS-stuff. Now two more advanced "problems":

 - After I logged in to Website A and I open Website B I'm not already logged in but I do have to click "Login" again. I guess that's because CAS issues the login and cookies based on the individual service that called it and there's no way one can be auto-logged in to all sites connected to the CAS-login once you logged in to the first site?
 - Is ticket-proxying a way to achieve this? As far as I understood, Proxying tickets would mean that (in my example) A on login also asks CAS for a proxy ticket for B which A would present to B upon calling something like a webservice at B. Which would rule out proxying for my scenario.

William G. Thompson, Jr.

Aug 21, 2016, 7:26:30 AM
to Mark, CAS Community
Yes, proxy tickets are designed to allow a service to call another
service on behalf of a user, so that is not what you are looking for.

In order to achieve the SSO behavior from Website A to Website B you
can use gateway mode on the homepage of B. This will check to see if
there is a CAS SSO session, and if so issue a ST for B and log the
user in. Another approach would be to have the URL in A go to a CAS
protected URL at B, which should also initiate login.

https://wiki.jasig.org/display/CAS/gateway

Best,
Bill

Mark

Aug 21, 2016, 1:38:01 PM
to CAS Community, markyj...@gmail.com
Hi,

thanks for the quick reply.


> you can use gateway mode on the homepage of B. This will check to see if
> there is a CAS SSO session, and if so issue a ST for B and log the
> user in.

Hmm, I'll check this one out but how is the check for the CAS-login initiated in gateway mode? This would still happen when trying to either access a protected part of the page or through clicking a "Login"-Button and not just by opening the main page of the site?

William G. Thompson, Jr.

Aug 21, 2016, 1:45:59 PM
to Mark, CAS Community
The sequence diagram here describes the setup pretty well: https://wiki.jasig.org/display/CASC/CAS+Java+Client+Gateway+Example


Mark

Aug 24, 2016, 1:12:44 PM
to CAS Community
Thanks again, I think I'm starting to get the picture :-)

Am I correct if I say that the CAS-Server itself does not need any extra / special configuration for gateway-ing because all relevant stuff is done in the client?

William G. Thompson, Jr.

Aug 24, 2016, 1:17:06 PM
to Mark, CAS Community
Yes, CAS server supports gateway natively as part of the CAS Protocol
spec...no special config needed on the server.
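
The gateway flow discussed in this thread, sketched from the client side of Website B as an added example (not code from the thread, the CAS server, or any CAS client library). `CAS_BASE`, `SERVICE_URL`, `handle_home` and the injected `validate` hook are hypothetical names; the `gateway`, `service` and `ticket` parameters and the `/serviceValidate` response format come from the CAS protocol.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_BASE = "https://cas.example.org/cas"    # assumption: placeholder CAS server URL
SERVICE_URL = "https://b.example.org/"      # assumption: B's homepage, fixed in config
NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2.0 validation responses


def gateway_url():
    """CAS login URL that returns at once instead of showing a login form."""
    return CAS_BASE + "/login?" + urlencode({"service": SERVICE_URL, "gateway": "true"})


def parse_validation(xml_text):
    """Return the user name from a /serviceValidate response, or None on failure."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    user = root.find("cas:authenticationSuccess/cas:user", NS)
    return user.text.strip() if user is not None and user.text else None


def handle_home(session, query, validate):
    """Decide what B's homepage does for one request.

    session:  dict-like per-browser session store
    query:    dict of query parameters on the incoming request
    validate: callable(ticket, service) -> XML text; in production an HTTPS GET
              to CAS_BASE/serviceValidate (hypothetical hook, injected so the
              example runs offline)
    Returns ("page", user_or_None) or ("redirect", url).
    """
    if session.get("user"):
        return ("page", session["user"])
    ticket = query.get("ticket")
    if ticket:
        # A ticket in the URL proves nothing until CAS confirms it for this service.
        user = parse_validation(validate(ticket, SERVICE_URL))
        if user:
            session["user"] = user
            return ("redirect", SERVICE_URL)  # drop the one-time ticket from the URL
        return ("page", None)
    if not session.get("gateway_tried"):
        session["gateway_tried"] = True       # prevents an endless redirect loop
        return ("redirect", gateway_url())
    return ("page", None)                     # CAS had no SSO session: stay anonymous
```

The `gateway_tried` flag lasts as long as the session, so a user who signs in at A afterwards is picked up at B only once that flag is cleared or the session expires.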