Seamless login


Petr Gašparík - AMI Praha a.s.

Aug 27, 2019, 11:48:08 AM
to CAS Community
Hi,
in my proof of concept, I want a piece of code (a program library) to log a user in to a CASified application without the user's password.

That could be done in this way:
  1. library authenticates to CAS with its login/password 
    • CAS responds with OK/fail
  2. library requests to generate TGT for specified user
    • CAS responds with TGT
  3. library requests ST via TGT 
    • CAS responds with ST
  4. library forms URL for CASified application with ST 
  5. user is logged in to CASified application
I know steps 3-5 are doable through REST + CAS protocol.

What about step 2, how to do that? Can I, for example, use surrogation for that?

(CASified application means an application that uses a CAS client to get authenticated users from CAS)

best regards

Petr Gašparík
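
The REST exchange behind steps 3-5, as an added example that is not part of the original post and not Apereo's code. It covers only the ordinary case where the caller presents the user's own password; it does not implement step 2. `stub_cas`, the host names, the account and the ticket values are constructed stand-ins so the flow runs offline; swap `send` for a real HTTPS transport to talk to an actual server.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values; a real CAS server issues random ticket ids.
TGT, ST = "TGT-1-constructed", "ST-1-constructed"
USER, PASSWORD = "casuser", "constructed-password"
SERVICE = "https://app.example.org/home?lang=en"

def stub_cas(path, body):
    """Constructed stand-in for the CAS REST endpoints: (status, headers, body)."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if path == "/cas/v1/tickets":
        if (form.get("username"), form.get("password")) == (USER, PASSWORD):
            return 201, {"Location": f"https://cas.example.org{path}/{TGT}"}, ""
        return 401, {}, ""
    if path == f"/cas/v1/tickets/{TGT}" and form.get("service") == SERVICE:
        return 200, {}, ST
    return 404, {}, ""

def rest_login(send, username, password, service):
    """Return the application URL carrying an ST, or None if CAS refuses."""
    # POST the credentials; the TGT is the last path segment of Location.
    status, headers, _ = send(
        "/cas/v1/tickets", urlencode({"username": username, "password": password}))
    if status != 201 or "Location" not in headers:
        return None
    # POST the target service to the TGT resource; the response body is the ST.
    tgt_path = urlsplit(headers["Location"]).path
    status, _, st = send(tgt_path, urlencode({"service": service}))
    if status != 200 or not st.startswith("ST-"):
        return None
    # Append ticket=... without clobbering a query string the service already has.
    sep = "&" if urlsplit(service).query else "?"
    return service + sep + urlencode({"ticket": st})

if __name__ == "__main__":
    print(rest_login(stub_cas, USER, PASSWORD, SERVICE))
    print(rest_login(stub_cas, USER, "wrong-password", SERVICE))
```

The service value sent with the TGT has to be the same URL the CAS client in the application validates the ticket against, which is why the stub rejects any other service.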

Misagh

Aug 27, 2019, 3:45:52 PM
to CAS Community
Wouldn't steps 1 and 2 also be handled using the REST protocol?

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABAspd0yUWw42pPzBTgErQkTyoV_u1tszcjg5M7oNwRsM%3D_6Vg%40mail.gmail.com.

Petr Gašparík - AMI Praha a.s.

Aug 28, 2019, 3:42:17 AM
to CAS Community
Hi Misagh,
that's what I don't know for sure.

Can REST be used for issuing a TGT for a different user than the authenticated one? Like "sudo make TGT for userX"?
I studied the wiki; I think the sudoer needs to know the user's password.

--

Best regards

Petr Gašparík
solution architect

gsm: [+420] 603 523 860
e‑mail: petr.g...@ami.cz

AMI Praha a.s.
Pláničkova 11, 162 00 Praha 6

tel.: [+420] 274 783 239 | web: www.ami.cz


Petr Gašparík - AMI Praha a.s.

Aug 28, 2019, 5:50:36 PM
to CAS Community
Oh! I know!

It is done simply by +user in the REST authentication request, right? Genial!

Petr

Artur Łaga

Nov 26, 2019, 8:14:05 AM
to CAS Community
Hi,

Did you manage to achieve the scenario you wanted with the surrogate mechanism?
I'm interested in the 2nd point from your scenario in particular.

I'm trying to get almost the same path working, but I have a problem generating a TGT through the REST API - it looks like the REST API doesn't accept the special surrogate syntax ([surrogate-userid][separator][primary-userid]). Calling the TGT method as described in https://apereo.github.io/2019/06/12/cas61x-rest-api/#exchange-tokens with the surrogate in the username param always gives an AccountNotFoundException.

My CAS instance is configured with surrogate auth enabled - normal authentication with impersonation is working well.

Regards,
Artur

Petr Gašparík - AMI Praha a.s.

Nov 27, 2019, 4:51:28 AM
to CAS Community
Hi,
the solution was not selected for the PoC.

--

Best regards

Petr Gašparík
IT security consultant


Artur Łaga

Dec 11, 2019, 6:34:56 PM
to CAS Community
Step 2 could not be handled through REST using surrogate authentication - that is my conclusion after some tests, as I didn't manage to generate a TGT for another user.

Is it (i.e. surrogate with REST) not supported "by design", or is it just functionality that has not been implemented?

Regards,
Artur