TGC and Principal
Scott Battaglia
scott.battaglia at gmail.com
Thu May 17 13:38:09 EDT 2007
For a TGT to be valid it must:
(a) Exist
and
(b) Not Be Expired
If service B were to redirect to CAS and opt out of single sign on (i.e.
renew=true), CAS would ask the user to provide their credentials again. In
that case, if the newly provided Principal and the principal that exists
through the current single sign on session do not match, the old single sign
on session would be destroyed and a new one created.
Otherwise, to confirm the validity of a Ticket Granting Ticket, the user name
is not checked.
-Scott
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
On 5/17/07, dom <formpost at hotmail.com> wrote:
>
> Conceptual question.
>
> A client successfully logs into service-A. A Ticket-Granting Cookie is
> added to the client's browser.
>
> The client then moves to service-B, which redirects to CAS and CAS finds
> the TGC.
>
> The TGC is inspected and if valid generates a new Service Ticket for
> service-B.
>
> As far as I can tell, from docs, api, etc, for a TGC to be valid it must
> be in the ticket registry, it must not have expired and the principals
> must match.
>
> It is the last point that I'm having trouble with: Matching principals.
>
> Can someone please explain how service_B gives the principal to CAS in
> order for CAS to match them in the validation of the TGC.
>
> Many Thanks.
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
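
A simplified model of the rules in the reply above, added here as an illustration; it is not code from the original post or from CAS. The class, method and action names are hypothetical, and keeping the existing session when the re-entered principal matches is an assumption the reply does not state.

```python
import secrets
import time


class SsoModel:
    """Toy model of the rules in the reply; not CAS's real classes or API."""

    def __init__(self, ttl=7200.0, clock=time.time):
        self.registry = {}  # TGT id (value carried in the TGC) -> (principal, expiry)
        self.ttl = ttl      # constructed lifetime, not a CAS default
        self.clock = clock

    def _create(self, principal):
        tgt_id = "TGT-" + secrets.token_urlsafe(16)
        self.registry[tgt_id] = (principal, self.clock() + self.ttl)
        return tgt_id

    def is_valid(self, tgt_id):
        # (a) exists and (b) not expired; no user name is compared here.
        entry = self.registry.get(tgt_id)
        if entry is None:
            return False
        if self.clock() >= entry[1]:
            del self.registry[tgt_id]  # drop the expired ticket
            return False
        return True

    def login(self, tgc, renew=False, authenticated_principal=None):
        """Handle one redirect to the login endpoint; return (tgt_id, action).

        authenticated_principal is the principal from credentials the user
        has just presented, or None if none were presented on this request.
        """
        valid = tgc is not None and self.is_valid(tgc)
        if valid and not renew:
            return tgc, "sso"        # existing session is sufficient
        if authenticated_principal is None:
            return None, "prompt"    # no session, or renew=true: ask for credentials
        if valid and self.registry[tgc][0] == authenticated_principal:
            return tgc, "renewed"    # assumption: same user keeps the session
        if valid:
            del self.registry[tgc]   # different principal: destroy old session
        return self._create(authenticated_principal), "new-session"
```

The service never supplies a principal in this model: the only principal comparison happens on the renew=true path, between the stored session and the credentials the user has just re-entered.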