can a service determine user identity without validating a service ticket?
dom
formpost at hotmail.com
Thu May 17 19:18:16 EDT 2007
Andrew William Petro <apetro at ...> writes:
>
> Dom,
>
> No. Service B cannot determine the identity of the end user without
> acquiring and validating a Service Ticket.
>
> This is a feature. There's a checkbox on the CAS login UI allowing end
> users to choose "warn me before logging me in to other services" that
> will introduce an interstitial confirmation page to what would otherwise
> be a transparent, no-additional-credential-entry-required
> authentication. Requiring interaction with CAS, rather than, say,
> exposing an advisory user-identity-representing cookie, or exposing a
> cookie that authenticates the user to future services without additional
> interaction with CAS (e.g. a cryptographically signed identity
> assertion), would introduce the problem of user identity being revealed
> to subsequently visited applications without the user having had a
> chance to opt out of this behavior. Among other problems.
>
> Andrew
>
> dom wrote:
> > Thanks for your reply, Scott.
> >
> > If I've got this correct (with renew = false):
> >
> > 1. Client successfully logs into Service A.
> > 2. Ticket Granting Ticket is created, added to Ticket Registry.
> > 3. Client moves to Service B.
> > 4. Service B redirects to CAS, sending Ticket Granting Cookie.
> > 5. CAS checks Ticket Registry for Ticket Granting Ticket.
> > 6. If the Ticket is found and has not expired, CAS creates a new
> > Service Ticket for Service B.
> > 7. CAS redirects client to Service B without asking for credentials.
> >
> > If this is correct, can Service B determine the user name without
> > asking the client for it?
> >
Thanks for your reply, Andrew.

Is the following correct?

When a user moves between services and they have cookies enabled,
the user does not need to log into each service if the
ticket granting ticket hasn't expired. For each service the user
visits, the ticket granting ticket is validated and a new service
ticket is created for the new service. This service ticket is
validated and deleted with the CAS handshake. (Is that correct?)

If the user is now allowed access to the new service, because CAS has
done a handshake using the new Service Ticket, then the new service
must have access to the user's id. The return value of the CAS
Service Ticket handshake contains the user id. (Is that correct?)

Regards
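Added example, not code from the thread or from the CAS project: what Service B does with the Service Ticket it is handed, and why the user id is available to it only from the /serviceValidate response. The server hostname, service URL and the two sample XML responses are constructed for illustration; the response layout follows the CAS 2.0 protocol.

```python
"""Service-side half of the CAS handshake: build the server-to-server
validation call and pull the user id out of the CAS 2.0 XML reply.
Without a successful validation there is no identity to read."""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}      # CAS 2.0 namespace
CAS_SERVER = "https://cas.example.edu/cas"           # assumed hostname


def validate_url(service, ticket, renew=False):
    """URL Service B fetches directly from CAS (not via the browser) to
    exchange the one-time Service Ticket for an identity assertion.
    renew=True refuses single sign-on and forces fresh credentials."""
    params = {"service": service, "ticket": ticket}
    if renew:
        params["renew"] = "true"
    return f"{CAS_SERVER}/serviceValidate?{urlencode(params)}"


def user_from_validation(xml_text):
    """Return the user id asserted by CAS, or None on authenticationFailure.
    The ticket is consumed by this validation, so a replayed ticket also
    comes back as a failure and yields no identity."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None
    user = success.find("cas:user", CAS_NS)
    return user.text.strip() if user is not None and user.text else None


# Constructed sample responses in the CAS 2.0 serviceValidate format.
OK_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>dom</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

FAIL_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-123-abc not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(validate_url("https://b.example.edu/app", "ST-123-abc"))
    print(user_from_validation(OK_RESPONSE))    # dom
    print(user_from_validation(FAIL_RESPONSE))  # None
```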