can a service determine user identity without validating a service ticket?

[Andrew William Petro]

Dom,

Yes.

Each service to which the user wishes to authenticate will need to 
acquire its very own CAS service ticket.  It does this by redirecting 
the user to cas/login, setting the 'service' request parameter to the 
URL to which it desires the user to be redirected with the ticket.

In the case where the user has an existing valid TGT, the service does 
not specify "renew" login behavior, and the user has not asked to be 
notified on authentication, this redirect will be transparent, happening 
in the blink of an eye.  CAS bounces the browser back to the service 
with a service ticket.

The application then validates the service ticket with CAS, obtaining 
the username.


If the application specifies "renew=true", the user will need to 
re-enter primary credentials to CAS in order to authenticate to the 
application.  If the user specifies "warn=true", CAS will notify the 
user that he or she is being authenticated even though the TGT is 
sufficient to authenticate the user to the application.


What documentation where could have been enhanced how so that the 
answers to these questions would be apparent?

Andrew



> Thanks for your reply, Andrew.
>
> Is the following correct?
>
> When a user moves between services and they have cookies enabled, 
> the user does not need to log into each service if the 
> ticket granting ticket hasn't expired. For each service the user 
> visits, the ticket granting ticket is validated and a new service 
> ticket is created for the new service. This service ticket is 
> validated and deleted with the CAS handshake. (Is that correct)
>
> If the user is now allowed access to the new service, because CAS has 
> done a handshake using the new Service Ticket, then the new service 
> must have access to the users id. The return value of the CAS 
> Service Ticket handshake contains the user id. (Is that correct)
>
> Regards
>
>
>