validating service ticket
Scott Battaglia
scott.battaglia at gmail.com
Mon Sep 22 21:41:54 EDT 2008
The only thing that has access to the TGT is the CAS server. The user's
browser has access to a thing unfortunately named TGC, which is really just
the identifier for the TGT (i.e. what you would get if you called
ticketGrantingTicket.getId()).
If a user has initiated a single sign-on session with CAS, then if they go to
site B and the SSO session is still valid, they will not be asked to log back
in.
-Scott
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
On Mon, Sep 22, 2008 at 9:30 PM, Michael Johnston <lastobelus at mac.com> wrote:
> However, TGTs and TGCs are connected, correct? So if site A gets a TGT and
> site B has a CAS client, the user will not see a login screen unless they
> log out or site A deletes the TGT? I'm going to find out the answer to this
> in about 10 more minutes of work I guess... I HOPE that is the way it works.
>
> Cheerio,
>
> Michael Johnston
> lastobelus at mac.com
>
> On 20-Aug-08, at 7:31 PM, Scott Battaglia wrote:
>
> Jason,
>
> Ticket Granting Tickets are the SSO session, while Service Tickets are the
> one-time-use tickets that allow a service to validate a user with the CAS
> server. So each service that a user attempts to access would need its own
> service tickets (which can only be validated once). If your applications
> maintain their own session, it's up to them to ensure that they always know
> someone is logged in to that application. If an application is stateless
> (i.e. doesn't use sessions), then you would need a Service Ticket for each
> request to the application.
>
> TGTs are a way of making sure the user isn't prompted to provide their
> credentials each time they log in.
>
> -Scott
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
> On Wed, Aug 20, 2008 at 7:35 PM, Jason Roscoe <jroscoe at riteaid.com> wrote:
>
>> Yeah, I just read that. So for single sign-on, we need to generate a
>> new service ticket using the TGT? For example, I have a site at
>> www.sitea.com. I log in to this site, so I have a TGT ticket and a
>> service ticket. I go to a site that is at yyy.sitea.com. They can
>> validate the service ticket. If the user comes back to www.sitea.com,
>> then they need to generate a new service ticket?
>>
>> Right now, we are storing the service ticket and the TGT ticket in a
>> cookie. How would we do SSO using an external site, say a site at
>> www.siteb.com?
>>
>> Thanks again for all the help. It is greatly appreciated!!
>> ------------------------------
>> *From:* cas-bounces at tp.its.yale.edu [cas-bounces at tp.its.yale.edu] On
>> Behalf Of Adam Rybicki [arybicki at unicon.net]
>> *Sent:* Wednesday, August 20, 2008 7:01 PM
>> *To:* Yale CAS mailing list
>> *Subject:* Re: validating service ticket
>>
>> You can't. Service tickets are single-use only.
>>
>> Jason Roscoe wrote:
>>
>> I have successfully generated a service ticket using CAS 3.3 and the RESTful API. Now, when I try to validate that ticket, calling http://localhost:9009/cas/serviceValidate?service=http://localhost:8082/xxx/login.jsf&ticket=ST-1-CfHBK93WV7kbR4U6PFfI-cas, the first time it returns my user. If I try to validate the ticket a second time, it says:
>>
>> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>>   <cas:authenticationFailure code='INVALID_TICKET'>
>>     ticket 'ST-1-CfHBK93WV7kbR4U6PFfI-cas' not recognized
>>   </cas:authenticationFailure>
>> </cas:serviceResponse>
>>
>> How do I validate a ticket more than once?
>>
>> Thanks.
>>
>> ------------------------------
>> Disclaimer: This e-mail message is intended only for the personal use of
>> the recipient(s) named above. If you are not an intended recipient, you
>> may not review, copy or distribute this message. If you have received this
>> communication in error, please notify us immediately by e-mail and delete
>> the original message.
>>
>> This e-mail expresses views only of the sender, which are not to be
>> attributed to Rite Aid Corporation and may not be copied or distributed
>> without this statement.
>>
>> ------------------------------
>> _______________________________________________
>> Yale CAS mailing list
>> cas at tp.its.yale.edu
>> http://tp.its.yale.edu/mailman/listinfo/cas
>>
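The behaviour discussed in this thread, worked through in a small Python model (an added example, not CAS code): the single-use Service Ticket Jason ran into, the TGT as the SSO session that only the server holds, and the site A / site B case from Michael. The ticket id formats, the constructed "correct" password check and the INVALID_SERVICE message text are assumptions; INVALID_TICKET and INVALID_SERVICE are CAS protocol failure codes.

```python
import secrets
import time

class CasServer:
    """Toy ticket registry (added example, not CAS code). Only the server holds TGTs;
    the browser's TGC cookie is just the TGT id; each service access gets one ST."""
    def __init__(self, tgt_lifetime=8 * 3600):
        self.tgts = {}   # tgt_id -> {"user", "expires"}: the SSO sessions
        self.sts = {}    # st_id -> {"tgt", "service"}: not-yet-validated service tickets
        self.tgt_lifetime = tgt_lifetime
        self._seq = 0

    def login(self, user, password):
        """Primary authentication; returns the TGT id the TGC cookie will carry."""
        if password != "correct":       # constructed stand-in for a real credential check
            raise PermissionError("bad credentials")
        tgt_id = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt_id] = {"user": user, "expires": time.time() + self.tgt_lifetime}
        return tgt_id

    def grant_st(self, tgt_id, service):
        """/login with a live TGC: mint a fresh ST for one service, no password prompt."""
        tgt = self.tgts.get(tgt_id)
        if tgt is None or tgt["expires"] <= time.time():
            self.tgts.pop(tgt_id, None)
            return None                 # SSO session gone: the user must log in again
        self._seq += 1
        st_id = f"ST-{self._seq}-{secrets.token_urlsafe(16)}-cas"
        self.sts[st_id] = {"tgt": tgt_id, "service": service}
        return st_id

    def service_validate(self, service, ticket):
        """/serviceValidate: pop() consumes the ST, so a second call gets INVALID_TICKET."""
        st = self.sts.pop(ticket, None)
        if st is None:
            body = (f"<cas:authenticationFailure code='INVALID_TICKET'>"
                    f"ticket '{ticket}' not recognized</cas:authenticationFailure>")
        elif st["service"] != service:  # ST presented by a service it was not issued to
            body = (f"<cas:authenticationFailure code='INVALID_SERVICE'>"
                    f"ticket '{ticket}' does not match supplied service</cas:authenticationFailure>")
        else:
            user = self.tgts[st["tgt"]]["user"]
            body = f"<cas:authenticationSuccess><cas:user>{user}</cas:user></cas:authenticationSuccess>"
        return (body.startswith("<cas:authenticationSuccess"),
                f"<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>{body}</cas:serviceResponse>")

    def logout(self, tgt_id):
        """Destroying the TGT ends SSO; unvalidated STs minted from it die with it."""
        self.tgts.pop(tgt_id, None)
        self.sts = {k: v for k, v in self.sts.items() if v["tgt"] != tgt_id}
```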