CAS Authentication without going to CAS Server?
Andrew Feller
afelle1 at lsu.edu
Thu Jan 15 10:09:21 EST 2009
Jean-Noel,
Stupid question: W2 and W3 know nothing about CAS, correct?
A-
On 1/15/09 8:52 AM, "Jean-Noël Colin" <jnc at info.fundp.ac.be> wrote:
> Andrew
>
> Thanks for your answer... I had a look a the RESTful API, and if I understand
> correctly, I'm 'simply' passing the user credentials from W1 to CAS server,
> and after successful validation of the credentials by the CAS server, a ticket
> is returned that can then be used by W1 to be passed to W2. Is this correct?
>
> In our case, users already log into W1 and W1 is already designed to check the
> credentials. Wouldn't there be a way for W1 to tell CAS server: "hey, the user
> has already logged in, could you please give me a ticket", and CAS server,
> because it trusts W1, would provide the ticket without requiring user
> credentials (at least pwd) to be passed?
>
> Thanks for your help
>
> Jean-Noel
>
>
> On 15 Jan 2009, at 14:22, Andrew Feller wrote:
>
>> Jean-Noel,
>>
>> It definitely seems possible if you design W1 to use the CAS 3.3.X RESTful
>> API and you are okay with W1 having access to users' credentials (username
>> and password for example), then you can have W1 issue the CAS cookie (CASTGC)
>> and the users will never know about it. If you go with this approach, there
>> are several things you need to consider:
>>
>>
>> 1. W1 and CAS server(s) need to be within a subdomain only they have access
>> to, to prevent other servers from accessing the CAS cookie
>> 2. CAS server(s) with RESTful API should only allow W1 to issue API calls
>> 3.
>>
>> In the typical ideal situation, you would never have any application with
>> access to the cookies that CAS generates because someone could access this
>> via malicious code and hijack their session. If your business owners
>> understand the security risk, then this is what I would probably do.
>>
>> HTH,
>> A-
>>
>>
>> On 1/15/09 2:15 AM, "Jean-Noël Colin" <jnc at info.fundp.ac.be> wrote:
>>
>>
>>> Hello
>>>
>>> I was wondering if there was a way to support the setup described below
>>> with CAS.
>>>
>>> We have one main website (let's call it W1), through which users
>>> authenticate, using a custom DB (no LDAP...). We would like to add
>>> associated websites (W2, W3), so that when users are logged in in W1, they
>>> can SSO to W2 or W3.
>>>
>>> The issue is that owners of W1 don't want to have a transfer to CAS server
>>> to authenticate, that would be visible to end-users.
>>>
>>> My question would then be: is there a possibility in CAS to request a
>>> ticket without having users directly authenticate to CAS server. What would
>>> need to be achieved is:
>>>
>>> * user logs into W1 (with no redirect to CAS, only W1)
>>> * W1 requests a ticket from CAS server
>>> * this ticket is then used to access W2 or W3 from W1
>>> *
>>>
>>> Is this feasible?
>>>
>>> Personally, I would prefer that we design the authentication centrally in
>>> CAS, have W1 users authenticate in CAS server, but ok, business owners are
>>> business owners...
>>>
>>> Thanks for your help
>>>
>>> Jean-Noel Colin
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Yale CAS mailing list
>>> cas at tp.its.yale.edu
>>> http://tp.its.yale.edu/mailman/listinfo/cas
>>>
>>>
>>> --
>>> Andrew Feller, Analyst
>>> LSU University Information Services
>>> 200 Frey Computing Services Center
>>> Baton Rouge, LA 70803
>>> Office: 225.578.3737
>>> Fax: 225.578.6400
>>>
>>>
>>>
>>>
>
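The flow Andrew describes (W1 replays the user's credentials to the CAS REST API, keeps the resulting TGT server-side, and requests a service ticket for W2), as an added example that is not code from the CAS project or from anyone in this thread. The endpoint paths and response codes follow the CAS 3.3 REST API; the in-memory `CasRestServer`, the user store, the addresses and the service URLs are constructed for the example. It models the two controls Andrew lists (only W1's address may call the REST API; the TGT never reaches a browser) and the checks W2 must apply when it validates the ticket it is handed (single use, bound to the service it was issued for).

```python
# Added example (not CAS project code): a model of the CAS 3.3 RESTful ticket
# flow between W1 (REST client), the CAS server, and W2 (ticket validator).
import hmac
import secrets

# Constructed sample data: W1's own user store and the host allowed to call the REST API.
W1_USERS = {"jnc": "correct-horse"}          # W1's custom DB (constructed)
REST_ALLOWED_CALLERS = {"10.0.0.5"}          # W1's address (constructed)
W1_ADDR = "10.0.0.5"
W2_SERVICE = "https://w2.example.edu/"       # hypothetical service URLs
W3_SERVICE = "https://w3.example.edu/"


class CasRestServer:
    """In-memory stand-in for the CAS server's REST ticket endpoints."""

    def __init__(self, users, allowed_callers):
        self._users = dict(users)
        self._allowed = set(allowed_callers)
        self._tgts = {}   # TGT id -> username (the value CASTGC would carry in a browser flow)
        self._sts = {}    # ST id  -> (username, service it was issued for)

    def post_tickets(self, caller_addr, username, password):
        """POST /cas/v1/tickets with username/password.
        Returns (HTTP status, Location header); 201 + Location on success."""
        if caller_addr not in self._allowed:
            return 403, None                       # item 2: only W1 may call the REST API
        expected = self._users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return 400, None
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self._tgts[tgt] = username
        return 201, f"https://cas.example.edu/cas/v1/tickets/{tgt}"

    def post_service_ticket(self, caller_addr, tgt, service):
        """POST /cas/v1/tickets/{TGT} with service=<url>.
        Returns (HTTP status, ST string); 200 + ST on success."""
        if caller_addr not in self._allowed:
            return 403, None
        username = self._tgts.get(tgt)
        if username is None:
            return 404, None
        st = "ST-" + secrets.token_urlsafe(16)
        self._sts[st] = (username, service)
        return 200, st

    def service_validate(self, service, ticket):
        """GET /cas/serviceValidate?service=<url>&ticket=<ST>.
        Returns (ok, username or error code). Tickets are single-use and bound to a service."""
        entry = self._sts.pop(ticket, None)       # pop: a replayed ST is rejected
        if entry is None:
            return False, "INVALID_TICKET"
        username, bound_service = entry
        if bound_service != service:
            return False, "INVALID_SERVICE"
        return True, username


def w1_obtain_service_ticket(cas, username, password, target_service):
    """W1 side: the user already logged into W1, so W1 replays the credentials
    to CAS, keeps the TGT server-side (never in a browser cookie), and asks
    for a service ticket for the target site."""
    status, location = cas.post_tickets(W1_ADDR, username, password)
    if status != 201:
        return None
    tgt = location.rsplit("/", 1)[1]     # TGT id is the last path segment of Location
    status, st = cas.post_service_ticket(W1_ADDR, tgt, target_service)
    return st if status == 200 else None


def w2_accept(cas, service, ticket):
    """W2 side: validate the ST against CAS before creating a local session."""
    ok, result = cas.service_validate(service, ticket)
    return result if ok else None


def run_demo():
    """Runs the happy path plus the failure cases a validator must handle."""
    cas = CasRestServer(W1_USERS, REST_ALLOWED_CALLERS)
    st = w1_obtain_service_ticket(cas, "jnc", "correct-horse", W2_SERVICE)
    results = {
        "w2_user": w2_accept(cas, W2_SERVICE, st),      # "jnc"
        "replay": w2_accept(cas, W2_SERVICE, st),       # None: ST already consumed
        "bad_password": w1_obtain_service_ticket(cas, "jnc", "wrong", W2_SERVICE),  # None
    }
    st_for_w2 = w1_obtain_service_ticket(cas, "jnc", "correct-horse", W2_SERVICE)
    results["wrong_service"] = w2_accept(cas, W3_SERVICE, st_for_w2)  # None: bound to W2
    results["outsider"] = cas.post_tickets("192.0.2.9", "jnc", "correct-horse")[0]  # 403
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point Andrew's caveats rest on is visible in `w1_obtain_service_ticket`: W1 now holds both the user's password and a TGT, either of which is as good as the user's CAS session, so the REST endpoints are restricted to W1's address and the TGT is never handed to a browser. W2 and W3 need no knowledge of how the ticket was obtained; they only validate it, and the validator's pop-on-use and service binding are what stop a captured ticket from being replayed or redirected.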