CAS Authentication without going to CAS Server?

Jean-Noël Colin jnc at info.fundp.ac.be
Thu Jan 15 10:12:18 EST 2009


Andrew

W2 and W3 are CAS-enabled, so they are able to handle CAS  
authentication.
What we need to achieve is that users log in to W1 as they do now,  
without CAS, but then, behind the scenes, W1 would get 'something'  
from CAS server that would then allow the user to navigate to W2 or W3  
without the need for re-authenticating.

Jean-Noel

On 15 Jan 2009, at 16:09, Andrew Feller wrote:

> Jean-Noel,
>
> Stupid question: W2 and W3 know nothing about CAS, correct?
>
> A-
>
> On 1/15/09 8:52 AM, "Jean-Noël Colin" <jnc at info.fundp.ac.be> wrote:
>
>> Andrew
>>
>> Thanks for your answer... I had a look at the RESTful API, and if I  
>> understand correctly, I'm 'simply' passing the user credentials  
>> from W1 to CAS server, and after successful validation of the  
>> credentials by the CAS server, a ticket is returned that can then  
>> be used by W1 to be passed to W2. Is this correct?
>>
>> In our case, users already log into W1 and W1 is already designed  
>> to check the credentials. Wouldn't there be a way for W1 to tell  
>> CAS server: "hey, the user has already logged in, could you please  
>> give me a ticket?", and CAS server, because it trusts W1, would  
>> provide the ticket without requiring user credentials (at least  
>> pwd) to be passed?
>>
>> Thanks for your help
>>
>> Jean-Noel
>>
>>
>> On 15 Jan 2009, at 14:22, Andrew Feller wrote:
>>
>>> Jean-Noel,
>>>
>>>  It definitely seems possible if you design W1 to use the CAS  
>>> 3.3.X RESTful API and you are okay with W1 having access to users’  
>>> credentials (username and password for example), then you can have  
>>> W1 issue the CAS cookie (CASTGC) and the users will never know  
>>> about it.  If you go with this approach, there are several things  
>>> you need to consider:
>>>
>>>
>>> W1 and CAS server(s) need to be within a subdomain only they have  
>>> access to, to prevent other servers from accessing the CAS cookie
>>> CAS server(s) with RESTful API should only allow W1 to issue API  
>>> calls
>>>
>>>
>>>  In the typical ideal situation, you would never have any  
>>> application with access to the cookies that CAS generates because  
>>> someone could access this via malicious code and hijack their  
>>> session.  If your business owners understand the security risk,  
>>> then this is what I would probably do.
>>>
>>>  HTH,
>>>  A-
>>>
>>>
>>>  On 1/15/09 2:15 AM, "Jean-Noël Colin" <jnc at info.fundp.ac.be> wrote:
>>>
>>>
>>>> Hello
>>>>
>>>>  I was wondering if there was a way to support the setup  
>>>> described below with CAS.
>>>>
>>>>  We have one main website (let's call it W1), through which users  
>>>> authenticate, using a custom DB (no ldap...). We would like to  
>>>> add associated websites (W2, W3), so that when users are logged  
>>>> in to W1, they can SSO to W2 or W3.
>>>>
>>>>  The issue is that owners of W1 don't want to have a transfer to  
>>>> CAS server to authenticate, that would be visible to end-users.
>>>>
>>>>  My question would then be: is there a possibility in CAS to  
>>>> request a ticket without having users directly authenticate to  
>>>> CAS server? What would need to be achieved is:
>>>>
>>>> user logs into W1 (with no redirect to CAS, only W1)
>>>> W1 requests a ticket from CAS server
>>>> this ticket is then used to access W2 or W3 from W1
>>>>
>>>>
>>>>  Is this feasible?
>>>>
>>>>  Personally, I would prefer that we design the authentication  
>>>> centrally in CAS, have W1 users authenticate in CAS server, but  
>>>> ok, business owners are business owners...
>>>>
>>>>  Thanks for your help
>>>>
>>>>  Jean-Noel Colin
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>>  Yale CAS mailing list
>>>>  cas at tp.its.yale.edu
>>>>  http://tp.its.yale.edu/mailman/listinfo/cas
>>>>
>>>>
>>>>  --
>>>>  Andrew Feller, Analyst
>>>>  LSU University Information Services
>>>>  200 Frey Computing Services Center
>>>>  Baton Rouge, LA 70803
>>>>  Office: 225.578.3737
>>>>  Fax: 225.578.6400
>>>>
>>>>
>>>
>>>
>
> -- 
> Andrew Feller, Analyst
> LSU University Information Services
> 200 Frey Computing Services Center
> Baton Rouge, LA 70803
> Office: 225.578.3737
> Fax: 225.578.6400
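The broker flow Andrew describes (W1 authenticates against the CAS 3.3 RESTful API, keeps the TGT server-side, mints service tickets for W2/W3, and the CAS side only accepts REST calls from W1), as an added example that is not from this list or from the CAS project. The base URL, hostnames, password and in-memory FakeCas are constructed stand-ins, and FakeCas.service_validate returns the username directly instead of the real serviceValidate XML.

```python
import re
import secrets
CAS_BASE = "https://cas.example.edu/cas"  # assumed CAS base URL (constructed)
W1_HOST = "w1.example.edu"                # the only host allowed to call the REST API

class FakeCas:
    """In-memory stand-in for the CAS 3.3 REST endpoints (constructed for this example)."""
    def __init__(self):
        self.tgts = {}  # TGT id -> username
        self.sts = {}   # ST id -> (service, username)

    def post(self, caller_host, url, form):
        if caller_host != W1_HOST:  # Andrew's point: nobody but W1 may issue REST calls
            return 403, {}, "forbidden"
        path = url[len(CAS_BASE):]
        if path == "/v1/tickets":  # primary authentication -> TGT in the Location header
            if form.get("password") != "s3cret":  # constructed stand-in for the custom DB
                return 400, {}, "bad credentials"
            tgt = "TGT-" + secrets.token_hex(8)
            self.tgts[tgt] = form["username"]
            return 201, {"Location": f"{CAS_BASE}/v1/tickets/{tgt}"}, ""
        m = re.fullmatch(r"/v1/tickets/(TGT-[0-9a-f]+)", path)
        if m and m.group(1) in self.tgts:  # TGT -> service ticket bound to W2 or W3
            st = "ST-" + secrets.token_hex(8)
            self.sts[st] = (form["service"], self.tgts[m.group(1)])
            return 200, {}, st
        return 404, {}, "no such ticket"

    def service_validate(self, service, ticket):
        # What W2/W3 do on arrival: STs are single-use and bound to one service.
        entry = self.sts.pop(ticket, None)
        return entry[1] if entry and entry[0] == service else None

class W1Broker:
    """W1 side: the TGT stays server-side; the browser only ever sees a service ticket."""
    def __init__(self, cas):
        self.cas = cas
        self.tgt_url = {}  # W1 session id -> CAS TGT resource URL

    def login(self, session_id, username, password):
        status, headers, _ = self.cas.post(
            W1_HOST, f"{CAS_BASE}/v1/tickets", {"username": username, "password": password})
        if status != 201:
            return False
        self.tgt_url[session_id] = headers["Location"]
        return True

    def link_to(self, session_id, service):
        status, _, st = self.cas.post(W1_HOST, self.tgt_url[session_id], {"service": service})
        return f"{service}?ticket={st}" if status == 200 else None
```

Because the TGT never leaves W1, the CASTGC cookie exposure Andrew warns about is avoided; W2 and W3 only ever see a single-use ST that they validate against CAS themselves.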
