I really appreciate your help here! Okay, first, some questions about the gateway
concept.

Our users will do the /login and get authenticated, then they're sent to a
landing page that contains all the links that are available and supported
for SSO.

What would the link for my application need to look like before they click
on it within the landing page?

Is the ticket already attached to my URL at this time?  If it is, I think
that I'd call /serviceValidate with the ticket and the service address
(basically just heading back to me again), and if successful the return
from this is a 'YES' and 'UserName'?  From here, I can do what I need now
that I know who I'm dealing with.  The next thing to deal with would be
handling the passive redirecting from WIF, but that's for another day.

Am I even close with what I described above?

Thanks!


On Tue, Mar 4, 2014 at 5:12 PM, Max Bowsher <[email protected]> wrote:

> It sounds to me like you want to redirect your user to:
>
>   https://your-cas-server/login?gateway=true&service=...
>
> Where the value of ... above is the URL-encoding of:
>
>   https://your-other-thing/return-from-cas-handler
>
>
> CAS will redirect the user back to the /return-from-cas-handler page -
> either as is, if not logged in to CAS, or with the addition of a query
> parameter ?ticket=ST-.... if they are logged in to CAS.
>
> Then you send the ticket so obtained to /serviceValidate to retrieve the
> information about it (along with the same value for service as you
> passed to CAS /login).
>
> Max.
>
>
>
> On 03/03/14 17:41, Richie wrote:
> > Thanks so much for the clarification.
> >
> > Ok, so I have an idea how CAS works, but now the trick is somehow
> > incorporating CAS SSO and my existing STS in my project.  From what
> > you're telling me, everything for CAS is done within the CAS server, and
> > I can't retrieve 'stuff' from within my browser.
> >
> > Because I'm not using CAS to login and create the service ticket, could
> > I try to initially use the /VALIDATE (or /serviceValidate) url to see if
> > one already exists?  My thought is that if that doesn't work (no SSO
> > cookie) then go through my normal STS authentication process.  I'm
> > really not that familiar with the things that are happening under the
> > covers, so I don't know if this integration would be possible or not.
> >
> > Reading the CAS Protocol page, http://www.jasig.org/cas/protocol, I see
> > that there are required parameters for /Validate, but if I'm redirecting
> > to this url where would 'service' and 'ticket' come from?  Can they be
> > extracted from the browser cookie if the user has previously logged in?
> >
> > I see that if all of the above is possible, I would get an XML
> > response.  From this I'd extract what I need.  I'm not sure how I'd go
> > about this yet, but if I have the info I know that I can get it somehow.
> >
> >  Any thoughts or suggestions?  Thanks!
> >
> >
> > On Thu, Feb 27, 2014 at 2:39 PM, Clemens Stich
> > <[email protected] <mailto:[email protected]>> wrote:
> >
> >     Hi Richie,
> >
> >     Here is a first quick reply:
> >     You cannot grab the CAS cookie in your application as CAS itself
> >     issues this cookie with restriction to only the CAS server URL,
> >     meaning that the cookie is not sent to your application.
> >     Your CAS client authentication APIs make calls to the CAS server and
> >     therefore this cookie is automatically sent to the CAS server as
> >     here the cookie domain matches.
> >     This behaviour makes perfect sense as it makes the CAS SSO secure.
> >     Otherwise other applications / persons could grab this cookie and
> >     exploit it.
> >
> >
> >
> >     2014-02-27 17:49 GMT+01:00 Richie <[email protected]
> >     <mailto:[email protected]>>:
> >
> >         I'm hoping that someone will be able to point me in the correct
> >         direction.
> >
> >         I have an existing project that uses .NET CAS (C#, framework 4),
> >         and everything works great with SSO for these other
> >         applications.  I didn't have anything to do with the original
> >         building of this site, and those sites that use SSO.  To make
> >         matters worse there doesn't seem to be anyone to talk with to
> >         find out how they're making this work, so I'm hoping the
> >         community can.
> >
> >         My issue is that I'm trying to incorporate an existing Secure
> >         Token Server to read the CAS cookie/token/ticket (not sure what
> >         it's called) to determine the logged in user's name.  That's
> >         it.  I just need to know how to grab the CAS cookie using C#
> >         .NET, and decrypt it to get a username.  Sounds easy enough,
> >         right?
> >
> >         Here's what I've tried:  When I authenticate with the CAS
> >         application on one browser tab, then open another and run my STS
> >         authenticated application. In code I try to grab all cookies in
> >         the browser, but I can't seem to locate the CAS cookie.  Can
> >         someone provide a code example for how this would be done, or
> >         walk me through a high level explanation?
> >
> >         Thanks for your time!
> >
> >
> >
> >
> >
> >
>
>
>

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev
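The gateway flow Max describes above (redirect to /login?gateway=true&service=..., get bounced back with or without a ?ticket=ST-..., then call /serviceValidate with the same service value), written out as an added example so the whole round trip can be run offline. This is not code from the thread, from the .NET CAS client or from the Jasig CAS project; it is in Python rather than C# for brevity, and the hostnames, the FakeCas stand-in for the CAS server and the username it returns are assumptions. Two details worth noting from the CAS protocol itself: /serviceValidate answers with XML (cas:authenticationSuccess/cas:user or cas:authenticationFailure with a code), whereas the plain-text "yes" plus username reply belongs to the older /validate endpoint; and a service ticket is bound to the exact service URL it was issued for and is consumed by its first validation, so a replayed or mis-addressed ticket fails rather than yielding a username.

```python
"""CAS 2.0 gateway login + serviceValidate round trip against an in-memory stand-in
for the CAS server.  Added illustration, not code from the cas-dev thread or the
Jasig CAS project.  Hostnames, FakeCas and the user name are assumptions."""
import urllib.parse
import xml.etree.ElementTree as ET

CAS_BASE = "https://cas.example.org/cas"                         # assumed CAS server
SERVICE_URL = "https://app.example.org/return-from-cas-handler"  # assumed client URL
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}   # namespace of CAS 2.0 XML responses


def gateway_login_url(service_url, cas_base=CAS_BASE):
    """Step 1: where the landing page sends the browser.  gateway=true makes CAS
    bounce back silently instead of showing a login form when there is no session."""
    query = urllib.parse.urlencode({"gateway": "true", "service": service_url})
    return f"{cas_base}/login?{query}"


def ticket_from_return_url(return_url):
    """Step 2: on the request arriving at /return-from-cas-handler, read the ticket
    CAS appended.  None means the user had no CAS session (gateway bounce)."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(return_url).query)
    ticket = params.get("ticket", [""])[0]
    return ticket if ticket.startswith("ST-") else None


def service_validate_url(ticket, service_url, cas_base=CAS_BASE):
    """Step 3: back-channel call.  'service' must equal the value passed to /login,
    otherwise CAS rejects the ticket with INVALID_SERVICE."""
    query = urllib.parse.urlencode({"service": service_url, "ticket": ticket})
    return f"{cas_base}/serviceValidate?{query}"


def parse_service_validate(xml_text):
    """Parse the XML /serviceValidate returns (the plain-text 'yes\\nuser' form is the
    older /validate endpoint).  Returns (username, None) or (None, failure_code)."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        user = ok.find("cas:user", CAS_NS)
        if user is None or not (user.text or "").strip():
            raise ValueError("authenticationSuccess without cas:user")
        return user.text.strip(), None
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return None, fail.get("code", "UNKNOWN")
    raise ValueError("not a cas:serviceResponse")


class FakeCas:
    """Constructed stand-in for the CAS server so the flow runs offline.  It keeps the
    two protocol rules the client cares about: a ticket is bound to one service URL
    and is consumed by the first validation."""

    def __init__(self):
        self._tickets = {}   # ticket -> service it was issued for
        self._n = 0

    def login(self, login_url, has_sso_cookie):
        """Return the URL the browser is redirected to, or 'LOGIN_FORM'."""
        q = urllib.parse.parse_qs(urllib.parse.urlparse(login_url).query)
        service = q["service"][0]
        if not has_sso_cookie:
            return service if q.get("gateway") == ["true"] else "LOGIN_FORM"
        self._n += 1
        ticket = f"ST-{self._n}-constructed"
        self._tickets[ticket] = service
        sep = "&" if "?" in service else "?"
        return f"{service}{sep}{urllib.parse.urlencode({'ticket': ticket})}"

    def service_validate(self, validate_url):
        q = urllib.parse.parse_qs(urllib.parse.urlparse(validate_url).query)
        ticket = q.get("ticket", [None])[0]
        service = q.get("service", [None])[0]
        bound = self._tickets.pop(ticket, None)   # single use: gone after this call
        if bound is None:
            return _failure("INVALID_TICKET", f"ticket {ticket!r} not recognized")
        if bound != service:
            return _failure("INVALID_SERVICE", f"ticket {ticket!r} not issued for {service!r}")
        return _success("richie")   # assumed user name


def _success(user):
    return (f"<cas:serviceResponse xmlns:cas='{CAS_NS['cas']}'>"
            f"<cas:authenticationSuccess><cas:user>{user}</cas:user>"
            f"</cas:authenticationSuccess></cas:serviceResponse>")


def _failure(code, msg):
    return (f"<cas:serviceResponse xmlns:cas='{CAS_NS['cas']}'>"
            f"<cas:authenticationFailure code='{code}'>{msg}</cas:authenticationFailure>"
            f"</cas:serviceResponse>")


def resolve_user(cas, return_url, service_url=SERVICE_URL):
    """What /return-from-cas-handler does.  (None, reason) means no SSO identity was
    established and the application should fall back to its own STS login."""
    ticket = ticket_from_return_url(return_url)
    if ticket is None:
        return None, "no CAS session"
    xml_text = cas.service_validate(service_validate_url(ticket, service_url))
    return parse_service_validate(xml_text)


if __name__ == "__main__":
    cas = FakeCas()
    back = cas.login(gateway_login_url(SERVICE_URL), has_sso_cookie=True)
    print(back, resolve_user(cas, back))
```

In a real deployment the two FakeCas calls are HTTP requests: the browser follows the /login redirect and the application server fetches the /serviceValidate URL over TLS itself, which is why the ticket (not the CAS cookie) is the only thing the application ever sees.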
