Eric,

Maybe I am just not getting the whole picture. Are you not able to configure the document storage system to accept proxy tickets? If you can, CAS-proxy would be transparent to the user:

1) User browses to web app.
2) Redirected to CAS login.
3) Auth & redirect to web app with ST.
4) Web app validates ST, obtains PGT.
5) Web app requests PT from CAS.
6) Web app uses PT to request documents from the document storage service.
7) Document storage system validates PT with CAS and returns document info.

Steps 4-7 all happen on the server side, so the user doesn't see any of it.

In your impersonation setup, I am assuming you need to perform some kind of access control right at the CAS server to determine which authorized accounts can actually use which documents (unless it is basically open to anyone who can authenticate). Is that correct?

Thanks,
Carl

----- Original Message -----
From: "Eric Lauffenburger" <[email protected]>
To: [email protected]
Sent: Wednesday, May 14, 2014 7:38:24 PM
Subject: Re:[cas-dev] CAS Impersonation

Hey Carl,

Users can definitely access the system with their accounts; this is intended to happen from behind-the-scenes, meaning that it's something the user should never see (imagine an async call like something from $.ajax(...) or what have you). Again, this is so that the service can contact the API without a user ever seeing it happen or being redirected through hoops.

Best,
Eric

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
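Added example, not part of the thread and not CAS project code: a toy in-memory model of the seven-step proxy flow listed in the message above, showing the checks the document storage side relies on (single-use tickets, tickets bound to one service, and an allowlist of proxying services). The class, function names and URLs are constructed for illustration, and the model is simplified: a real CAS server delivers the PGT through a callback to the web app's pgtUrl rather than returning it directly.

```python
import secrets

class ToyCAS:  # constructed stand-in for a CAS server, not the real API
    def __init__(self):
        self.st, self.pgt, self.pt = {}, {}, {}
    def login(self, user, service):
        # Steps 2-3: after authentication, issue an ST bound to one service.
        t = "ST-" + secrets.token_hex(8)
        self.st[t] = (user, service)
        return t
    def service_validate(self, ticket, service):
        # Step 4: an ST is single-use and only valid for the service it names.
        user, bound = self.st.pop(ticket, (None, None))
        if user is None or bound != service:
            return None
        pgt = "PGT-" + secrets.token_hex(8)
        self.pgt[pgt] = (user, service)
        return user, pgt
    def proxy(self, pgt, target_service):
        # Step 5: the PGT holder requests a PT scoped to the target service.
        if pgt not in self.pgt:
            return None
        user, proxy_service = self.pgt[pgt]
        t = "PT-" + secrets.token_hex(8)
        self.pt[t] = (user, target_service, proxy_service)
        return t
    def proxy_validate(self, ticket, service):
        # Step 7: a PT is single-use; the answer names user and proxy chain.
        user, bound, proxy_service = self.pt.pop(ticket, (None, None, None))
        if user is None or bound != service:
            return None
        return user, [proxy_service]

WEB_APP = "https://webapp.example/"   # constructed URLs
DOC_STORE = "https://docs.example/api"
TRUSTED_PROXIES = {WEB_APP}           # document store's allowlist of proxies

def fetch_document(cas, pt):
    # Steps 6-7, document storage side: validate the PT, then check the chain.
    result = cas.proxy_validate(pt, DOC_STORE)
    if result is None:
        return "denied: invalid ticket"
    user, chain = result
    ok = set(chain) <= TRUSTED_PROXIES
    return f"documents for {user}" if ok else "denied: untrusted proxy"

def run_flow(cas, user):  # steps 1-5 as the web app performs them
    _, pgt = cas.service_validate(cas.login(user, WEB_APP), WEB_APP)
    return cas.proxy(pgt, DOC_STORE)
```

The proxy allowlist in `fetch_document` is where the document store decides which services may act on a user's behalf; per-document access control would still be applied to the returned user name.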
