Hi Tung,

I think you found a typo (probably from copying and pasting from the 1st access, 1st application chunk). CAS returned ST-345678 in a redirect header. The browser should have

GET https://app2.example.com/?ticket=ST-345678

and the client application should have

GET https://cas.example.com/serviceValidate?service=https://app2.example.com&ticket=ST-345678

(I didn't encode the URL like it should be.)

CAS Server should not issue the same ST twice. In the default settings, STs expire in 10 sec. It is possible to set CAS up to allow the re-use of an ST, but this is usually for client web apps that can't maintain state themselves and need to re-validate the user at each web request.

---
*John Gasper*
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

On 12/1/14 2:33 AM, wingtung.leung wrote:
> Hi David,
>
> I accidentally hit your nice UML diagram when I was looking around for a
> graphical flow explaining to me how CAS basically works, and found it on the
> URL below:
>
> http://jasig.github.io/cas/4.0.0/protocol/CAS-Protocol.html
>
> I was especially interested in the part of authentication for the second
> application (thinking whether we could "reuse" a ST ticket or not).
>
> Your diagram describes this part under the section "First Access To Second
> Application", where CAS returns ST ticket "ST-345678" (different from ticket
> for first application) to the browser. Strangely enough, the flow then
> continues with "ST-12345678", which is exactly the same ticket as the one
> for the first application.
>
> I am not the CAS expert at all (!), but I found an online post referring to
> the CAS specification that ST tickets should NEVER be reused, so this,
> combined with your diagram, confuses me.
>
> https://github.com/Jasig/phpCAS/issues/144
> https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md
>
> Is it normal that the browser suddenly switches from the ST-2345678 ticket
> to ST-12345678?
>
> Many thanks for any feedback!
>
> Tung
>
> --
> View this message in context:
> http://jasig.275507.n4.nabble.com/Documenting-the-CAS-protocol-using-sequence-diagrams-is-this-useful-tp4660522p4664492.html
> Sent from the CAS Developers mailing list archive at Nabble.com.
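
The single-use, per-service behaviour discussed in this thread, as an added example that is not part of the original messages and is not the CAS server's own code. It is a toy in-memory ticket registry; the class and function names, the app1.example.com URL and the user name are constructed for illustration, and the 10-second lifetime is the default mentioned in the reply.

```python
import secrets
import time

ST_LIFETIME_SECONDS = 10  # default ST lifetime mentioned in the reply above


class ServiceTicketRegistry:
    """Toy in-memory registry (hypothetical, not the CAS implementation)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock   # injectable so expiry can be shown without sleeping
        self._tickets = {}    # ticket id -> (service URL, user, issue time)

    def grant(self, service, user):
        """Issue a fresh, unpredictable ST bound to exactly one service."""
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (service, user, self._clock())
        return ticket

    def validate(self, service, ticket):
        """Return the user on success, None on failure.

        The ticket is removed on its first validation attempt, successful
        or not, so presenting it a second time always fails.
        """
        entry = self._tickets.pop(ticket, None)  # pop enforces single use
        if entry is None:
            return None                          # unknown or already used
        bound_service, user, issued = entry
        if self._clock() - issued > ST_LIFETIME_SECONDS:
            return None                          # expired
        if bound_service != service:
            return None                          # issued for another application
        return user


def demo():
    """Walk through first access to two applications (constructed values)."""
    now = [0.0]                                  # fake clock we can advance
    reg = ServiceTicketRegistry(clock=lambda: now[0])
    app1, app2 = "https://app1.example.com", "https://app2.example.com"
    st1, st2 = reg.grant(app1, "alice"), reg.grant(app2, "alice")
    results = {
        "distinct": st1 != st2,                       # each service gets its own ST
        "app2_first_use": reg.validate(app2, st2),    # accepted once
        "app2_replay": reg.validate(app2, st2),       # same ST again: rejected
        "st1_at_app2": reg.validate(app2, st1),       # app1's ST at app2: rejected
    }
    st3 = reg.grant(app2, "alice")
    now[0] += ST_LIFETIME_SECONDS + 1                 # let the ticket age out
    results["expired"] = reg.validate(app2, st3)
    return results
```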