After posting this, I did find that including the PGTurl parameter did cause CAS to include the encrypted PGT in the validation response. I don't believe that the PGTurl must actually be accessible by the CAS server, though. In my case, there is no ability for that to happen, and I was able to make the encrypted exchange work.
It seems that the only way to trigger the proxy behavior is to include the PGTurl param, regardless of whether it can actually be used or not. I did not investigate whether CAS attempts to connect first and then only includes the PGT in the response if that fails. So the feature does work, but how to elicit the desired behavior is not obvious.

Thanks,
-dirk

On Fri, Aug 31, 2018 at 10:38 AM Sean Carr <[email protected]> wrote:
> I think you still need to have a valid PGT Callback URL, which is a bit
> strange as you don't need to use it to retrieve the PGT.
>
> I got it working as follows:
>
> curl -X GET -k "https://cas-server:8443/cas/p3/serviceValidate?ticket=ST-*******&service=https://*****&pgtUrl=https://*****:4443"
>
> If the CAS Server is able to communicate to the pgtUrl, it will send the
> PGT and PGTIOU to this URL as normal, but it will also return the PGT in
> the XML response to the above request.
>
> Sean
>
> On Monday, August 6, 2018 at 5:57:52 PM UTC+1, Dirk Tepe wrote:
>> I am interested in developing a proof-of-concept based on the "PGT in
>> Validation Response" feature documented here:
>>
>> https://apereo.github.io/cas/5.3.x/installation/Configuring-Proxy-Authentication.html#pgt-in-validation-response
>>
>> We are running CAS 5.3.2 and have successfully used public/private keys
>> in services for ClearPass, so we believe we understand the expected
>> operation.
>>
>> I have successfully had a release of the PGTiou to a service using the
>> traditional PGTurl feature, so I believe the basic proxy authorization is
>> also functional for the service.
>>
>> I am trying to address a situation "such that invoking a callback url to
>> receive the proxy granting ticket is not feasible, CAS may be configured to
>> return the proxy-granting ticket id directly in the validation response". I
>> am unclear how to trigger the release of the proxyGrantingTicketId in the
>> validation response, though. The documentation only describes the need to
>> set up the public key and ensure authorizedToReleaseProxyGrantingTicket is
>> true for the service. There is no mention of how to elicit the release in
>> the validation response rather than expecting the PGTurl.
>>
>> I had hoped the presence of authorizedToReleaseProxyGrantingTicket would
>> trigger that behavior, but that does not appear to be the case. I have been
>> unable to find any solution after hours of searching and testing.
>>
>> Any suggestions or clarification of the expected behavior would be
>> welcome.
>>
>> Dirk Tepe
>> Miami University
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ae837ca9-6f0e-4bdc-93fa-369ca6882df2%40apereo.org
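The round trip the thread describes (service calls /p3/serviceValidate with a pgtUrl, CAS returns the PGT encrypted with the service's registered public key inside the XML, the service decrypts it with its private key), as an added example that is not part of the original posts and is not CAS project code. It is a POSIX shell script built on openssl that simulates both sides offline, so the network call and the CAS server itself are replaced by a local function. Assumptions, labelled in the comments: RSA PKCS#1 v1.5 padding and single-line base64 for the ciphertext, and the element name cas:proxyGrantingTicket; verify both against your CAS version before relying on them. The user name, ticket id, key files and XML response are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the CAS project or from this thread.
# Simulates the "PGT in validation response" exchange offline:
#   server side: encrypt the PGT id with the service's registered public key
#                and embed it in a /p3/serviceValidate XML success response
#   client side: extract the element and decrypt it with the service's private key
# Assumptions (verify against your CAS version): RSA PKCS#1 v1.5 padding,
# base64 ciphertext on one line, element name cas:proxyGrantingTicket.
# Every ticket value, user name and file name below is constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate the service key pair. In a real deployment the public key is the one
# registered on the service definition; the private key never leaves the service.
gen_service_keys() {
  openssl genrsa -out "$WORK/service.key" 2048 2>/dev/null
  openssl rsa -in "$WORK/service.key" -pubout -out "$WORK/service.pub" 2>/dev/null
}

# Server side (what CAS does when pgtUrl is present and the service has
# authorizedToReleaseProxyGrantingTicket=true): encrypt the PGT id with the
# service public key and base64-encode the ciphertext on a single line.
# (Assumed padding: PKCS#1 v1.5, which is openssl pkeyutl's default for RSA.)
encrypt_pgt() {
  printf '%s' "$1" \
    | openssl pkeyutl -encrypt -pubin -inkey "$WORK/service.pub" \
    | openssl base64 -A
}

# Build a constructed /p3/serviceValidate success response. With an empty PGT
# argument the element is omitted, which is what a service sees when no pgtUrl
# was sent with the validation request.
build_validation_response() {
  pgt_element=""
  if [ -n "$1" ]; then
    pgt_element="    <cas:proxyGrantingTicket>$(encrypt_pgt "$1")</cas:proxyGrantingTicket>"
  fi
  cat <<EOF
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>dtepe</cas:user>
$pgt_element
  </cas:authenticationSuccess>
</cas:serviceResponse>
EOF
}

# Client side: pull the ciphertext out of the XML and decrypt it with the
# service private key. Returns non-zero when the response carries no PGT, so a
# caller cannot mistake "nothing was released" for an empty ticket id.
extract_pgt() {
  enc=$(sed -n 's|.*<cas:proxyGrantingTicket>\([^<]*\)</cas:proxyGrantingTicket>.*|\1|p' "$1")
  [ -n "$enc" ] || return 1
  printf '%s' "$enc" \
    | openssl base64 -d -A \
    | openssl pkeyutl -decrypt -inkey "$WORK/service.key"
}

# Round-trip one constructed ticket id and print the decrypted value.
roundtrip() {
  build_validation_response "$1" > "$WORK/response.xml"
  extract_pgt "$WORK/response.xml"
}

gen_service_keys
echo "decrypted PGT: $(roundtrip 'PGT-1-constructedticketid-cas')"
```

Against a live server, `build_validation_response` is replaced by the request Sean posted (the `curl ... /cas/p3/serviceValidate?ticket=...&service=...&pgtUrl=...` call), and `extract_pgt` is run over its output. Two practical points from the thread carry over: the request still has to carry a syntactically valid pgtUrl even if nothing will ever answer there, and the decrypted value is the proxy-granting ticket itself, a bearer credential that lets the holder obtain proxy tickets for the user, so the private key and the decrypted ticket need the same protection you would give a session secret.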
