Most of our clients support standard APIs (i.e. the Java Client, .NET, and
mod_auth_cas).  I'd recommend you use the standard APIs as your abstraction
layer and not a platform. We don't support a layer like you're suggesting
between the clients and the CAS server, nor do we encourage something else
submitting credentials on behalf of the user.

You're not buying much by doing what you're doing since I don't know if you
could make the platform APIs generic enough to support all the protocols
you'd want to support (and you would need to balance the chance you'd
actually change auth methods against the effort required to implement this
platform).

Cheers,
Scott


On Tue, Apr 5, 2011 at 10:51 AM, Eric Turley
<[email protected]> wrote:

> An ASCII diagram won’t suffice here. Attaching picture.
>
>
>
> Note that our current architecture includes a “Platform” server. The
> intention (for good or ill) is that everything talks to it, and CAS is
> hidden (presumably so we can change our auth strategy without affecting
> clients).
>
> Does this diagram represent a viable strategy?
>
>
>
> Thanks.
>
>
>
>
>
> *From:* Scott Battaglia [mailto:[email protected]]
> *Sent:* Monday, April 04, 2011 3:58 PM
>
> *To:* [email protected]
> *Cc:* Eric Turley; Debbie Rinkevich
> *Subject:* Re: [cas-user] SSO and CAS ReST API setup
> *Importance:* High
>
>
>
> You shouldn't need to.  It's part of the normal request/response protocol
> for validation which is programmatic already.
>
>
>
> Cheers,
>
> Scott
>
>
>
> On Mon, Apr 4, 2011 at 4:01 PM, Eric Turley <[email protected]>
> wrote:
>
> OK. I’ve read up on CAS proxying.
>
> I see how that would normally work, but I don’t see anything about proxying
> included in the CAS REST API
> <https://wiki.jasig.org/display/CASUM/RESTful+API> doc.
>
> Is it possible to get PGTs, PGTIOUs, and PTs with REST calls?
>
>
>
>
>
> *From:* Scott Battaglia [mailto:[email protected]]
> *Sent:* Tuesday, March 29, 2011 11:40 AM
>
>
> *To:* [email protected]
>
> *Cc:* Eric Turley; Debbie Rinkevich
>
>
> *Subject:* Re: [cas-user] SSO and CAS ReST API setup
> *Importance:* High
>
>
>
> Essentially you're not allowed to share TGTs.  We can try and guide you a
> bit more with some more details.
>
>
>
> I.e. traditionally, webapp would CAS authenticate, and get a PGT.  It would
> then generate a PT for Client 1.    Client 1 would receive a PT from webapp
>
>
>
> Cheers,
>
> Scott
>
>
>
> On Tue, Mar 29, 2011 at 12:17 PM, Eric Turley <
> [email protected]> wrote:
>
> I’ve seen the proxy documentation on the wiki and cas homepage, but haven’t
> read it (was hoping I wouldn’t need to).
>
> So unless there are documents OTHER than those, I’ll just dig in and get
> back to you if necessary.
>
>
>
> *From:* Scott Battaglia [mailto:[email protected]]
> *Sent:* Tuesday, March 29, 2011 11:10 AM
>
>
> *To:* [email protected]
> *Subject:* Re: [cas-user] SSO and CAS ReST API setup
> *Importance:* High
>
>
>
> If you want a web application to access other services on behalf of the
> user then you should be using CAS's proxy authentication methods.
>
>
>
> Are you familiar with those at all?
>
>
>
> If not, I can find the appropriate documents.
>
>
>
> Cheers,
>
> Scott
>
>
>
> On Tue, Mar 29, 2011 at 12:05 PM, Eric Turley <
> [email protected]> wrote:
>
> Sorry, I’m not understanding clearly what you’re saying. (Or, possibly, I’m
> not properly explaining what I’m trying to say)
>
>
>
> More concretely, the two Clients in my “diagram” are both using ReST calls
> to the Webapp. So neither is actually a browser. I’m not sure if that was a
> misunderstanding. Does that change anything?
>
>
>
> And, tho you don’t support it, can the Webapp get the TGT and pass it
> around to Clients to be re-used for authentication without the user having
> to provide credentials again? (Or do you mean to say, “We don’t support
> this; you’re on your own”? Which is perfectly valid, just asking.)
>
>
>
>
>
> *From:* Scott Battaglia [mailto:[email protected]]
> *Sent:* Monday, March 28, 2011 8:46 PM
> *To:* [email protected]
> *Subject:* Re: [cas-user] SSO and CAS ReST API setup
> *Importance:* High
>
>
>
> The CAS Restful API does not support User-Agent (i.e. browser) single sign
> on.  We do not support another application passing credentials to the CAS
> server.
>
>
>
> On Mon, Mar 28, 2011 at 10:50 AM, Eric Turley <
> [email protected]> wrote:
>
> I want to use the CAS ReST API in a way that supports SSO.
> The setup we have is not ideal, but I want to try to support it as is for
> the moment.
> Our scenario is as follows:
> 1. Client1 makes an authz call (including username/password credentials) to
> Webapp, which makes an auth ReST call to CAS (
> http://localhost:9010/cas/v1/tickets), acquiring the TGT.
> 2. I'd like Client1 to pass the TGT to Client2 so it can ...
> 3. Client2 makes ReST calls to the WebApp (for whatever it needs), passing
> the TGT. Internally, Webapp will use that to authenticate Client2 with CAS.
>
>    +---+
>    |CAS|
>    +---+------+------+
>               |WebApp|
>               '------+
>        1 Auth/        \3 Auth
>             /          \w/TGT
>            /    ->      \
>    +-------+ 2 Pass TGT +-------+
>    |Client1|------------|Client2|
>    +-------+            +-------+
>
> I'm really pretty confused about CAS, so likely, I'm going about this all
> wrong. Please advise. :)
> (Tho, I'm limited by the public API in use by the WebApp clients.)
>
>
>
> Eric Turley | Sr. Platform Engineer | UTV Ignition Games
>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
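The proxy-ticket validation step discussed in this thread, as an added example that is not part of the original messages or of any CAS client: it parses a CAS 2.0 `/proxyValidate` response and accepts the user only when every proxy in the chain is allow-listed, which is how a backend can trust the webapp without ever seeing a TGT. The XML bodies, user name, callback URL and function names are constructed for illustration; the response layout follows the CAS 2.0 protocol specification, not this thread.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample bodies (not captured from a real CAS server).
SAMPLE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxies>
      <cas:proxy>https://webapp.example.org/cas/pgtCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">PT-1-constructed not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

# Hypothetical allow-list: proxy callback URLs this backend is willing to trust.
TRUSTED_PROXIES = {"https://webapp.example.org/cas/pgtCallback"}


class CasValidationError(Exception):
    """Raised when the ticket is rejected or the response cannot be trusted."""


def parse_proxy_validate(xml_text):
    """Return (user, proxy_chain) from a validation response, or raise."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise CasValidationError(failure.get("code", "UNKNOWN"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    user = success.findtext("cas:user", namespaces=CAS_NS) if success is not None else None
    if not user or not user.strip():
        raise CasValidationError("MALFORMED_RESPONSE")
    chain = [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS) if p.text]
    return user.strip(), chain


def accept_proxied_user(xml_text, trusted=TRUSTED_PROXIES):
    """Accept the user only if every proxy in the chain is on the allow-list.

    An empty chain means the ticket came from a direct login, not a proxy.
    """
    user, chain = parse_proxy_validate(xml_text)
    if any(proxy not in trusted for proxy in chain):
        raise CasValidationError("UNTRUSTED_PROXY")
    return user
```
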
