The TGT is your method of accessing services without having to provide your
authentication information.  It's essentially a shared secret between you and
the CAS server (which is why it's a session cookie scoped to the CAS domain
and path).

Cheers,
Scott


On Wed, Apr 6, 2011 at 10:28 AM, Eric Turley
<[email protected]> wrote:

> Going back to something you said before: “Essentially you're not allowed
> to share TGTs.”
>
> But isn’t the TGC just a key:value pair where the value is equal to the TGT
> string?
>
> If so, that’s sent all the way out to a user’s browser. So why not share
> it?
>
>
>
> We’re not actually trying to do SSO – we’re doing something different, as
> you can see in the attached picture.
>
> If we can share the TGT between the two clients, we can simplify our task –
> and probably leverage the CAS Java client webapp filters too.
>
>
>
> *From:* Scott Battaglia [mailto:[email protected]]
> *Sent:* Tuesday, March 29, 2011 11:40 AM
>
> *To:* [email protected]
> *Cc:* Eric Turley; Debbie Rinkevich
> *Subject:* Re: [cas-user] SSO and CAS ReST API setup
> *Importance:* High
>
>
>
> Essentially you're not allowed to share TGTs.  We can try and guide you a
> bit more with some more details.
>
>
>
> I.e. traditionally, webapp would CAS authenticate, and get a PGT.  It would
> then generate a PT for Client 1.    Client 1 would receive a PT from webapp
>
>
>
> Cheers,
>
> Scott
>
>
>
> On Tue, Mar 29, 2011 at 12:17 PM, Eric Turley <
> [email protected]> wrote:
>
> I’ve seen the proxy documentation on the wiki and cas homepage, but haven’t
> read it (was hoping I wouldn’t need to).
>
> So unless there are documents OTHER than those, I’ll just dig in and get
> back to you if necessary.
>
>
>
> *From:* Scott Battaglia [mailto:[email protected]]
> *Sent:* Tuesday, March 29, 2011 11:10 AM
>
>
> *To:* [email protected]
> *Subject:* Re: [cas-user] SSO and CAS ReST API setup
> *Importance:* High
>
>
>
> If you want a web application to access other services on behalf of the
> user then you should be using CAS's proxy authentication methods.
>
>
>
> Are you familiar with those at all?
>
>
>
> If not, I can find the appropriate documents.
>
>
>
> Cheers,
>
> Scott
>
>
>
> On Tue, Mar 29, 2011 at 12:05 PM, Eric Turley <
> [email protected]> wrote:
>
> Sorry, I’m not understanding clearly what you’re saying. (Or, possibly, I’m
> not properly explaining what I’m trying to say)
>
>
>
> More concretely, the two Clients in my “diagram” are both using ReST calls
> to the Webapp. So neither is actually a browser. I’m not sure if that was a
> misunderstanding. Does that change anything?
>
>
>
> And, tho you don’t support it, can the Webapp get the TGT and pass it
> around to Clients to be re-used for authentication without the user having
> to provide credentials again? (Or do you mean to say, “We don’t support
> this; you’re on your own”? Which is perfectly valid, just asking.)
>
>
>
>
>
> *From:* Scott Battaglia [mailto:[email protected]]
> *Sent:* Monday, March 28, 2011 8:46 PM
> *To:* [email protected]
> *Subject:* Re: [cas-user] SSO and CAS ReST API setup
> *Importance:* High
>
>
>
> The CAS Restful API does not support User-Agent (i.e. browser) single sign
> on.  We do not support another application passing credentials to the CAS
> server.
>
>
>
> On Mon, Mar 28, 2011 at 10:50 AM, Eric Turley <
> [email protected]> wrote:
>
> I want to use the CAS ReST API in a way that supports SSO.
> The setup we have is not ideal, but I want to try to support it as is for
> the moment.
> Our scenario is as follows:
> 1. Client1 makes an authz call (including username/password credentials) to
> Webapp, which makes an auth ReST call to CAS (
> http://localhost:9010/cas/v1/tickets), acquiring the TGT.
> 2. I'd like Client1 to pass the TGT to Client2 so it can ...
> 3. Client2 makes ReST calls to the WebApp (for whatever it needs), passing
> the TGT. Internally, Webapp will use that to authenticate Client2 with CAS.
>
>    +---+
>    |CAS|
>    +---+------+------+
>               |WebApp|
>               '------+
>        1 Auth/        \3 Auth
>             /          \w/TGT
>            /    ->      \
>    +-------+ 2 Pass TGT +-------+
>    |Client1|------------|Client2|
>    +-------+            +-------+
>
> I'm really pretty confused about CAS, so likely, I'm going about this all
> wrong. Please advise. :)
> (Tho, I'm limited by the public API in use by the WebApp clients.)
>
>
>
> Eric Turley | Sr. Platform Engineer | UTV Ignition Games
>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

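Added example (not part of the original thread and not CAS's own code): a toy in-memory model of the ticket scoping discussed above, showing that a service ticket is single-use and bound to one service while whoever holds the TGT can obtain tickets for any service. The class and method names, the 10-second lifetime, the sample account and the example.* URLs are assumptions made for illustration.

```python
import secrets
import time


class ToyCas:
    """In-memory model of CAS ticket scoping (illustrative, not CAS code)."""
    ST_TTL = 10  # seconds; constructed value for this example

    def __init__(self, users):
        self.users = users  # username -> password (constructed sample data)
        self.tgts = {}      # TGT -> username
        self.sts = {}       # ST -> (username, service, expiry)

    def login(self, username, password):
        # Models POST /v1/tickets with credentials: returns a TGT.
        expected = self.users.get(username)
        if expected is None or not secrets.compare_digest(expected, password):
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt] = username
        return tgt

    def grant_st(self, tgt, service):
        # Models POST /v1/tickets/{TGT} with service=...: the TGT alone
        # is enough to mint a ticket for any service.
        if tgt not in self.tgts:
            raise PermissionError("unknown or expired TGT")
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (self.tgts[tgt], service, time.monotonic() + self.ST_TTL)
        return st

    def validate(self, st, service):
        # pop() makes the ticket single-use; it must also match the service.
        user, bound, expiry = self.sts.pop(st, (None, None, 0.0))
        if user is None or bound != service or time.monotonic() > expiry:
            return None
        return user


def demo():
    api, other = "https://webapp.example/api", "https://other.example/"
    cas = ToyCas({"eric": "s3cret"})
    tgt = cas.login("eric", "s3cret")
    st = cas.grant_st(tgt, api)
    first = cas.validate(st, api)                         # accepted once
    replay = cas.validate(st, api)                        # replay rejected
    wrong = cas.validate(cas.grant_st(tgt, api), other)   # wrong service
    roam = cas.validate(cas.grant_st(tgt, other), other)  # TGT holder roams
    return first, replay, wrong, roam
```

In this model a client that is handed only a service ticket can use it once against one service, which is the exposure difference behind "you're not allowed to share TGTs".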