We're integrating Google Apps with our CAS SSO, and we're also using uPortal. I'm trying to arrive at the right combination of availability and security, and would appreciate any thoughts.
Currently, a user logged in to our portal can browse to mail.google.com and be authenticated with their existing CAS ticket. That's fine. A user who is not logged in to the portal can browse to mail.google.com, be redirected to our CAS login, then redirected back to Google. The security problem is that then, given our SSO environment, they are also authenticated at the portal and will remain so until they close the browser, even though they never "visited" the portal.

Other scenarios to get around the problem that I can imagine but am not sure how to implement:

1) The user only gets SSO authentication at Google if they already expressly logged in to the portal. Otherwise they must authenticate at Google, or perhaps be directed to the portal log in (log in to the portal, not just do CAS authentication).

2) If the user has not already expressly logged in to the portal, when they browse to mail.google.com, they go through CAS authentication but get a ticket that can only be used for Google -- i.e., they are not simultaneously authenticated in the portal.

I'd appreciate hearing from others on this. Best practices? Did you go with a different arrangement? Am I overlooking some basic CAS setup that would solve the problem? I am new to both uPortal and CAS, so any level of advice here would be helpful.

Thanks,
Ed

--
Ed Hillis, Web Programmer
Southwestern University
1001 East University Avenue, Georgetown, TX 78626
512.863.1066
hill...@southwestern.edu

--
You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user