Chris,

It is true, you don't need to use a Service Manager, but that means that *any* 
service can use your CAS.  This might not be what you want-- a rogue service 
provider could leverage your CAS in order to fool your users into thinking it 
is a trustworthy service.  Once authenticated, it may ask for sensitive 
information.  So while the rogue service can't get a user's password, it could 
potentially trick them into revealing other PII.

CAS needs to run as an HTTPS site-- the TGT is stored in a secure cookie.
Services don't *have* to be HTTPS unless they want to leverage PGTs, but in 
practice it makes sense to secure services in many cases.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

----- Original Message -----
From: "Chris Adams" <chris.a.ad...@state.or.us>
To: cas-user@lists.jasig.org
Sent: Tuesday, January 27, 2015 12:53:15 PM
Subject: [cas-user] question about Service Management

Hello all,

I was just looking into building the Service Management module, as I assumed 
it was required.

I am utilizing CAS for SSO for a handful of services. From the CAS 
documentation, it says:

"It is not required to use the service management facility explicitly. CAS 
ships with a default configuration that is suitable for deployments that do not 
need or want to leverage the capabilities above. The default configuration 
allows any service contacting CAS over https/imaps to use CAS and receive any 
attribute configured by an IPersonAttributeDao bean."

Does that mean that I don't have to register these services if I don't need to 
manage them with this interface? Can I just append the URL of the service to 
the CAS server login string and be done with it?

Also, somewhere in the docs, it said that any service also had to utilize SSL. 
Can someone verify that?

Many thanks,

Christopher Adams

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
waldb...@lafayette.edu
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
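
The difference between the open default and a restricted service registry discussed in this thread, as an added example that is not part of the original messages and is not CAS's own matching code. It assumes registry entries are regular expressions matched against the `service` URL; all host names and the registry contents are constructed sample values.

```python
import re

# Modelled on the default quoted in the thread: any https/imaps service is accepted.
OPEN_REGISTRY = [r"(https|imaps)://.*"]

# Hypothetical restricted registry: one anchored, dot-escaped entry per service.
RESTRICTED_REGISTRY = [
    r"https://portal\.example\.edu(:443)?(/.*)?",
    r"https://mail\.example\.edu(:443)?(/.*)?",
]

# A carelessly written entry: unescaped dots and no end anchor.
LOOSE_REGISTRY = [r"https://portal.example.edu"]

# Constructed sample service URLs.
SAMPLE_SERVICES = [
    "https://portal.example.edu/app/login",             # registered service
    "https://survey.unregistered.example/collect",      # service nobody registered
    "https://portal.example.edu.unregistered.example/", # lookalike host name
    "http://portal.example.edu/app/login",              # registered host, plain http
]


def is_registered(service_url, registry, anchored=True):
    """Return True if the service URL matches any registry pattern.

    anchored=True requires the whole URL to match (re.fullmatch);
    anchored=False only requires a matching prefix (re.match).
    """
    match = re.fullmatch if anchored else re.match
    return any(match(pattern, service_url) for pattern in registry)


def decisions(registry, anchored=True):
    """Map every sample service URL to the registry's allow/deny decision."""
    return {url: is_registered(url, registry, anchored) for url in SAMPLE_SERVICES}


if __name__ == "__main__":
    for name, registry, anchored in (
        ("open", OPEN_REGISTRY, True),
        ("restricted", RESTRICTED_REGISTRY, True),
        ("loose", LOOSE_REGISTRY, False),
    ):
        print(name)
        for url, allowed in decisions(registry, anchored).items():
            print(f"  {'ALLOW' if allowed else 'DENY ':5} {url}")
```

The loose registry shows why entries should be anchored and have their dots escaped: a prefix match accepts the lookalike host just as the open default does.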
