Hi Rickard,

Could you explain what requirements/limitations of your context lead to locating the CAS Server A in the internal network instead of the DMZ?

About deploying a ticket manager service in the DMZ, with ticket replication between A and C, this could be done using a distributed ticket registry (next release).

Best Regards.

Concerning your

On 11/11/06, Rickard Oberg <[EMAIL PROTECTED]> wrote:
> Hi!
>
> We are considering using CAS as our main authentication strategy, but
> I'm not sure it is able to handle our network topology.
>
> Basically, we have two webservers, one of which (A) is handling CAS
> login and one of which (B) hosts a service that we want users to be able
> to log on to. Users connect from an internal network, and the CAS login
> server A is also located on this network, and can use the internal LDAP
> directory for authentication requests. However, the second webserver B
> providing the actual service is located on a DMZ which has no access to
> the internal network.
>
> Scenario:
> * Client uses browser to access B
> * Client is not logged in and is redirected to A
> * Client logs in. A verifies credentials with internal LDAP directory
> * Client is redirected back to B
> * B needs to validate ticket with A
>
> And in this last step comes the problem: since B is on the DMZ with no
> access to the internal network where A resides, is this scenario
> possible? It would seem that B needs to have a way to validate the
> ticket without contacting A for this to work. It seems to me that one
> would have to add a third server C, a ticket manager, for this to work.
> C would be located on the DMZ so that both A and B can access it. After
> authentication on A it would send the ticket to C, and when the user is
> redirected to B it will validate the ticket against C instead of A.
>
> Any ideas? Has anyone come across this before? Is it fixable at all??
>
> /Rickard
> _______________________________________________
> Yale CAS mailing list
> cas@tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>

--
Best regards.
Marc-Antoine Garrigue
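The A/B/C arrangement discussed in this thread, modelled as an added example (not part of the mailing list exchange and not CAS project code): the login server A writes service tickets into a registry that the DMZ validation endpoint C also sees, and the checks C must perform before B trusts a ticket (single use, service binding, expiry). Class names, the `ST-` prefix and the service URLs are assumptions constructed for the example.

```python
"""Model of a CAS service-ticket registry shared between login server A
and a DMZ validation endpoint C. Added example, not CAS code; names assumed."""
import secrets
import time
from dataclasses import dataclass

ST_LIFETIME_SECONDS = 10  # service tickets are short-lived by design

@dataclass
class ServiceTicket:
    service: str  # service URL the ticket was issued for
    user: str
    issued_at: float
    used: bool = False

class TicketRegistry:
    """Store that A writes to and C reads from. A real deployment would
    replicate it; an in-memory dict keeps this example offline."""
    def __init__(self):
        self._tickets = {}

    def grant_service_ticket(self, user, service, now=None):
        now = time.time() if now is None else now
        tid = "ST-" + secrets.token_urlsafe(24)  # unguessable ticket id
        self._tickets[tid] = ServiceTicket(service, user, now)
        return tid

    def validate(self, ticket_id, service, now=None):
        """Validator checks: exists, unused, same service, unexpired.
        Consumes the ticket on first presentation; returns user or None."""
        now = time.time() if now is None else now
        st = self._tickets.get(ticket_id)
        if st is None or st.used:
            return None
        st.used = True  # one-time use, even if a later check fails
        if st.service != service or now - st.issued_at > ST_LIFETIME_SECONDS:
            return None
        return st.user

def demo():
    """A issues tickets for B; B validates via C's copy of the registry."""
    reg, svc, t0 = TicketRegistry(), "https://b.dmz.example/app", 1_000_000.0
    st = reg.grant_service_ticket("alice", svc, now=t0)
    results = {"valid": reg.validate(st, svc, now=t0 + 1),
               "replay": reg.validate(st, svc, now=t0 + 2)}
    st2 = reg.grant_service_ticket("alice", svc, now=t0)
    results["wrong_service"] = reg.validate(st2, "https://other.example/", now=t0 + 1)
    st3 = reg.grant_service_ticket("alice", svc, now=t0)
    results["expired"] = reg.validate(st3, svc, now=t0 + ST_LIFETIME_SECONDS + 1)
    return results
```

Only the first presentation of a fresh ticket for the matching service yields a user; a replay, a ticket presented by another service, or a stale ticket is rejected, which is the behaviour the validation endpoint C must reproduce for B to trust it.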