Dom,

No. Service B cannot determine the identity of the end user without acquiring and validating a Service Ticket.

This is a feature. There's a checkbox on the CAS login UI allowing end users to choose "warn me before logging me in to other services" that will introduce an interstitial confirmation page to what would otherwise be a transparent, no-additional-credential-entry-required, authentication. Requiring interaction with CAS, rather than, say, exposing an advisory user identity representing cookie, or exposing a cookie that authenticates the user to future services without additional interaction with CAS (e.g. a cryptographically signed identity assertion) would introduce the problem of user identity being revealed to subsequently visited applications without the user having had a chance to opt out of this behavior. Among other problems.

Andrew

dom wrote:
> Thanks for your reply, Scott.
>
> If I've gotten this correct. (with renew = false)
>
> 1. Client successfully logs into Service A.
> 2. Ticket Granting Ticket is created, added to Ticket Registry.
> 3. Client moved to Service B.
> 4. Service B redirects to CAS, sending Ticket Granting Cookie.
> 5. CAS checks Ticket Registry for Ticket Granting Ticket.
> 6. If Ticket is found and has not expired.
>    creates a new Service Ticket for Service B.
> 7. CAS redirects client to Service B without asking for credentials.
>
> If this is correct
> can Service B determine the user name without asking the client for it?
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
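The ticket flow discussed in this thread, as an added example that is not part of the original messages and is not CAS project code: a toy in-memory model showing that the Service Ticket is opaque, bound to one service and single use, so the validation call is the only step that gives Service B a username. The class name, the service URLs used with it and the ticket lifetimes are assumptions made for illustration.

```python
import secrets
import time


class MiniCAS:
    """Toy model of the CAS ticket flow (illustrative, not the CAS server)."""

    def __init__(self, tgt_lifetime=3600, st_lifetime=10):
        # Lifetimes in seconds are assumed values, not CAS defaults.
        self.tgts = {}  # TGT id -> (username, expiry)
        self.sts = {}   # ST id  -> (username, service, expiry)
        self.tgt_lifetime = tgt_lifetime
        self.st_lifetime = st_lifetime

    def login(self, username, now=None):
        """Steps 1-2: credentials were accepted, register a TGT."""
        now = time.time() if now is None else now
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt] = (username, now + self.tgt_lifetime)
        return tgt  # ticket-granting cookie value; the browser sends it only to CAS

    def grant_service_ticket(self, tgc, service, now=None):
        """Steps 4-7: exchange the cookie for a ticket bound to one service."""
        now = time.time() if now is None else now
        entry = self.tgts.get(tgc)
        if entry is None or entry[1] <= now:
            return None  # no valid TGT: CAS would ask for credentials again
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (entry[0], service, now + self.st_lifetime)
        return st  # random and opaque: the ticket itself carries no identity

    def validate(self, ticket, service, now=None):
        """Back-channel call made by the service; returns the username or None."""
        now = time.time() if now is None else now
        entry = self.sts.pop(ticket, None)  # single use: gone after the first attempt
        if entry is None:
            return None
        username, bound_service, expiry = entry
        if bound_service != service or expiry <= now:
            return None  # issued for another service, or expired
        return username
```
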
