SSO and CAS for disconnected systems
  • SSO and CAS for disconnected systems


    Here's the scenario.
    We have a main system A, and a subsystem B. Users usually log on to subsystem B to do their work, and sometimes use services from system A.

    Both A and B can authenticate users using the same user/pass pair. However, since users have already logged in to B, it is a good idea that they don't need to log in to system A again when they need to access system A.

    Another problem is that subsystem B and its users lie behind a firewall/NAT, so system A cannot access subsystem B directly. They can only establish outgoing connections using HTTP.

    Yes, I know CAS can facilitate SSO across web applications; also CAS can proxy users' credentials. However, I still don't know how I should configure the authentication mechanisms for systems A and B using Acegi and CAS, so that after users have logged in to subsystem B, they can transparently access services from system A, in the situation above.

    Hope I made myself clear. Can anybody shed some light on this for me?

    Thanks in advance.

  • #2
    Will system B be using System A on the users' behalf? If not, you don't need proxy authentication.

    What you need to do is configure both applications to use Acegi & CAS (there are documents on this in the Acegi web site). Once you have done this, when you go to the first application and authenticate it creates a TicketGrantingTicket for you which along with a TGT cookie enables single sign on in the web tier. From that point on, as long as your TGT is valid and you have not told system A or B to force re-authentication, they can both enjoy single sign on. They will not be presented with another log on screen.


    • #3
      Thanks for the reply. However, I would like to ask one more question, just for clarification...

      Following what you said, when I set sendRenew to false on the ServiceProperties of CAS, and users attempt to access a resource from system A, given that the user has logged in to system B in advance, can users immediately access the resources from system A without logging in again? Or do I have to make a URL which appends the user's ticket, which is stored in the client's cookie, and send it to system A?

      Thanks again.


      • #4
        What will happen is this (this is just a sample):

        1. You go to System A.
        2. Acegi redirects you to CAS
        3. You authenticate with CAS (TicketGrantingTicket cookie, etc.)
        4. CAS redirects you to System A with ServiceTicket
        5. Service A validates service ticket and you are let into A
        6. You decide to access System B
        7. You go to System B
        8. System B says hey I don't know who this is and redirects to CAS
        9. Without a renew=true, CAS already knows who you are and redirects you back to the app with a ServiceTicket. You do not need to reauthenticate.

        Most of this flow will be handled automatically by Acegi and CAS.

        I hope that explains it better.
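The nine-step flow in #4, and the sendRenew question in #3, can be checked end to end with a small simulation. The code below is an added example written for this thread; it is not code from the thread, from Acegi, or from the CAS project. `CasServer`, `Browser`, `Service`, the ticket formats, the two service URLs and the user `alice` are all constructed for the demonstration; real CAS issues tickets over HTTPS and Acegi's CAS filter does the redirect and validation work on the service side. The point it shows: one login at B yields a TGT cookie, A then gets a ServiceTicket with no second login screen unless A sets renew, and a ServiceTicket is single-use and bound to the service that asked for it.

```python
"""Simulation of the CAS single sign-on flow described in this thread.

Added example, not code from the thread or from the Acegi/CAS projects.
All class names, ticket formats, in-memory stores and the sample user are
constructed for the demonstration.
"""
import secrets

USERS = {"alice": "correct-horse-battery"}  # constructed sample credentials


class LoginRequired(Exception):
    """CAS has to show the login screen (no usable TGT, or renew demanded)."""


class CasServer:
    def __init__(self):
        self.tgts = {}             # TicketGrantingTicket id -> username
        self.service_tickets = {}  # ServiceTicket id -> (username, service URL)

    def login(self, username, password):
        """Primary authentication; the returned TGT becomes the TGT cookie."""
        if USERS.get(username) != password:
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(12)
        self.tgts[tgt] = username
        return tgt

    def issue_service_ticket(self, service, tgt=None, renew=False, credentials=None):
        """/login as reached by a browser that a service redirected to CAS.

        renew=False (Acegi ServiceProperties.sendRenew=false): a valid TGT
        cookie is enough, no login screen.  renew=True: fresh credentials are
        required even though a TGT is present.
        """
        if renew or tgt not in self.tgts:
            if credentials is None:
                raise LoginRequired(service)
            tgt = self.login(*credentials)
        st = "ST-" + secrets.token_urlsafe(12)
        self.service_tickets[st] = (self.tgts[tgt], service)
        return tgt, st

    def validate(self, service, ticket):
        """/serviceValidate: a ServiceTicket is single-use and bound to one service."""
        entry = self.service_tickets.pop(ticket, None)  # pop => cannot be replayed
        if entry is None or entry[1] != service:
            return None
        return entry[0]


class Browser:
    def __init__(self):
        self.tgt_cookie = None  # cookie scoped to the CAS host
        self.logins = 0         # how often the login screen was filled in


class Service:
    """One CAS-protected web application (system A or system B)."""

    def __init__(self, url, cas, send_renew=False):
        self.url, self.cas, self.send_renew = url, cas, send_renew
        self.session_user = None

    def visit(self, browser, credentials):
        """Steps 1-5 (or 7-9) of post #4 for this service."""
        if self.session_user:
            return self.session_user
        try:
            tgt, st = self.cas.issue_service_ticket(self.url, browser.tgt_cookie, self.send_renew)
        except LoginRequired:
            browser.logins += 1
            tgt, st = self.cas.issue_service_ticket(
                self.url, renew=self.send_renew, credentials=credentials)
        browser.tgt_cookie = tgt
        user = self.cas.validate(self.url, st)  # never trust an unvalidated ticket
        if user is None:
            raise PermissionError("ticket rejected")
        self.session_user = user
        return user


def run_flow(send_renew_for_a=False):
    """The thread's scenario: log in at B first, then access A."""
    cas = CasServer()
    b = Service("https://b.example/j_acegi_cas_security_check", cas)
    a = Service("https://a.example/j_acegi_cas_security_check", cas, send_renew_for_a)
    browser, creds = Browser(), ("alice", USERS["alice"])
    user_b = b.visit(browser, creds)
    user_a = a.visit(browser, creds)
    return {"user_b": user_b, "user_a": user_a, "logins": browser.logins}


def ticket_misuse_checks():
    """A replayed ticket and a ticket presented to the wrong service both fail."""
    cas = CasServer()
    tgt, st = cas.issue_service_ticket("https://b.example/", credentials=("alice", USERS["alice"]))
    first, replay = cas.validate("https://b.example/", st), cas.validate("https://b.example/", st)
    _, st2 = cas.issue_service_ticket("https://b.example/", tgt)
    return first, replay, cas.validate("https://a.example/", st2)


if __name__ == "__main__":
    print(run_flow(False))  # one login screen, both sessions are alice
    print(run_flow(True))   # A demands renew, so a second login screen
    print(ticket_misuse_checks())
```

With `send_renew_for_a=False` the user fills in the login screen once (at B) and still ends up authenticated at A, which is the answer to #3: no hand-built URL carrying the ticket is needed, because the browser presents the TGT cookie to CAS on the redirect and CAS mints a fresh ServiceTicket for A. Setting renew on A is what would bring the login screen back.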