« Return to Thread: fixing Gateway mode in mod_auth_cas
Re: fixing Gateway mode in mod_auth_cas
by Earl Fogel
::
Rate this Message:
On Tue, 6 May 2008, Matt Smith wrote:
> Does the cookie tell the app *which* CAS server to contact, or, does it
> simply flag *whether* the config-specified CAS server already deemed
> this session "gateway'd"?
It's the latter. The name of the CAS server is already in the CASLoginURL
parameter to mod_auth_cas. The contents of the "NecessaryCookie" don't
matter. If the cookie is present then the user *may* have a CAS session.
If the cookie is not present, then the user *can't* have a CAS session.
The code that I gave you only deals with gateway authentication to a
single CAS server. We use this to set up a trust relationship between
our central JA-SIG CAS server and our Luminis Portal.
There is a more complicated problem that our Computer Science department
wants to solve, where CAS applications trust multiple CAS servers.
To do this, we'd make each server set a different cookie. The client would
then check to see if any of these cookies is present, and redirect to the
appropriate CAS server. With this approach, the client needs to know the
names of all the cookies that might be used, and which CAS server to use
for each. They're not planning to do this with mod_auth_cas though, so
I don't think we need to worry about it.
Earl
Thanks for the details Earl. One more question:
> CAS applications can check this cookie to see which server(s) they
> need to contact to determine if the user has an existing CAS session.
Does the cookie tell the app *which* CAS server to contact, or, does it
simply flag *whether* the config-specified CAS server already deemed
this session "gateway'd"?
-Matt
--
Matthew J. Smith
University of Connecticut ITS
matt.smith@...
PGP KeyID: 0xE9C5244E
_______________________________________________
cas-dev mailing list
cas-dev@...
http://tp.its.yale.edu/mailman/listinfo/cas-dev
_______________________________________________
cas-dev mailing list
cas-dev@...
http://tp.its.yale.edu/mailman/listinfo/cas-dev
> Does the cookie tell the app *which* CAS server to contact, or, does it
> simply flag *whether* the config-specified CAS server already deemed
> this session "gateway'd"?
It's the latter. The name of the CAS server is already in the CASLoginURL
parameter to mod_auth_cas. The contents of the "NecessaryCookie" don't
matter. If the cookie is present then the user *may* have a CAS session.
If the cookie is not present, then the user *can't* have a CAS session.
The code that I gave you only deals with gateway authentication to a
single CAS server. We use this to set up a trust relationship between
our central JA-SIG CAS server and our Luminis Portal.
There is a more complicated problem that our Computer Science department
wants to solve, where CAS applications trust multiple CAS servers.
To do this, we'd make each server set a different cookie. The client would
then check to see if any of these cookies is present, and redirect to the
appropriate CAS server. With this approach, the client needs to know the
names of all the cookies that might be used, and which CAS server to use
for each. They're not planning to do this with mod_auth_cas though, so
I don't think we need to worry about it.
Earl
Thanks for the details Earl. One more question:
> CAS applications can check this cookie to see which server(s) they
> need to contact to determine if the user has an existing CAS session.
Does the cookie tell the app *which* CAS server to contact, or, does it
simply flag *whether* the config-specified CAS server already deemed
this session "gateway'd"?
-Matt
--
Matthew J. Smith
University of Connecticut ITS
matt.smith@...
PGP KeyID: 0xE9C5244E
_______________________________________________
cas-dev mailing list
cas-dev@...
http://tp.its.yale.edu/mailman/listinfo/cas-dev
_______________________________________________
cas-dev mailing list
cas-dev@...
http://tp.its.yale.edu/mailman/listinfo/cas-dev
signature.asc (196 bytes) « Return to Thread: fixing Gateway mode in mod_auth_cas
| Free Forum Powered by Nabble | Forum Help |