Help: Web Service Authentication


Help: Web Service Authentication

Roberto Klein
Hello guys,

I started using CAS some time ago and it really fit all my requirements
for an SSO Server.

Until now.

My application started to be requested by other applications, and the
communication between applications is done with web services.
I've read all I could about the Proxy Authentication method, but I don't
think it fits my need.
In the example that the documentation uses, there is a portal where the
user logs in, then the portal must access other applications, such as email.
The problem here is that in this example the portal has the ticket of
the first login from the user, so it can request a new PGT ticket every
time it needs to integrate with another application.
In my case, there isn't someone to log in. The login must be done by a
web service, which doesn't have a browser, which can't type in the
username or password.
I tried digging out a first PGT, but the PGT expires after some time and
I can't get a valid ticket anymore.

Does anyone know how I should do it?

Thank you.

Roberto Klein.

--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/jasig-discuss

Using CAS to authenticate non-human principals

Andrew Petro
Roberto,

This sounds like a discussion about CAS rather than about Jasig
generally.  It might be a better fit for the cas-user list.

http://www.jasig.org/cas/mailing-lists

There's no reason that the Principals in your use of it can't be
entities other than end users.  That is, these other applications that
are making requests of your applications could be modeled as Principals
that are themselves able to authenticate.

You are correct that Proxy CAS doesn't fit your need, in that you're not
talking about a portal or other application needing to authenticate to
your application on behalf of some logged in user.  Rather you seem to
be talking about an approach wherein these other applications are
authenticating to your application "as themselves", that is, that they
are the Principals.

CAS is primarily about user-facing single sign on for the Web, and so
the default way of authenticating Principals is via a user experience
that works pretty well for humans and, as you say, isn't pleasant for
programs.  Programs don't want to be filling out login forms.
Fortunately, there's no reason that you have to use login forms to
authenticate these applications.  You could instead use x509
certificates, for instance, and CAS even has good support for this.

CAS also itself has RESTful APIs such that once you've modeled Web
applications as Principals and decided on some way for them to
authenticate (passwords? x509 certificates?  SAML assertions?) they can
programmatically get tickets via RESTful Web Services rather than having
to parse them out of cookies or UI markup.

Best wishes,

Andrew

PS: This answer is also available as a KBA, which I mention because
there are some useful hyperlinks: http://www.unicon.net/node/1384
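The flow the last two paragraphs describe, as an added example that is not code from this thread or from CAS itself: a web-service principal authenticates to CAS with its own credentials over the CAS REST protocol, exchanges the ticket-granting ticket it receives for a one-time service ticket, and the receiving application validates that ticket with CAS. It assumes the CAS REST endpoints (`/v1/tickets`, `/p3/serviceValidate`) and password authentication for the principal; the CAS URL, principal name and service URL are placeholders, and `FakeCas` is a constructed in-memory stand-in so the exchange runs offline.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace of the serviceValidate XML response
class CasRestClient:
    # A web-service principal obtains CAS tickets over the REST endpoints instead of a login form.
    def __init__(self, cas_base, opener=None):
        self.cas_base, self.opener = cas_base.rstrip("/"), opener or urllib.request.build_opener()
    def _call(self, url, form=None):  # POST when a form is given, GET otherwise
        data = urllib.parse.urlencode(form).encode() if form is not None else None
        with self.opener.open(urllib.request.Request(url, data=data)) as r:
            return r.status, r.headers, r.read().decode()
    def get_tgt(self, username, password):  # credentials -> 201 with the TGT URL in Location
        status, headers, _ = self._call(self.cas_base + "/v1/tickets", {"username": username, "password": password})
        if status != 201: raise PermissionError(f"CAS rejected credentials for {username} (HTTP {status})")
        return headers["Location"]  # treat as a secret: it is the principal's long-lived session
    def get_st(self, tgt_url, service):  # TGT + target service URL -> 200 with a one-time ST in the body
        status, _, body = self._call(tgt_url, {"service": service})
        if status != 200: raise PermissionError(f"TGT rejected (HTTP {status}); obtain a new TGT")
        return body.strip()
    def validate_st(self, service, ticket):  # run by the receiving app: principal name or None
        q = urllib.parse.urlencode({"service": service, "ticket": ticket})
        xml = ET.fromstring(self._call(f"{self.cas_base}/p3/serviceValidate?{q}")[2])
        user = xml.find(f"{CAS_NS}authenticationSuccess/{CAS_NS}user")
        return user.text if user is not None else None
class _Resp:  # stand-in for the HTTPResponse urllib returns: read(), .status, .headers, context manager
    def __init__(self, status, body="", location=None):
        self.status, self._body, self.headers = status, body.encode(), {"Location": location}
    def read(self): return self._body
    def __enter__(self): return self
    def __exit__(self, *exc): return False
class FakeCas:  # constructed in-memory CAS speaking the REST protocol, so the example runs offline
    def __init__(self, base, creds): self.base, self.creds, self.tgts, self.sts, self.n = base, creds, {}, {}, 0
    def _id(self, kind): self.n += 1; return f"{kind}-{self.n}"
    def open(self, req):
        u = urllib.parse.urlsplit(req.full_url); form = urllib.parse.parse_qs((req.data or b"").decode())
        if u.path == "/cas/v1/tickets":  # credentials -> TGT, the programmatic equivalent of a login
            if self.creds.get(form["username"][0]) != form["password"][0]: return _Resp(401)
            tgt = self._id("TGT"); self.tgts[tgt] = form["username"][0]
            return _Resp(201, location=f"{self.base}/v1/tickets/{tgt}")
        if u.path.startswith("/cas/v1/tickets/"):  # TGT -> ST bound to exactly one service URL
            tgt = u.path.rsplit("/", 1)[1]
            if tgt not in self.tgts: return _Resp(404)  # unknown or expired TGT
            st = self._id("ST"); self.sts[st] = (self.tgts[tgt], form["service"][0])
            return _Resp(200, st)
        q = urllib.parse.parse_qs(u.query); owner = self.sts.pop(q["ticket"][0], None)  # ST is single use
        ok = owner is not None and owner[1] == q["service"][0]  # serviceValidate: service must match too
        inner = (f"<cas:authenticationSuccess><cas:user>{owner[0]}</cas:user></cas:authenticationSuccess>"
                 if ok else '<cas:authenticationFailure code="INVALID_TICKET"/>')
        return _Resp(200, f'<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">{inner}</cas:serviceResponse>')
```

When the TGT expires, `get_st` fails and the principal simply authenticates again with its own credentials, which is what replaces the expiring proxy-granting ticket of the question.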



