Fernando Gómez wrote:

Ray, sincerely, thank you very much. Please allow me some time, in which I will model the process properly, explain it in more detail, and lay it out for you, to see if you can guide me. And indeed, "What happens if a user logs in to an application in a different domain and then goes to your service, will they have to log in again?" is one of the problems we have to solve.

I will revisit the subject tomorrow after modeling the entire process further.

On Monday, December 16, 2019, 16:55:54 (UTC-3), rbon wrote:

If I understand correctly, CAS is external to your organization but associated in a way that can provide SSO.

For CAS SSO to work, it sends a cookie to the user's browser (TGC). If your application does the log in and then communicates with CAS, then there will be no cookie, and no SSO.

It sounds like you have two different user bases, one in your application's database and one for CAS.

Do you have any control of CAS and its configuration?

What happens if a user logs in to an application in a different domain and then goes to your service, will they have to log in again?

CAS offers a REST interface, https://apereo.github.io/cas/6.1.x/protocol/REST-Protocol.html

If I am not leading you down the right path, perhaps you could draw the log in flow.

Ray

On Mon, 2019-12-16 at 11:30 -0800, Fernando Gómez wrote:

One of the big limitations that I have at the organization's policy level is that I cannot allow anything external to the organization to go against our database, due to data protection and user issues. That is why I have to use our service, which is implemented, tested, validated and audited, then connect CAS with our service, and it will return the answer of whether the user can enter or not, in addition to their role, name and personal data. But in this case the only thing I need to see at this time, and where I think you could guide me, is how I delegate the authentication to a custom handler, so that right when I enter my username and password I can call a class in Java that is in charge of communicating with my service.

Unfortunately I have to do a very customized customization, where the CAS engine basically is for the SSO function, to be accredited in the different domains we have.

On Monday, December 16, 2019, 16:11:52 (UTC-3), rbon wrote:

Fernando,

CAS can connect to the database for authentication, https://apereo.github.io/cas/6.1.x/installation/Database-Authentication.html
It can also get attributes from a database, https://apereo.github.io/cas/6.1.x/integration/Attribute-Resolution.html
which can be released to your application with SAML1.1 or CAS protocol v3, https://apereo.github.io/cas/6.1.x/protocol/Protocol-Overview.html

You say 'What I use for login is the CAS', then you say, 'I have to solve is the authentication'. Login with CAS _is_ authentication. Do you mean authorization? That is, what actions a user might perform in your application (read data, update data etc.)?

If you are trying to restrict user access to your application, CAS can do that with attributes from the database. In the service definition, you can say a user must have this attribute and value to log in, https://apereo.github.io/cas/6.1.x/services/Configuring-Service-Access-Strategy.html

The role of CAS comes first, is the user whom they claim to be? If yes, then your application has to determine what the user can do.

Just in case your application has to make calls to another application (not to a database), there is the proxy flow that CAS offers, https://apereo.github.io/cas/6.1.x/installation/Configuring-Proxy-Authentication.html

I hope this clears things up.

Ray

On Mon, 2019-12-16 at 10:41 -0800, Fernando Gómez wrote:

Hi Ray, I really appreciate you answering me. It is possible that I explained myself badly; for my implementation and for this post, I am abstracting from the client, assuming that it already exists, as indeed it does. What I use for login is the CAS, but what I have to solve is the authentication; that process cannot be done by CAS. I must use my external services that go against my database: the service looks up the user, compares the username and password, and returns a result, which I pass to the CAS server, and CAS must generate the tickets to be able to enter my application that I already have. My doubt is: how do I tell CAS to check my external service?

On Monday, December 16, 2019, 15:15:26 (UTC-3), rbon wrote:

Fernando,

The purpose of CAS is to eliminate your application's login page. For your application to use CAS, it needs a CAS client, https://apereo.github.io/cas/6.1.x/integration/CAS-Clients.html

A simplified CAS login flow might be:

visit your application (cas client checks if user is logged in)
redirect to cas
enter username/password
redirect to your application with username (and optionally some other user attributes)

You want to avoid having a user's password. If it is really necessary, it can be retrieved from CAS.

Ray

On Mon, 2019-12-16 at 09:57 -0800, Fernando Gómez wrote:

Greetings dear community, I am writing on this occasion because I need guidance from you.

I have the following development scheme for an implementation of CAS SSO v6 for the university.

The life cycle that I must implement is as follows: the user enters his username and password; through POST the data passes to my classes, which must receive the information, encode it and then send it to an external service of mine that is responsible for validating it and obtaining the information of the user from my database. Then my service generates a response that is returned to the CAS server, and if it is an affirmative answer, CAS allows the entry; if it is not, it rejects it.

In theory there would be no complication, but I cannot find the way, the documentation, or an example of how to connect CAS SSO version 6 with my services. Could someone help guide me with some example or some document that I can analyze to achieve the goal? I have reviewed all of the official documentation and I do not get how to do it; I have gone around in circles and invested months and nothing, so I come to you to see if someone can guide me on what route to take, or where to investigate. Basically: how do I make it so that when the CAS login form is filled in, I send that information by POST to a class of mine, and that class to a service with an external URL? How do I connect CAS to my Java classes?

Grateful in advance.

Fernando

[image: life cycle cas sso elpais.png]

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
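The thread never shows what "delegate the authentication to a custom handler" looks like in code, so here is an added example (not from the thread, not from the CAS project itself) of the shape Fernando is asking for: a CAS 6.1 AuthenticationHandler that sends the submitted username and password to an external HTTPS service, turns the service's answer into a principal with attributes, and the Spring configuration that registers it in the authentication execution plan. It assumes the CAS 6.1.x API (AbstractUsernamePasswordAuthenticationHandler, AuthenticationEventExecutionPlanConfigurer, multi-valued attribute maps) and Java 11; the package org.example.cas, the property externalauth.verify-url, the host verify.example.edu and the JSON contract of the external service (POST {"username","password"}, reply {"ok","role","name"}) are all assumptions for the example.

```java
// ---- File: src/main/java/org/example/cas/ExternalServiceAuthenticationHandler.java ----
package org.example.cas;

import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.GeneralSecurityException;
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.FailedLoginException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult;
import org.apereo.cas.authentication.PreventedException;
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.services.ServicesManager;

// Assumed contract of the external service (not from the thread):
// POST {"username":..,"password":..} -> 200 {"ok":true,"role":..,"name":..} or {"ok":false}
public class ExternalServiceAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {
    private static final ObjectMapper MAPPER = new ObjectMapper();
    private final HttpClient http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(5)).build();
    private final URI verifyEndpoint;

    public ExternalServiceAuthenticationHandler(String name, ServicesManager servicesManager,
                                                PrincipalFactory principalFactory, Integer order, URI verifyEndpoint) {
        super(name, servicesManager, principalFactory, order);
        // The password travels in this request: refuse anything but TLS.
        if (!"https".equals(verifyEndpoint.getScheme())) {
            throw new IllegalArgumentException("verify endpoint must use https: " + verifyEndpoint);
        }
        this.verifyEndpoint = verifyEndpoint;
    }

    @Override
    protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(
            UsernamePasswordCredential credential, String originalPassword)
            throws GeneralSecurityException, PreventedException {
        String username = credential.getUsername();
        JsonNode result;
        try {
            // credential.getPassword() is the password after any CAS password encoder you
            // configure; Jackson does the JSON escaping. Never log this body.
            String body = MAPPER.writeValueAsString(Map.of("username", username, "password", credential.getPassword()));
            HttpRequest request = HttpRequest.newBuilder(verifyEndpoint)
                    .timeout(Duration.ofSeconds(10))
                    .header("Content-Type", "application/json")
                    .POST(HttpRequest.BodyPublishers.ofString(body))
                    .build();
            HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
            if (response.statusCode() != 200) {
                throw new IOException("verify service returned HTTP " + response.statusCode());
            }
            result = MAPPER.readTree(response.body());
        } catch (IOException | InterruptedException e) {
            // Service down or malformed reply: PreventedException makes CAS report an
            // error instead of a wrong password, so it is not counted as a failed login.
            throw new PreventedException(e);
        }
        if (!result.path("ok").asBoolean(false)) {
            // Unknown user and wrong password raise the same exception, so the login
            // page cannot be used to enumerate accounts.
            throw new FailedLoginException("Authentication rejected for " + username);
        }
        // Attributes from the service become principal attributes; the service definition
        // decides which of them each application receives (CAS 6.1: multi-valued map).
        Map<String, List<Object>> attributes = Map.of(
                "role", List.of(result.path("role").asText("")),
                "displayName", List.of(result.path("name").asText("")));
        return createHandlerResult(credential, principalFactory.createPrincipal(username, attributes), new ArrayList<>());
    }
}

// ---- File: src/main/java/org/example/cas/ExternalServiceAuthenticationConfiguration.java ----
package org.example.cas;

import java.net.URI;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlan;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.services.ServicesManager;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration("externalServiceAuthenticationConfiguration")
public class ExternalServiceAuthenticationConfiguration implements AuthenticationEventExecutionPlanConfigurer {
    @Autowired @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    // Assumed property name: externalauth.verify-url=https://verify.example.edu/auth in cas.properties
    @Value("${externalauth.verify-url}")
    private String verifyUrl;

    @Bean
    public AuthenticationHandler externalServiceAuthenticationHandler() {
        return new ExternalServiceAuthenticationHandler("ExternalServiceAuthenticationHandler",
                servicesManager, PrincipalFactoryUtils.newPrincipalFactory(), 0, URI.create(verifyUrl));
    }

    @Override
    public void configureAuthenticationExecutionPlan(AuthenticationEventExecutionPlan plan) {
        plan.registerAuthenticationHandler(externalServiceAuthenticationHandler());
    }
}
```

The configuration class is picked up the way the CAS documentation on custom authentication describes: list it under org.springframework.boot.autoconfigure.EnableAutoConfiguration in src/main/resources/META-INF/spring.factories of the overlay. Two points worth checking before going live: with this design the password still passes through the CAS login form and through CAS to the external service, so the TLS requirement in the constructor and the "never log the body" rule are what keep Fernando's data-protection constraint intact; and because CAS, not the application, performs the login, CAS issues the TGC cookie and the cross-domain SSO question Ray raised is answered by CAS itself, independent of which backend validates the password.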
-- 
Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG
You received this message because you are subscribed to the Google Groups "CAS Community" group. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9df80df8-4c88-493f-a12d-94b5110d11e2%40apereo.org.
