With both CAS and Shibboleth, the SSO ticketing model follows the same general pattern:

1. A client application (browser) attempts to access a business application.

2. An interceptor of some sort (a servlet filter, web-server module or reverse proxy in front of the application) redirects the browser to an SSO server. With Shibboleth, locating the SSO server is a little more involved because it is not a local system: the SSO server is the Identity Provider of the user's home organisation, so the Shibboleth Service Provider must first discover which Identity Provider to redirect to.

3. The SSO server challenges the browser to provide user authentication credentials.

4. Once the browser has submitted these credentials and the SSO server has validated them (against a directory, a database or whatever credential store it is configured with), it generates an Authentication Token and an Application Access Token of its own and redirects the browser back to the business application, carrying the handle of the Application Access Token in the redirect URL. The Authentication Token is given to the browser to store as a session cookie and to present each time it returns to the SSO server, which is what lets a second application be entered without a fresh credential challenge.

5. The interceptor again blocks the redirected request and extracts the handle of the Application Access Token. It issues a confirmation query to the SSO server directly, server to server (without redirecting the request through the browser), to check whether this is a valid token.

6. If the SSO server confirms the validity of the token, the interceptor allows access to the application, after optionally checking the accompanying user attributes.

The handle in step 4 travels through the browser, so it is visible to the user and to anything that can read the URL. The server-to-server check in step 5 is therefore the control that matters: the interceptor must never trust a handle on sight, and the SSO server should accept each handle only once, only from the application it was issued for, and only within a short validity window, so that a copied or replayed handle buys an attacker nothing.
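The six steps above, as an added example that is not code from the page or from the CAS or Shibboleth projects. It is a self-contained in-memory simulation in which `SsoServer` plays the SSO server (steps 3 and 4 plus the back-channel validation of step 5) and `Interceptor` plays the filter in front of one application (steps 1, 2, 5 and 6). The user store, attribute set, URLs, the `ST-` handle prefix, the ten-second ticket lifetime and the `staff` group check are all constructed for the example. It goes slightly beyond the text by making the handle single-use, bound to the application it was issued for and time-limited, and `run_flow()` shows each of those checks rejecting a replayed, foreign or expired handle.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed data for this example: one user, one attribute set, two protected applications.
USERS = {"alice": "correct horse battery staple"}
ATTRIBUTES = {"alice": {"mail": "alice@example.org", "groups": ["staff"]}}
SSO_LOGIN = "https://sso.example.org/login"
APP_A = "https://app-a.example.org/"
APP_B = "https://app-b.example.org/"


@dataclass
class Ticket:
    user: str
    service: str   # the application the handle was issued for
    issued: float  # time.time() at issue


class SsoServer:
    """SSO server role (steps 3-4) plus the back-channel validation used in step 5."""
    TICKET_TTL = 10.0  # seconds; assumed lifetime, the interceptor must validate promptly

    def __init__(self):
        self.sessions = {}  # authentication token (browser cookie) -> username
        self.tickets = {}   # application access token handle -> Ticket

    def login(self, service, cookie=None, username=None, password=None):
        """Return (authentication cookie, redirect URL), or None if the challenge fails."""
        user = self.sessions.get(cookie)          # valid cookie: no new credential challenge
        if user is None:
            if USERS.get(username) != password:
                return None
            user = username
            cookie = secrets.token_urlsafe(32)    # new authentication token for the browser
            self.sessions[cookie] = user
        handle = "ST-" + secrets.token_urlsafe(24)  # opaque handle, carried in the redirect URL
        self.tickets[handle] = Ticket(user, service, time.time())
        sep = "&" if "?" in service else "?"
        return cookie, service + sep + urlencode({"ticket": handle})

    def validate(self, service, handle, now=None):
        """Back-channel check: consume the handle, bind it to the service, enforce the TTL."""
        now = time.time() if now is None else now
        ticket = self.tickets.pop(handle, None)   # single use: a replayed handle is unknown
        if ticket is None or ticket.service != service:
            return None
        if now - ticket.issued > self.TICKET_TTL:
            return None
        return {"user": ticket.user, "attributes": ATTRIBUTES[ticket.user]}


class Interceptor:
    """Front-door filter for one application (steps 1-2 and 5-6)."""

    def __init__(self, server, app_url, required_group=None):
        self.server, self.app_url, self.required_group = server, app_url, required_group
        self.app_sessions = {}  # local session cookie -> validated identity

    def handle(self, url, app_cookie=None):
        """Return ('ok', identity), ('redirect', url) or ('deny', reason)."""
        if app_cookie in self.app_sessions:
            return "ok", self.app_sessions[app_cookie]
        query = parse_qs(urlparse(url).query)
        if "ticket" not in query:                 # step 2: send the browser to the SSO server
            return "redirect", SSO_LOGIN + "?" + urlencode({"service": self.app_url})
        identity = self.server.validate(self.app_url, query["ticket"][0])  # step 5, no browser
        if identity is None:
            return "deny", "invalid, expired, replayed or foreign ticket"
        groups = identity["attributes"].get("groups", [])
        if self.required_group and self.required_group not in groups:  # step 6 attribute check
            return "deny", "missing attribute"
        cookie = secrets.token_urlsafe(32)
        self.app_sessions[cookie] = identity
        return "ok", identity


def run_flow():
    """Drive steps 1-6 for app A, then show what the checks in validate() reject."""
    sso = SsoServer()
    app_a = Interceptor(sso, APP_A, required_group="staff")
    app_b = Interceptor(sso, APP_B)
    results = {}
    kind, login_url = app_a.handle(APP_A)                       # steps 1-2: no ticket yet
    results["first_redirect"] = kind
    service = parse_qs(urlparse(login_url).query)["service"][0]
    auth_cookie, back_url = sso.login(service, username="alice",  # steps 3-4
                                      password=USERS["alice"])
    kind, identity = app_a.handle(back_url)                     # steps 5-6
    results["admitted_user"] = identity["user"] if kind == "ok" else None
    results["replay"] = app_a.handle(back_url)[0]               # same handle again: consumed
    _, back_url_a = sso.login(APP_A, cookie=auth_cookie)        # cookie reuse, no challenge
    results["cross_service"] = app_b.handle(back_url_a.replace(APP_A, APP_B, 1))[0]
    _, back_url_old = sso.login(APP_A, cookie=auth_cookie)
    old_handle = parse_qs(urlparse(back_url_old).query)["ticket"][0]
    results["expired"] = sso.validate(APP_A, old_handle, now=time.time() + 60)
    results["bad_password"] = sso.login(APP_A, username="alice", password="wrong")
    return results
```

Note that `validate()` pops the handle before comparing the service, so a handle presented to the wrong application is destroyed as well as refused; a real deployment should also log that event, since it is a strong signal that a handle is being passed around outside the intended redirect.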