Step 3:
The CAS server generates its two tokens (Ticket-Granting Ticket and Service
Ticket) before redirecting the browser back to the application. The
interceptor receives the Service Ticket as part of the redirected access
request and validates it against CAS. CAS retrieves user attributes stored in
the Ticket Registry and sends a response back to the interceptor. If
everything checks out, access is granted.
Fig 23: CAS SPNEGO Step 3
From the perspective of the interceptor, the only protocol it has to know
about is CAS. The domain names can be set up so that internal (LAN) users
and external users access the application through two slightly different URLs.
This difference in URLs is all the hint that CAS requires to use different
challenge protocols for the two types of user.
We recommend the same architectural approach when supporting any other
challenge/assertion protocol. Keep the interceptor logic simple and standard
(i.e., based on CAS). Delegate the actual challenge/validation logic to the
centralised server. This way, all complexity is contained within a single unit