
Let's say we have two applications:

  1. App1 using CAS for authentication
  2. External application App2 using some custom authentication

And a user with id 'user1'. Once this user logs in to App2, we want to display a link (a link for App1) which allows the user to log in to App1. Once the user clicks the link, they should be taken to App1.

App2 passes only the user id, encrypted with a private key, to App1. It will not pass the password.

User ---------> External App2 -----Encrypted user id-----> CAS ===== App1

Is this possible to implement, as the request does not contain a password? Could you please guide me on the approach, as this is the first time I am working on CAS and SSO.

Your help is much appreciated.

We are using CAS 3.4 and Spring 3 integration.

1 Answer


Yes, this is possible. In your App1 you do not need to check the password, because CAS will authenticate. At the other app's level, when you click your link (App1), you have to pass an access token and the username. In your App1 you have to use the CAS libraries; those libraries will check whether the request is coming from a trusted site and whether the access token (here we call these service tickets and proxy granted tickets) is valid. Once these two checks are done, your authentication function / method will be executed (you have to configure it like this). If the user name exists in your database, you have to create a session and you can treat the user as logged in. The functionality may vary based on the technology and requirement.