Google style SSO login #74

Closed
rajeshyogeshwar opened this issue Nov 23, 2015 · 8 comments

Comments

@rajeshyogeshwar

Well, first thing, I couldn't come up with a better title for the issue, so apologies. Now, to the situation: I have django-mama-cas as my CAS server, and I am using django-cas-ng on three other applications. I have followed the instructions for django-cas-ng as specified on your GitHub page. A simple scenario: my apps are A, B, C. When I successfully log into A, then switch to a tab and request the login page for B, I should be logged into B automatically (if I am not wrong, this is what SSO is meant to do). How can I achieve this using django-cas-ng and django-mama-cas?

@nitmir
Contributor

nitmir commented Nov 23, 2015

Single Sign On works perfectly out of the box with django-cas-ng and jasig CAS (unless the user checked "Warn me before logging me into other sites.").

I never used mama-cas so I don't know if there is a special manipulation to do to get SSO to work.

Did you add the URLs of your apps A, B, C to the list of allowed services on the CAS?

Beware, SSO is sometimes used to refer to Single Sign On and sometimes to Single Sign Out, cf https://wiki.jasig.org/display/CASUM/Single+Sign+Out, so it can be confusing.

@rajeshyogeshwar
Author

@nitmir Can you explain the flow from the client side in the case of single sign on in django-cas-ng? Because at the moment I am using a cookie-based solution to make it work, but I would prefer not to do it this way. I know I must surely be missing something in the configuration.
In my case A, B, C are all on the same domain, as is my CAS. If I add the URLs of A, B, C to the CAS's list of allowed services, does it mean I can drop the cookie-based flow? It's a bit unclear to me atm.

@nitmir
Contributor

nitmir commented Nov 24, 2015

@Rajesh-Yogeshwar If the client is already authenticated to the CAS and wants to access service A, the following happens:
https://A -> 302 redirect -> https://cas/login?service=A -> 302 redirect -> https://A?ticket=ST-SQjd…
In the background, service A fetches https://cas/serviceValidate?service=A&ticket=ST-SQjd…
The CAS responds OK if the ticket is valid and the user is logged in to service A; otherwise the CAS responds with an error and the user is not logged in.

If the client is not authenticated to the CAS, https://cas/login?service=A should display a login form; then, on successful login to the CAS, the user is redirected to https://A?ticket=ST-SQjd…

Usually all services and the CAS are on different domains, but that's not mandatory, and I have a couple of services on the same domain working fine. Just be careful that a service A does not erase some cookies of service B (for example, services A and B on the same domain should not use the same cookie name to handle sessions, or else the user won't be able to log in to services A and B at the same time).

Indeed, if you use the CAS to authenticate users, you should not need shared cookies across services.
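As an added illustration of the three steps nitmir describes (this is example code, not code from django-cas-ng or django-mama-cas), the following builds the login redirect, extracts the ticket from the callback, and parses a CAS 2.0 serviceValidate response; the hostnames, usernames and XML bodies are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

# Namespace used by CAS 2.0 serviceValidate responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def login_redirect_url(cas_base, service_url):
    """Step 1: an unauthenticated request to the service is bounced to CAS login."""
    return f"{cas_base}/login?{urlencode({'service': service_url})}"


def ticket_from_callback(callback_url):
    """Step 2: CAS sends the browser back to the service with ?ticket=ST-..."""
    ticket = parse_qs(urlparse(callback_url).query).get("ticket", [None])[0]
    return ticket if ticket and ticket.startswith("ST-") else None


def validate_url(cas_base, service_url, ticket):
    """Step 3: the service (not the browser) calls serviceValidate.
    The service value must be the same one sent in step 1, or CAS rejects it."""
    params = {"service": service_url, "ticket": ticket}
    return f"{cas_base}/serviceValidate?{urlencode(params)}"


def parse_service_validate(xml_body):
    """Return (username, None) on success or (None, error_code) on failure."""
    root = ET.fromstring(xml_body)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        return ok.findtext("cas:user", default=None, namespaces=CAS_NS), None
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return None, fail.get("code", "UNKNOWN")
    raise ValueError("malformed serviceValidate response")


# Constructed sample responses (hypothetical user; not captured from a real CAS).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    svc = "https://a.example"
    print(login_redirect_url("https://cas.example", svc))
    t = ticket_from_callback(f"{svc}/?ticket=ST-SQjd123")
    print(validate_url("https://cas.example", svc, t))
    print(parse_service_validate(SUCCESS_XML), parse_service_validate(FAILURE_XML))
```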

@rajeshyogeshwar
Author

This is the kind of explanation that needs to be in the readme. I am working on my dev machine and everything is hosted on localhost, so probably because of this I am not able to get it working. Thank you for a good explanation.

@morocarlo

morocarlo commented Jun 15, 2017

@Rajesh-Yogeshwar Is it working in production? If I use a different session cookie name, does it work?

@rajeshyogeshwar
Author

@morocarlo Yes, I got it working. But what I did was take the idea from the explanation provided by @nitmir and roll my own little solution. It's been working on my company's private applications for more than a year.

@diegoduncan21

Hi @Rajesh-Yogeshwar, I can't log in automatically with different domains; how did you do that?

@rajeshyogeshwar
Author

@diegoduncan21 I am on the same domain, only different subdomains. @nitmir has explained how it should be done.
