I have own Jasig CAS server:
https://cas.example.com
Also, I have two subdomains(applications) connected to this CAS server, for example:
https://ui.example.com
https://api.example.com
I can successfully create ST ticket for https://ui.example.com with a following request:
https://cas.example.com/login?service=https://ui.example.com
response:
https://cas.example.com/?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com/
but I'm unable to use this ticket for https://api.example.com
https://api.example.com/api/v1.0/account?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com
with a following error:
access to this resource is forbidden","errors":[{"field":"BadCredentialsException","message":"\n Ticket \u0027ST-5-p5rVK3OWBKPzwAAZteNw-cas-dev.cfwdev.com\u0027 does not match supplied service. The original service was \u0027https://ui.example.com/\u0027 and the supplied service was \u0027https://api.example.com/api/v1.0/account
This is my service configuration:
{
"@class" : "org.jasig.cas.services.RegexRegisteredService",
"serviceId" : "^(http?|https?)://.*example.com/.*",
"name" : "example.com dev
"theme" : example
"id" : 20000002,
"description" : "example.com dev environment",
"proxyPolicy" : {
"@class" : "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
"pattern" : "^(http?|https?)://.*example.com/.*"
},
"evaluationOrder" : 2,
"usernameAttributeProvider" : {
"@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
},
"logoutType" : "BACK_CHANNEL",
"attributeReleasePolicy" : {
"@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
"principalAttributesRepository" : {
"@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
},
"authorizedToReleaseCredentialPassword" : false,
"authorizedToReleaseProxyGrantingTicket" : false
},
"accessStrategy" : {
"@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
"enabled" : true,
"ssoEnabled" : true
}
}
Is it possible to issue one ST ticket that will be accepted by both of these subdomains https://ui.example.com and https://api.example.com ?
It is impossible with Jasig CAS