I go to my timesheet application. It redirects me to CAS to login. I login to CAS. CAS redirects me back to the timesheet application. I fill out my timesheet and otherwise use the timesheet application.
Notice that the timesheet didn't get to see my password.
Having punched in for the day, I then decide to go check on my production uPortal instance:
I go to my Portal instance. It redirects me to CAS to login. CAS detects my secure cookie and does the Single Sign On whereby I don't have to give my username and password again. CAS redirects me back to the portal. The portal validates the ticket, logs me into the Portal I see my default layout populated with some cool channels telling me it's really cold outside and what's in the news.
Notice that the portal didn't get my password.
Now I go to the email channel in the portal. The email channel needs to go get my email. It doesn't have my password. But it needs to authenticate to the backing IMAP server to get my email so it can display it to me.
So the portal takes its PGT, presents it to CAS to get a PT, and then presents that PT to (let's keep this simple) the IMAP server. Some IMAP servers can defer to PAM modules to do authentication, and so you can use PAM_CAS. PAM_CAS is configured to accept proxy tickets from the Portal.
So the PAM_CAS validates the ticket, checks that email is being requested for the user whom the ticket authenticates, and checks that the proxy chain is the expected one (namely, authentication was proxied through the portal).
The IMAP server trusts only the Portal to proxy authentication. The IMAP server will vend email to the Portal only for users for whom it proxies authentication.
If i don't log into the Portal, it can't get my mail. After my CAS session expires, it can't get my mail.
posted by Andrew Petro
Said another way...
CAS without proxy requires the browser in each authentication "transaction". In the case of a portal or other middle tier application, the component needing to authenticate isn't the browser, it's an application like a portal. So proxy authentication allows one application (portal) which accepted and validated a CAS ticket to get data from another application (email) which is configured to trust the first (portal).
posted by Susan Bramhall