WORKERS AHEAD!

You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. To view the documentation for a specific Apereo CAS server release, please choose an appropriate version. The release schedule is also available here.

Ticket Expiration Policies

CAS supports a pluggable and extensible policy framework to control the expiration policy of ticket-granting tickets (TGT), proxy-granting tickets (PGT), service tickets (ST) and proxy tickets (PT).

There Is More

There are many other types of artifacts in CAS that take the base form of a ticket abstraction. Each protocol or feature may introduce a new ticket type that carries its own expiration policy and you will need to consult the documentation for that feature or behavior to realize how expiration policies for its own ticket types may be tuned and controlled.

Ticket-Granting Ticket Policies

TGT expiration policy governs the time span during which an authenticated user may grant STs with a valid (non-expired) TGT without having to re-authenticate. An attempt to grant an ST with an expired TGT would require the user to re-authenticate to obtain a new (valid) TGT.

Default

This is the default option, which provides a hard-time out as well as a sliding window.

Ticket expiration policies are activated in the following conditions:

If the timeout values for the default policy are all set to zero or less, CAS shall ensure tickets are never considered expired.
Disabling a policy requires that all its timeout settings be set to a value equal or less than zero.
If not ticket expiration policy is determined, CAS shall ensure the ticket are always considered expired.

Keep What You Need!

You are encouraged to only keep and maintain properties and settings needed for a particular policy. It is UNNECESSARY to grab a copy of all fields or keeping a copy as a reference while leaving them commented out. This strategy would ultimately lead to poor upgrades increasing chances of breaking changes and a messy deployment at that.

Ticket expiration policies are activated in the following order:

Tickets are never expired, if and when settings for the default policy are configured accordingly.
Timeout
Default
Throttled Timeout
Hard Timeout
Tickets always expire immediately.

The following settings and properties are available from the CAS configuration catalog:

_{The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting is not strictly necessary in the end-user CAS configuration, because a default value may be assigned or the feature in question may not be immediately intended for use. You may want to own the setting and update it assigned value, assuming the intended feature controlled by the setting is utilized.}

_{The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value.}