Using the API with Federated Sign-in Module

To use the PAM APIs with the Federated Sign-in Module enabled, please follow the procedure described in the Secure Authentication / Federated Authentication using this API guide.

The script example there includes a cas_auth function: both the function itself and an example of its use.

For token-based authentication in scripts (that is, without a user name and password), look for the token_auth function on the same page.

In short, the script takes a user/password pair or a token and exchanges it in the Federated Sign-in Module for a ticket-granting ticket (TGT), which is returned in the Location header.

Then it posts to this location, exchanging the ticket-granting ticket for a service ticket (ST).

Then it uses PAM to exchange the service ticket for a cookie (JSESSION) that it can use for all subsequent REST API calls.

Tickets are short-lived, whereas cookies are not. This is standard practice for headless federated sign-in and is outlined in the cas_auth/token_auth examples.
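
The three exchanges described above, written out as an added Python example (this is not the cas_auth/token_auth code from the referenced guide). The endpoint URLs, the 201/200 status codes, the service and ticket field names and the ST- prefix are assumptions following CAS REST conventions. The example also checks that the server-supplied TGT Location stays on the sign-in server's origin before posting to it.

```python
# Added example. Endpoint URLs, status codes, the "service"/"ticket" field
# names and the "ST-" prefix are assumptions based on CAS REST conventions.
import urllib.error
import urllib.request
from http.cookies import SimpleCookie
from urllib.parse import urlencode, urlsplit

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx so a Set-Cookie on the redirect is not lost

def urllib_send(method, url, form=None):
    """Default transport: returns (status, headers, body)."""
    data = urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, method=method)
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as r:
            return r.status, r.headers, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.headers, e.read().decode()

def _origin(url):
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port

def federated_login(tickets_url, pam_url, creds, send=urllib_send):
    """creds is the login form (user/password or token). Returns 'NAME=value'."""
    # 1. Credentials -> TGT; its URL comes back in the Location header.
    status, headers, _ = send("POST", tickets_url, creds)
    tgt_url = headers.get("Location", "")
    if status != 201 or not tgt_url:
        raise RuntimeError(f"no TGT issued (HTTP {status})")
    # The TGT URL is server-supplied: only post to it over TLS, same origin.
    if not tgt_url.startswith("https://") or _origin(tgt_url) != _origin(tickets_url):
        raise RuntimeError("TGT Location is outside the sign-in server")
    # 2. TGT -> service ticket (ST) scoped to the PAM service URL.
    status, _, body = send("POST", tgt_url, {"service": pam_url})
    st = body.strip()
    if status != 200 or not st.startswith("ST-"):
        raise RuntimeError(f"no service ticket issued (HTTP {status})")
    # 3. ST -> session cookie; the short-lived tickets are not needed afterwards.
    _, headers, _ = send("GET", f"{pam_url}?{urlencode({'ticket': st})}")
    jar = SimpleCookie()
    for value in headers.get_all("Set-Cookie") or []:
        jar.load(value)
    for name, morsel in jar.items():
        if name.upper().startswith("JSESSION"):
            return f"{name}={morsel.value}"
    raise RuntimeError("PAM did not set a session cookie")
```

Send the returned value as the Cookie header on subsequent REST API calls, and keep it out of logs, since it outlives the tickets.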