[cas-dev] About CAS and X509 authentication

Bruno Bonfils asyd at asyd.net
Mon Oct 29 04:56:29 EDT 2007


Hello, 

first of all, since this is my first mail, I'll introduce myself briefly. I currently work for a company which uses only free software, and I'm a
member of the security team. In this context, I work a lot with PKI and
SSO, and sometimes with identity management.

For a customer, I'm currently deploying a CAS server with X509
authentication. However, the user certificate is protected by a hardware
token, and since this token is IAS compliant (some French-specific stuff),
the user is asked to type his PIN *each* time the private key is
requested (this protection is enforced by the middleware). So the 'SSO'
is a bit broken (each time the user requests an ST, he needs to type
his PIN).

To bypass this behavior, we added two connectors to the same Tomcat, one
in SSLv3 (client certificate required) and one in SSLv2 (only server
authentication), and developed a little filter which redirects the user from
SSLv2 to SSLv3 if no TGC cookie is sent by the user.

Do you think that breaks something in CAS security? We are currently
testing this method and it looks to be working well; feel free to ask for the code if
you're interested in this filter.

Thanks a lot for CAS, it's very good software!

-- 
http://asyd.net/home/   - Home Page
http://guses.org/home/  - French Speaking (Open)Solaris User Group

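The kind of filter the mail describes, written here as an added illustration for readers of the archive (it is not Bruno's filter and not CAS project code), against the standard Servlet 2.x API. The TGC cookie name CASTGC, the client-cert connector port 8443 and the two init-param names are assumptions; the servlet attribute javax.servlet.request.X509Certificate is the standard one Tomcat sets when a client certificate was verified on the connection.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Sends requests that carry no ticket-granting cookie (TGC) from the
 * server-auth-only HTTPS connector to the connector that requires a client
 * certificate. Requests that already present a TGC stay where they are, so
 * the hardware token (and its PIN prompt) is exercised once per SSO session,
 * when the TGT is created, and not for every service ticket.
 *
 * Assumed, not taken from the mail: the TGC cookie is named CASTGC and the
 * client-cert connector listens on 8443. Both can be overridden by init-params.
 */
public class ClientCertRedirectFilter implements Filter {

    /** Standard servlet attribute set when a client certificate was verified. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private String tgcCookieName = "CASTGC";   // assumption: CAS default TGC name
    private int clientCertPort = 8443;         // assumption: client-auth connector

    public void init(FilterConfig cfg) throws ServletException {
        String name = cfg.getInitParameter("tgcCookieName");
        if (name != null) {
            tgcCookieName = name;
        }
        String port = cfg.getInitParameter("clientCertPort");
        if (port != null) {
            clientCertPort = Integer.parseInt(port);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!onClientCertConnector(request) && !hasTgc(request)) {
            // No SSO session yet: the only credential CAS accepts here is the
            // client certificate, so move the browser to the connector that asks for it.
            response.sendRedirect(clientCertUrl(request));
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    /** True on the connector that performed client-certificate authentication. */
    private boolean onClientCertConnector(HttpServletRequest request) {
        return request.getServerPort() == clientCertPort
                || request.getAttribute(CERT_ATTR) != null;
    }

    /** Presence check only: CAS itself decides whether the TGT behind it is valid. */
    private boolean hasTgc(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return false;
        }
        for (Cookie c : cookies) {
            if (tgcCookieName.equals(c.getName())
                    && c.getValue() != null && c.getValue().length() > 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Same host, same path and query string (so the CAS "service" parameter
     * survives the hop), only the port changes. Browsers do not scope cookies
     * by port, so the TGC set on the client-cert connector is sent back to the
     * server-auth-only connector on later requests.
     */
    private String clientCertUrl(HttpServletRequest request) {
        StringBuilder url = new StringBuilder("https://")
                .append(request.getServerName())
                .append(':').append(clientCertPort)
                .append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }
}
```

Map the filter to the CAS login URL only (/login in web.xml), not to /serviceValidate or /logout. Two caveats worth checking in a deployment like this: first, the filter only sees that a cookie named CASTGC exists, so once the TGT behind it has expired the user stays on the server-auth-only connector, where CAS has no certificate to authenticate with and will just render the login form; the login view on that connector should therefore link (or redirect) to the client-cert URL, or the cookie must be reliably cleared on logout and expiry. Second, the security of the scheme rests entirely on the client-cert connector: it must require (not merely request) the certificate and validate it against the intended CA, because a TGC issued there is then honoured on the connector that never saw a certificate.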