CASUM/OpenID

Sewell K H (LCSS) khsewell at glam.ac.uk
Mon Jan 21 12:52:16 EST 2008


Can't rely on me, sorry, I don't really know what I'm doing yet.

I found that if a user has already authenticated with CAS (say, via  
mod_auth_cas), and then revisits the CAS server via an OpenID relying  
party, the CAS server will verify any URL.

I guessed that this is because the Principals are different (so  
"error" in the openIdSingleSignOnAction), and so  
"ticketGrantingTicketExistsCheck", which will exist as a user has  
already authenticated (?). I'm not familiar with webflow though, so I  
don't know if the problem is further on down, e.g., "renewRequestCheck".

Anyway, eventually the user should probably re-authenticate  
("viewLoginForm") if the Principals are different. Also, all the other  
"error"s in login-webflow.xml are "viewLoginForm".

Cheers,
Kevin
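As an added illustration of the point Kevin raises (this is not part of the thread and not CAS code), the two wirings of the `error` transition can be reduced to a small state machine. The state names are the ones from login-webflow.xml as quoted in the thread; how each state behaves is an assumption of the model, written down to show why routing `error` to `ticketGrantingTicketExistsCheck` lets an existing TGT carry a session past a mismatched OpenID identity, while routing it to `viewLoginForm` forces the re-authentication Kevin suggests.

```python
"""Toy model of the two login-webflow.xml wirings discussed in the thread.

Added illustration, not CAS code. The webflow is reduced to a state machine
so that the difference between routing the OpenID action's "error" outcome
to ticketGrantingTicketExistsCheck and to viewLoginForm is visible on a
concrete session. The "warn" transition is left out of the model.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    tgt_principal: Optional[str]  # principal bound to an existing TGT, if any
    openid_identity: str          # identity URL claimed by the OpenID request


# The two wirings for <transition on="error" .../> in openIdSingleSignOnAction.
WEAK_FLOW: Dict[str, str] = {"error": "ticketGrantingTicketExistsCheck"}
FIXED_FLOW: Dict[str, str] = {"error": "viewLoginForm"}

TERMINAL = {"sendTicketGrantingTicket", "viewLoginForm"}


def open_id_single_sign_on_action(session: Session) -> str:
    """Assumed behaviour: 'success' only when the claimed OpenID identity is the
    principal already bound to the session's TGT; any mismatch is 'error'."""
    if session.tgt_principal is not None and session.tgt_principal == session.openid_identity:
        return "success"
    return "error"


def run_login_webflow(session: Session, transitions: Dict[str, str]) -> List[str]:
    """Walk the states named in the thread and return the trail of states visited.

    Assumed behaviour of ticketGrantingTicketExistsCheck: the mere presence of a
    TGT in the session is enough to continue to ticket issuance, regardless of
    which principal that TGT belongs to.
    """
    state = "openIdSingleSignOnAction"
    trail = [state]
    while state not in TERMINAL:
        if state == "openIdSingleSignOnAction":
            outcome = open_id_single_sign_on_action(session)
            state = "sendTicketGrantingTicket" if outcome == "success" else transitions["error"]
        elif state == "ticketGrantingTicketExistsCheck":
            state = "sendTicketGrantingTicket" if session.tgt_principal else "viewLoginForm"
        else:
            raise ValueError(f"unmodelled state: {state}")
        trail.append(state)
    return trail


def identity_asserted(session: Session, transitions: Dict[str, str]) -> bool:
    """True when the flow ends by issuing a ticket for the claimed OpenID identity."""
    return run_login_webflow(session, transitions)[-1] == "sendTicketGrantingTicket"


if __name__ == "__main__":
    # Constructed sample: a session already holding a TGT for one identity,
    # now revisited by a relying party asking about a different identity URL.
    mismatch = Session(tgt_principal="https://alice.example.net/",
                       openid_identity="https://bob.example.net/")
    for name, flow in (("weak", WEAK_FLOW), ("fixed", FIXED_FLOW)):
        print(name, "->", " -> ".join(run_login_webflow(mismatch, flow)))
```

With the weak wiring the mismatched session still ends in `sendTicketGrantingTicket`, which is the "verify any URL" behaviour described above; with the fixed wiring it ends in `viewLoginForm`. A session with no TGT ends in `viewLoginForm` under both wirings, which is why the problem only appears after a prior login (for example via mod_auth_cas).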


On 21 Jan 2008, at 16:30, Scott Battaglia wrote:

> You're definitely right about the incorrect  
> CredentialsToPrincipalResolver.  I've updated our wiki about that.   
> I can't recall the other thing off the top of my head and I'm not  
> set up to test it right now. I'm guessing you have?
>
> -Scott
>
> On Jan 21, 2008 10:52 AM, Sewell K H (LCSS) <khsewell at glam.ac.uk> wrote:
> Hi,
>
> I've read and followed http://www.ja-sig.org/wiki/display/CASUM/OpenID.
>
> I'm a bit of a noob, so could you confirm that this:
>
> <action-state id="openIdSingleSignOnAction">
>         <action bean="openIdSingleSignOnAction" />
>         <transition on="success" to="sendTicketGrantingTicket" />
>         <transition on="error" to="ticketGrantingTicketExistsCheck" />
>         <transition on="warn" to="warn" />
> </action-state>
>
> is supposed to be, or is more properly:
>
> <action-state id="openIdSingleSignOnAction">
>         <action bean="openIdSingleSignOnAction" />
>         <transition on="success" to="sendTicketGrantingTicket" />
>         <transition on="error" to="viewLoginForm" />
>         <transition on="warn" to="warn" />
> </action-state>
>
> and this:
>
> <bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsAuthenticationHandler" />
>
> is supposed to be:
>
> <bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsToPrincipalResolver" />
>
> Thanks,
> Kevin
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
>
> -- 
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia  
