CASUM/OpenID

Sewell K H (LCSS) khsewell at glam.ac.uk
Wed Jan 23 08:20:54 EST 2008


For info, I'm now using this (until the config in confluence is  
corrected), which seems to work fine (and I'm still using the default  
OpenIdUserNameExtractor):

<action-state id="initialFlowSetup">
     <action bean="initialFlowSetupAction" />
     <transition on="success" to="selectFirstAction" />
</action-state>

<decision-state id="selectFirstAction">
     <if test="${externalContext.requestParameterMap['openid.trust_root'] != '' &amp;&amp; externalContext.requestParameterMap['openid.trust_root'] != null}"
         then="openIdSingleSignOnAction"
         else="ticketGrantingTicketExistsCheck" />
</decision-state>

<action-state id="openIdSingleSignOnAction">
     <action bean="openIdSingleSignOnAction" />
     <transition on="success" to="sendTicketGrantingTicket" />
     <transition on="error" to="viewLoginForm" />
     <transition on="warn" to="warn" />
</action-state>

Regards,
Kevin

On 21 Jan 2008, at 18:45, Scott Battaglia wrote:

> I think you're right.  It should throw an error if the principals  
> don't match and force you to log in again.  Not sure how the  
> configuration got put into confluence wrong.
>
> -Scott
>
> On Jan 21, 2008 12:52 PM, Sewell K H (LCSS) <khsewell at glam.ac.uk>  
> wrote:
> Can't rely on me, sorry, I don't really know what I'm doing yet.
>
> I found that if a user has already authenticated with CAS (say, via  
> mod_auth_cas), and then revisits the CAS server via an OpenID  
> relying party, the CAS server will verify any URL.
>
> I guessed that this is because the Principals are different (so  
> "error" in the openIdSingleSignOnAction), and so  
> "ticketGrantingTicketExistsCheck", which will exist as a user has  
> already authenticated (?). I'm not familiar with webflow though, so  
> I don't know if the problem is further on down, e.g.,  
> "renewRequestCheck".
>
> Anyway, eventually the user should probably re-authenticate  
> ("viewLoginForm") if the Principals are different. Also, all the  
> other "error"s in login-webflow.xml are "viewLoginForm".
>
> Cheers,
> Kevin
>
>
> On 21 Jan 2008, at 16:30, Scott Battaglia wrote:
>
>> You're definitely right about the incorrect  
>> CredentialsToPrincipalResolver.  I've updated our wiki about that.   
>> I can't recall the other thing off the top of my head and I'm not  
>> set up to test it right now. I'm guessing you have?
>>
>> -Scott
>>
>> On Jan 21, 2008 10:52 AM, Sewell K H (LCSS) <khsewell at glam.ac.uk>  
>> wrote:
>> Hi,
>>
>> I've read and followed http://www.ja-sig.org/wiki/display/CASUM/OpenID.
>>
>> I'm a bit of a noob, so could you confirm that this:
>>
>> <action-state id="openIdSingleSignOnAction">
>>         <action bean="openIdSingleSignOnAction" />
>>         <transition on="success" to="sendTicketGrantingTicket" />
>>         <transition on="error" to="ticketGrantingTicketExistsCheck" />
>>         <transition on="warn" to="warn" />
>> </action-state>
>>
>> is supposed to be, or is more properly:
>>
>> <action-state id="openIdSingleSignOnAction">
>>         <action bean="openIdSingleSignOnAction" />
>>         <transition on="success" to="sendTicketGrantingTicket" />
>>         <transition on="error" to="viewLoginForm" />
>>         <transition on="warn" to="warn" />
>> </action-state>
>>
>> and this:
>>
>> <bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsAuthenticationHandler" />
>>
>> is supposed to be:
>>
>> <bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsToPrincipalResolver" />
>>
>> Thanks,
>> Kevin
>>
>> _______________________________________________
>> Yale CAS mailing list
>> cas at tp.its.yale.edu
>> http://tp.its.yale.edu/mailman/listinfo/cas
>>
>>
>>
>> -- 
>> -Scott Battaglia
>>
>> LinkedIn: http://www.linkedin.com/in/scottbattaglia  
>
>
>
>
>
>
> -- 
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia  
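The failure mode Kevin describes (an existing SSO session for one principal, then an arrival from an OpenID relying party asking about a different identity) can be seen by stepping through the two versions of the `openIdSingleSignOnAction` transitions. The Python model below is an added illustration, not CAS code and not from anyone in the thread: it encodes the wiki's `error -> ticketGrantingTicketExistsCheck` and Kevin's `error -> viewLoginForm` as transition tables and runs the same request through both. What the actions do internally is assumed for the example: `openIdSingleSignOnAction` reports `error` when the OpenID-claimed user name (taken, as the default `OpenIdUserNameExtractor` is assumed to do, from the last path segment of `openid.identity`) does not match the principal bound to the TGT, and `ticketGrantingTicketExistsCheck` goes on to `generateServiceTicket` whenever a TGT exists. All host names and principals are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Transition tables for the one action-state the thread argues about, keyed
# (state, event) -> next state.  WIKI_FLOW is the version quoted from the wiki;
# FIXED_FLOW is the version with "error" routed to viewLoginForm.
WIKI_FLOW: Dict[Tuple[str, str], str] = {
    ("openIdSingleSignOnAction", "success"): "sendTicketGrantingTicket",
    ("openIdSingleSignOnAction", "error"): "ticketGrantingTicketExistsCheck",
}
FIXED_FLOW: Dict[Tuple[str, str], str] = {
    ("openIdSingleSignOnAction", "success"): "sendTicketGrantingTicket",
    ("openIdSingleSignOnAction", "error"): "viewLoginForm",
}

# States at which this model stops (the real flow continues past them).
TERMINAL = {"sendTicketGrantingTicket", "generateServiceTicket", "viewLoginForm"}


@dataclass
class LoginRequest:
    """One request to /login: the request parameters plus the principal the TGT
    cookie resolves to (None when the browser has no valid SSO session)."""
    request_params: Dict[str, str]
    tgt_principal: Optional[str]


def user_name_from_identity(identity: str) -> str:
    """Assumed behaviour of the default OpenIdUserNameExtractor for this example:
    the user name is the last path segment of the openid.identity URL."""
    return identity.rstrip("/").rsplit("/", 1)[-1]


def select_first_action(req: LoginRequest) -> str:
    """The decision-state from the thread: take the OpenID path only when
    openid.trust_root is present and non-empty."""
    trust_root = req.request_params.get("openid.trust_root")
    if trust_root is not None and trust_root != "":
        return "openIdSingleSignOnAction"
    return "ticketGrantingTicketExistsCheck"


def open_id_single_sign_on(req: LoginRequest) -> str:
    """Assumed behaviour of openIdSingleSignOnAction: 'success' only when an SSO
    session exists and its principal is the identity the relying party asked
    about; 'error' otherwise."""
    if req.tgt_principal is None:
        return "error"
    claimed = user_name_from_identity(req.request_params.get("openid.identity", ""))
    return "success" if claimed == req.tgt_principal else "error"


def ticket_granting_ticket_exists_check(req: LoginRequest) -> str:
    """Assumed: a valid TGT means a service ticket is issued for the TGT's
    principal without showing the login form."""
    return "generateServiceTicket" if req.tgt_principal is not None else "viewLoginForm"


def run_login_flow(req: LoginRequest, transitions: Dict[Tuple[str, str], str]) -> List[str]:
    """Walk the flow from initialFlowSetup to a terminal state; return the states visited."""
    state = "initialFlowSetup"
    trace = [state]
    while state not in TERMINAL:
        if state == "initialFlowSetup":
            state = "selectFirstAction"
        elif state == "selectFirstAction":
            state = select_first_action(req)
        elif state == "openIdSingleSignOnAction":
            state = transitions[(state, open_id_single_sign_on(req))]
        elif state == "ticketGrantingTicketExistsCheck":
            state = ticket_granting_ticket_exists_check(req)
        else:
            raise ValueError(f"state not modelled: {state}")
        trace.append(state)
    return trace


# Constructed scenario from the thread: the browser already holds a TGT for
# "alice" (say, obtained through mod_auth_cas); an OpenID relying party then
# sends it to CAS asking about a different identity.
MISMATCH = LoginRequest(
    request_params={
        "openid.mode": "checkid_setup",
        "openid.trust_root": "https://rp.example.test/",
        "openid.identity": "https://cas.example.test/openid/bob",
    },
    tgt_principal="alice",
)

if __name__ == "__main__":
    for name, flow in (("wiki", WIKI_FLOW), ("fixed", FIXED_FLOW)):
        print(f"{name}: " + " -> ".join(run_login_flow(MISMATCH, flow)))
```

With the wiki transitions the mismatch ends at `generateServiceTicket`: the existing TGT satisfies `ticketGrantingTicketExistsCheck`, so a ticket is issued for alice's session although the relying party asked about bob, which is the "verify any URL" behaviour Kevin observed. With `error` routed to `viewLoginForm` the same request ends at the login form and the user must re-authenticate; a matching identity reaches `sendTicketGrantingTicket` under both tables.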
