CASUM/OpenID

Sewell K H (LCSS) khsewell at glam.ac.uk
Thu Jan 24 06:53:45 EST 2008


OpenID configuration doc updated.

Anyone using CAS as an OpenID provider with the previously suggested
login-webflow.xml configuration should now use its new configuration
(see http://www.ja-sig.org/wiki/display/CASUM/OpenID), or their own.

The suggested configuration now checks openid.mode before handing to  
openIdSingleSignOnAction or ticketGrantingTicketExistsCheck.

Regards,
Kevin
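The fragment below is an added illustration of the wiring the message above describes: a decision state keyed on openid.mode rather than openid.trust_root, and the "error" transition of openIdSingleSignOnAction sent to viewLoginForm. It is not code from the original post and not the configuration published on the CASUM/OpenID wiki page, which remains the reference. The state ids and bean names are the ones quoted later in this thread; the exact test expression is an assumption about one way to express the openid.mode check.

```xml
<!-- Illustrative fragment only; not the wiki's published configuration.
     State ids and bean names follow the snippets quoted in this thread. -->
<action-state id="initialFlowSetup">
    <action bean="initialFlowSetupAction" />
    <transition on="success" to="selectFirstAction" />
</action-state>

<!-- Route only genuine OpenID protocol requests to the OpenID action.
     openid.mode is a required parameter on every OpenID message (for example
     checkid_setup), whereas a plain CAS login request carries no openid.*
     parameters at all. Assumption: this expression is one way to write the
     openid.mode check referred to above, not the wiki's exact text. -->
<decision-state id="selectFirstAction">
    <if test="${externalContext.requestParameterMap['openid.mode'] != null &amp;&amp; externalContext.requestParameterMap['openid.mode'] != ''}"
        then="openIdSingleSignOnAction"
        else="ticketGrantingTicketExistsCheck" />
</decision-state>

<!-- On "error" (no ticket-granting ticket, or a ticket-granting ticket whose
     principal does not match the claimed OpenID identity) the user must log
     in again. Sending "error" to ticketGrantingTicketExistsCheck instead is
     the misconfiguration discussed in this thread: an existing ticket for a
     different user would let the OpenID request complete for an identity
     that user never proved. -->
<action-state id="openIdSingleSignOnAction">
    <action bean="openIdSingleSignOnAction" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="viewLoginForm" />
    <transition on="warn" to="warn" />
</action-state>
```

The point of keying the decision on openid.mode is that every OpenID request carries it, so a request that lacks it is handled as an ordinary CAS login and never reaches the OpenID action, while a request that has it is forced through the principal comparison and, on mismatch, back to the login form rather than into the existing-ticket path.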

On 23 Jan 2008, at 14:41, Scott Battaglia wrote:

> Kevin,
>
> Would you mind correcting this in Confluence?  If you create an  
> account, you should have the ability to edit that page.
>
> Thanks!
> -Scott
>
> On Jan 23, 2008 8:20 AM, Sewell K H (LCSS) <khsewell at glam.ac.uk>
> wrote:
> For info, I'm now using this (until the config in confluence is  
> corrected), which seems to work fine (and I'm still using the  
> default OpenIdUserNameExtractor):
>
> <action-state id="initialFlowSetup">
>     <action bean="initialFlowSetupAction" />
>     <transition on="success" to="selectFirstAction" />
> </action-state>
>
> <decision-state id="selectFirstAction">
>     <if test="${externalContext.requestParameterMap['openid.trust_root'] != '' &amp;&amp; externalContext.requestParameterMap['openid.trust_root'] != null}"
>         then="openIdSingleSignOnAction"
>         else="ticketGrantingTicketExistsCheck" />
> </decision-state>
>
> <action-state id="openIdSingleSignOnAction">
>     <action bean="openIdSingleSignOnAction" />
>     <transition on="success" to="sendTicketGrantingTicket" />
>     <transition on="error" to="viewLoginForm" />
>     <transition on="warn" to="warn" />
> </action-state>
>
> Regards,
> Kevin
>
> On 21 Jan 2008, at 18:45, Scott Battaglia wrote:
>
>> I think you're right.  It should throw an error if the principals  
>> don't match and force you to log in again.  Not sure how the  
>> configuration got put into confluence wrong.
>>
>> -Scott
>>
>> On Jan 21, 2008 12:52 PM, Sewell K H (LCSS) <khsewell at glam.ac.uk>  
>> wrote:
>> Can't rely on me, sorry, I don't really know what I'm doing yet.
>>
>> I found that if a user has already authenticated with CAS (say, via  
>> mod_auth_cas), and then revisits the CAS server via an OpenID  
>> relying party, the CAS server will verify any URL.
>>
>> I guessed that this is because the Principals are different (so  
>> "error" in the openIdSingleSignOnAction), and so  
>> "ticketGrantingTicketExistsCheck", which will exist as a user has  
>> already authenticated (?). I'm not familiar with webflow though, so  
>> I don't know if the problem is further on down, e.g.,  
>> "renewRequestCheck".
>>
>> Anyway, eventually the user should probably re-authenticate  
>> ("viewLoginForm") if the Principals are different. Also, all the  
>> other "error"s in  login-webflow.xml are "viewLoginForm".
>>
>> Cheers,
>> Kevin
>>
>>
>> On 21 Jan 2008, at 16:30, Scott Battaglia wrote:
>>
>>> You're definitely right about the incorrect  
>>> CredentialsToPrincipalResolver.  I've updated our wiki about  
>>> that.  I can't recall the other thing off the top of my head and  
>>> I'm not set up to test it right now. I'm guessing you have?
>>>
>>> -Scott
>>>
>>> On Jan 21, 2008 10:52 AM, Sewell K H (LCSS) <khsewell at glam.ac.uk>  
>>> wrote:
>>> Hi,
>>>
>>> I've read and followed http://www.ja-sig.org/wiki/display/CASUM/OpenID.
>>>
>>> I'm a bit of a noob, so could you confirm that this:
>>>
>>> <action-state id="openIdSingleSignOnAction">
>>>     <action bean="openIdSingleSignOnAction" />
>>>     <transition on="success" to="sendTicketGrantingTicket" />
>>>     <transition on="error" to="ticketGrantingTicketExistsCheck" />
>>>     <transition on="warn" to="warn" />
>>> </action-state>
>>>
>>> is supposed to be, or is more properly:
>>>
>>> <action-state id="openIdSingleSignOnAction">
>>>     <action bean="openIdSingleSignOnAction" />
>>>     <transition on="success" to="sendTicketGrantingTicket" />
>>>     <transition on="error" to="viewLoginForm" />
>>>     <transition on="warn" to="warn" />
>>> </action-state>
>>>
>>> and this:
>>>
>>> <bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsAuthenticationHandler" />
>>>
>>> is supposed to be:
>>>
>>> <bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsToPrincipalResolver" />
>>>
>>> Thanks,
>>> Kevin
>>>
>>> _______________________________________________
>>> Yale CAS mailing list
>>> cas at tp.its.yale.edu
>>> http://tp.its.yale.edu/mailman/listinfo/cas
>>>
>>>
>>>
>>> -- 
>>> -Scott Battaglia
>>>
>>> LinkedIn: http://www.linkedin.com/in/scottbattaglia  