Authentication providers that require a redirect
Andrew Petro
apetro at unicon.net
Tue Mar 25 18:28:53 EDT 2008
Arnout,

It is quite feasible to "CASify" or "PubCookify" or use OpenID to
authenticate to or otherwise to layer another authentication system,
requiring a redirect, in front of CAS.

This is typically accomplished by using the client libraries for those
other protocols, and often involves use of a Java Servlet Filter. At
least, these are the approaches I tend to recommend.

Under this approach, the work of the CAS AuthenticationHandler becomes
more that of trusting information set into the request or session by the
fronting client library usage than one of validating the credentials
involved in the layered-in-front authentication protocol.

Andrew

Arnout Engelen wrote:
> Hi,
>
> I understand CAS can use many back-ends for performing the desired
> authentication of a user.
>
> Looking at http://www.ja-sig.org/products/cas/server/authenticationhandler,
> it looks like the AuthenticationHandler must perform the entire
> authentication 'under water' based on the Credentials passed to it. I
> don't see any way to support authentication providers that require
> redirecting the user's browser to the authentication provider - such as
> for example OpenID, A-Select or similar services.
>
> Is this correct? If not, how can I implement support for such an
> authentication backend? Any examples/pointers?
>
> If so, looking at http://www.ja-sig.org/products/cas/overview/protocol,
> it's not entirely obvious to me whether this is a limitation of the CAS
> protocol, or merely a limitation of the current CAS implementation. If
> the latter is the case, would this be hard to add?
>
>
> Kind regards,
>
> Arnout
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
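
Added example, not part of the original message and not CAS's own code: a sketch of the trust boundary described in the reply, where a fronting filter records the authenticated principal server-side and the handler only trusts that record. The classes `FrontedRequest`, `FrontingFilter` and `TrustingHandler`, the attribute name and the header name are hypothetical stand-ins for the servlet request, the other protocol's client filter and a CAS AuthenticationHandler.

```java
import java.util.HashMap;
import java.util.Map;

/** Hypothetical stand-in for the servlet request and its session (no container jars needed). */
final class FrontedRequest {
    final Map<String, String> headers = new HashMap<>();      // client-controlled input
    final Map<String, Object> sessionAttrs = new HashMap<>(); // server-side state only
}

/** Plays the role of the fronting protocol's client library / Servlet Filter. */
final class FrontingFilter {
    static final String ATTR = "fronting.authenticated.principal"; // hypothetical attribute name

    /** Assumed to be called only after the fronting protocol's own library validated its response. */
    static void onValidatedLogin(FrontedRequest req, String principal) {
        req.sessionAttrs.put(ATTR, principal);
    }
}

/** Plays the role of the CAS-side handler: it trusts the filter, it validates no credentials itself. */
final class TrustingHandler {
    /** Returns the principal asserted by the filter, or null when none was set. */
    static String authenticate(FrontedRequest req) {
        Object p = req.sessionAttrs.get(FrontingFilter.ATTR);
        // Headers and parameters are deliberately ignored: anything the browser
        // can send is a claim, not evidence of a completed fronting login.
        return (p instanceof String && !((String) p).isEmpty()) ? (String) p : null;
    }
}

public class TrustedFrontingDemo {
    public static void main(String[] args) {
        // Constructed sample: a request carrying only a client-supplied identity header.
        FrontedRequest headerOnly = new FrontedRequest();
        headerOnly.headers.put("X-Remote-User", "sample-user");
        System.out.println("header only -> " + TrustingHandler.authenticate(headerOnly));

        // Constructed sample: the filter recorded a principal after its own validation.
        FrontedRequest fronted = new FrontedRequest();
        FrontingFilter.onValidatedLogin(fronted, "sample-user");
        System.out.println("filter-set  -> " + TrustingHandler.authenticate(fronted));
    }
}
```

Because the handler validates nothing itself, the deployment has to guarantee that every path to the CAS login passes through the fronting filter and that only the filter can write the trusted attribute.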