cas openid authentication

Allen Chen chqh at scut.edu.cn
Wed Mar 26 10:52:10 EDT 2008


Hi, I am working on enabling OpenID for CAS.

Now, I can make CAS retrieve the OpenID request and pass the authentication, since CAS is working in dumb mode. I just construct the request by setting:

openid.mode="checkid_immediate"
openid.return_to="http://allenpc:3000/soid/back.jsp"
openid.identity="http://open.scut.edu/allen"

Then I just post the request by submitting a form with the POST method.

CAS identifies the OpenID and extracts the username "allen", and the CAS login form is presented.
After user allen logs in successfully, CAS returns the following request information:

openid.signed       identity,return_to
openid.assoc_handle       ST-2-IVG2I1oalBrRtTMLypNa-cas
openid.identity       http://open.scut.edu/allen
openid.return_to       http://allenpc:3000/soid/back.jsp
openid.mode       id_res
openid.sig       ER00UaIvP4CQGdbPsuyg0NZjfz0=

Then I use openid.mode=check_authentication to check that the response is valid, and I get the following:
openid.mode:id_res
is_valid:true


My question is that the method I used is not so secure for the OpenID relying party to trust the CAS authentication. Is there any way to make it safer? Something like how CAS uses SSL to send the TGC to the user?

What's more, org.jasig.cas.support.openid.authentication.handler.support.OpenIdCredentialsAuthenticationHandler and org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsToPrincipalResolver never seem to work; only SimpleTestUsernamePasswordAuthenticationHandler works for the login authentication. I followed the wiki instructions exactly to configure it, so I don't understand why this happens.

Thank you in advance!




Allen Chen
2008-03-26
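For readers following the dumb-mode flow in the post, here is an added example (not CAS code and not from the poster) of the checks a relying party does on the id_res response before and after the check_authentication round trip: the return_to must match the RP's own URL, the signed list must cover identity and return_to, each assoc_handle is accepted once, and the direct response is parsed in OpenID's key-value form. The sample values are taken from the response quoted above; no signature is verified here, since that is the provider's job in dumb mode.

```python
"""Relying-party side of OpenID 1.x dumb mode (added example, not CAS code)."""
from urllib.parse import urlencode

# Constructed from the id_res response shown in the post.
ID_RES = {
    "openid.signed": "identity,return_to",
    "openid.assoc_handle": "ST-2-IVG2I1oalBrRtTMLypNa-cas",
    "openid.identity": "http://open.scut.edu/allen",
    "openid.return_to": "http://allenpc:3000/soid/back.jsp",
    "openid.mode": "id_res",
    "openid.sig": "ER00UaIvP4CQGdbPsuyg0NZjfz0=",
}
REQUIRED_SIGNED = {"identity", "return_to"}  # fields the signature must cover


def sanity_check(resp, expected_return_to, seen_handles):
    """Checks the RP must do itself; is_valid alone does not cover them."""
    if resp.get("openid.mode") != "id_res":
        return False
    # A response bound to someone else's return_to must not be accepted.
    if resp.get("openid.return_to") != expected_return_to:
        return False
    signed = set(resp.get("openid.signed", "").split(","))
    if not REQUIRED_SIGNED <= signed:
        return False
    # A handle replayed after a successful login is rejected.
    handle = resp.get("openid.assoc_handle", "")
    if not handle or handle in seen_handles:
        return False
    seen_handles.add(handle)
    return True


def build_check_authentication(resp):
    """POST body for the direct provider call: same fields, mode swapped."""
    params = dict(resp)
    params["openid.mode"] = "check_authentication"
    return urlencode(params)


def parse_kv_response(body):
    """Parse the 'key:value' lines of the direct response."""
    out = {}
    for line in body.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def is_valid(body):
    """True only if the provider answered exactly is_valid:true."""
    return parse_kv_response(body).get("is_valid") == "true"
```

The direct call must go to the provider endpoint over TLS, not to any URL taken from the browser-supplied response.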