cas openid authentication
Scott Battaglia
scott.battaglia at gmail.com
Wed Mar 26 11:13:27 EDT 2008
Even with the OpenIdCredentialsAuthenticationHandler, you still need to
configure an AuthenticationHandler that can authenticate your users. The
OpenId handler is merely to confirm that the TGT principal and the OpenId
principal match on subsequent requests.
-Scott
On Wed, Mar 26, 2008 at 10:52 AM, Allen Chen <chqh at scut.edu.cn> wrote:
> Hi, I am working on enabling openid for cas.
>
> Now, I can make the CAS retrieve the openid request and pass the
> authentication.
> Since the cas is working on the dumb mode.
> And I just construct the request by setting
> openid.mode="checkid_immediate"
> openid.return_to="http://allenpc:3000/soid/back.jsp"
> openid.identity="http://open.scut.edu/allen"
>
> Then I just post the request by submitting a form with post method.
>
> And the CAS identified the openid and extracted the username "allen", and
> the login form for cas is promoted.
> After user allen logs in successfully, the cas returns the following request
> information:
>
> openid.signed identity,return_to
> openid.assoc_handle ST-2-IVG2I1oalBrRtTMLypNa-cas
> openid.identity http://open.scut.edu/allen
> openid.return_to http://allenpc:3000/soid/back.jsp
> openid.mode id_res
> openid.sig ER00UaIvP4CQGdbPsuyg0NZjfz0=
>
> then I use the openid.mode=check_authentication to check the response is
> valid.
> Then I get the following:
> openid.mode:id_res
> is_valid:true
>
>
> My question is that the method I used is not so secure for the openid
> relying party to trust the cas authentication. Is there any way to make it
> safer? Something like CAS use SSL to send the TGC to the user?
>
> What's more, the
> org.jasig.cas.support.openid.authentication.handler.support.OpenIdCredentialsAuthenticationHandler and
> org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsToPrincipalResolver seem to never work, only the SimpleTestUsernamePasswordAuthenticationHandler
> works for the login authentication. I followed the wiki instructions exactly to
> configure it, so I don't get why it happens.
>
> Thank you in advance!
>
> ------------------------------
> Allen Chen
> 2008-03-26
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
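
The dumb-mode (stateless) verification described in the quoted message, seen from the relying party's side, as an added example that is not part of the original thread and is not CAS code. Function names are hypothetical, the sample values are copied from the quoted message, and the POST to the provider is left out so the block runs offline.

```python
from urllib.parse import urlencode

REQUIRED_SIGNED = {"identity", "return_to"}  # fields this relying party depends on

def check_assertion(params, expected_return_to):
    """Local checks on an id_res response, done before contacting the provider."""
    if params.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if params.get("openid.return_to") != expected_return_to:
        raise ValueError("return_to does not match this relying party")
    signed = set(params.get("openid.signed", "").split(","))
    if REQUIRED_SIGNED - signed:
        raise ValueError("identity and return_to must both be signed")
    needed = ["openid." + f for f in signed] + ["openid.assoc_handle", "openid.sig"]
    if any(not params.get(name) for name in needed):
        raise ValueError("response is missing a signed or required field")
    return signed

def build_check_authentication(params, signed):
    """Form body for the direct POST to the provider (send it over HTTPS)."""
    body = {"openid.mode": "check_authentication",
            "openid.assoc_handle": params["openid.assoc_handle"],
            "openid.sig": params["openid.sig"],
            "openid.signed": params["openid.signed"]}
    for field in sorted(signed):
        if field != "mode":  # mode is always replaced by check_authentication
            body["openid." + field] = params["openid." + field]  # value unchanged
    return urlencode(body)

def provider_confirms(response_text):
    """Parse the key:value reply; only an exact is_valid:true counts as success."""
    fields = {}
    for line in response_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields.get("is_valid") == "true"

# Sample input: the id_res response quoted in the message above.
ASSERTION = {
    "openid.mode": "id_res",
    "openid.signed": "identity,return_to",
    "openid.assoc_handle": "ST-2-IVG2I1oalBrRtTMLypNa-cas",
    "openid.identity": "http://open.scut.edu/allen",
    "openid.return_to": "http://allenpc:3000/soid/back.jsp",
    "openid.sig": "ER00UaIvP4CQGdbPsuyg0NZjfz0=",
}
RETURN_TO = "http://allenpc:3000/soid/back.jsp"
```

In this mode the relying party never checks the signature itself, so the result is only as trustworthy as the channel used for the `check_authentication` request.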