On Tue, Aug 2, 2011 at 12:05 PM, Andrew Petro <[email protected]> wrote:

> **
> <snip />
>
> Another thought is that ability to login to CAS without logging in to a
> particular service is a misfeature at this point in CAS's evolution.  In
> practice, too few users and institutions are prepared to understand, brand,
> and support what is at best a fringe use case of logging in to CAS for the
> sake of establishing an SSO session without logging in to any CAS-reliant
> service.  I don't want to log in to CAS.  I want to log in to the portal, or
> LMS, or something, and maybe that incidentally creates an SSO session.  As
> such, I suggest that CAS evolve to not bother to prompt for credentials and
> instead present a polite but useless message when users visit CAS directly
> without specifying a service - retire the
> issuing-TGT-for-the-sake-of-establishing-SSO-session-only feature.
>

+1

though you need to cover the case when you're already logged into CAS and
you get to that page.




>
> Andrew
>
>
>
> On 08/02/2011 11:08 AM, William G. Thompson, Jr. wrote:
>
> Possibly another edge case...not sure.
>
> * Configure casapp service to opt-out of SSO via SM
> * Login directly to cas without a service parameter  (i.e. /cas/login)
>  and get a TGT
> * Login to casspp without credential challenge.  (expected to be challenged)
>
> The result is an ability to by-pass the CAS Administrators indication
> that the app in question opt-out of SSO and always challenge for
> credentials.
>
> from CentralAuthenticationServiceImpl.grantServiceTicket():
>         if (!registeredService.isSsoEnabled() && credentials == null
>             && ticketGrantingTicket.getCountOfUses() > 0) {
>             log.warn("ServiceManagement: Service Not Allowed to use
> SSO.  Service [" + service.getId() + "]");
>             throw new UnauthorizedSsoServiceException();
>
> Since the TGT was issued by CAS without a ServiceTicket,
> getCountOfUsers == 0, so no credential challenge is issued, despite
> the config to do otherwise.
>
> I get that in practice it is likely that the CAS actually did just
> challenge for credentials on the TGT issuance, so perhaps this is OK
> from a security standpoint.  Still it confused the deployer/cas admin
> for a bit.
>
> Thoughts?
>
> Bill
>
>
>
> --
> You are currently subscribed to [email protected] as: 
> [email protected]
>
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
>
>

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev

Reply via email to