OK.  Captured as https://issues.jasig.org/browse/CAS-1020


On Tue, Aug 2, 2011 at 12:16 PM, Scott Battaglia
<[email protected]> wrote:
>
>
> On Tue, Aug 2, 2011 at 12:05 PM, Andrew Petro <[email protected]> wrote:
>>
>> <snip />
>> Another thought is that ability to login to CAS without logging in to a
>> particular service is a misfeature at this point in CAS's evolution.  In
>> practice, too few users and institutions are prepared to understand, brand,
>> and support what is at best a fringe use case of logging in to CAS for the
>> sake of establishing an SSO session without logging in to any CAS-reliant
>> service.  I don't want to log in to CAS.  I want to log in to the portal, or
>> LMS, or something, and maybe that incidentally creates an SSO session.  As
>> such, I suggest that CAS evolve to not bother to prompt for credentials and
>> instead present a polite but useless message when users visit CAS directly
>> without specifying a service - retire the
>> issuing-TGT-for-the-sake-of-establishing-SSO-session-only feature.
>
> +1
> though you need to cover the case when you're already logged into CAS and
> you get to that page.
>
>
>>
>> Andrew
>>
>>
>> On 08/02/2011 11:08 AM, William G. Thompson, Jr. wrote:
>>
>> Possibly another edge case...not sure.
>>
>> * Configure casapp service to opt-out of SSO via SM
>> * Login directly to cas without a service parameter  (i.e. /cas/login)
>>  and get a TGT
>> * Login to casspp without credential challenge.  (expected to be
>> challenged)
>>
>> The result is an ability to by-pass the CAS Administrators indication
>> that the app in question opt-out of SSO and always challenge for
>> credentials.
>>
>> from CentralAuthenticationServiceImpl.grantServiceTicket():
>>         if (!registeredService.isSsoEnabled() && credentials == null
>>             && ticketGrantingTicket.getCountOfUses() > 0) {
>>             log.warn("ServiceManagement: Service Not Allowed to use
>> SSO.  Service [" + service.getId() + "]");
>>             throw new UnauthorizedSsoServiceException();
>>
>> Since the TGT was issued by CAS without a ServiceTicket,
>> getCountOfUsers == 0, so no credential challenge is issued, despite
>> the config to do otherwise.
>>
>> I get that in practice it is likely that the CAS actually did just
>> challenge for credentials on the TGT issuance, so perhaps this is OK
>> from a security standpoint.  Still it confused the deployer/cas admin
>> for a bit.
>>
>> Thoughts?
>>
>> Bill
>>
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>>
>>
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-dev
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev

Reply via email to