Hi there,

We currently have a CAS server installation running. We got the X509 authentication handler running (good!) and the LDAP authentication handler running (also good!). But currently these two exist only as separate sequential steps (not so good). What we ideally want is a configuration whereby CAS will reject authentication requests where the supplied certificate does not correspond to the person identified in the LDAP bind step (i.e., the certificate's subject email address does not match the email address in the LDAP for the supplied username).

From what I've read of CAS it does not appear to support this. Any certificate signed by a trusted CA is accepted by CAS. There is a way to extract the subject email address from the certificate (using credentialsToPrincipalResolver), and there's also a means to map from a user id to an email address supplied in an LDAP - but it does not seem possible to add custom logic to compare these two (and, if the check passes, then populate the principal resolver with the username - not the email address).

Currently one of our application servers has a single server+client certificate signed by a well known root CA. Consequently, our CAS installation will authenticate any visitor who presents a valid (server) certificate signed by this CA - regardless of the subject of the certificate. This sadly renders the X509 check redundant, as it's trivial for an external person to acquire a certificate from a root CA.

Furthermore, we want to ensure that one of our employees cannot easily access another user's account if they only have the other user's password. Yet our current CAS installation allows this (i.e., they can just use their own certificate - CAS doesn't care).

Is this something CAS can do for us? If not, is it already on the radar (wishlist) yet?
Cheers,
Andy

--
Andy Cowling | UK Core IT, Interactive Data Managed Solutions Ltd
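The check Andy is asking for, written out as an added example (this is not CAS code and not part of the original mail): the certificate is given in the dict layout Python's `ssl.SSLSocket.getpeercert()` returns, the LDAP directory is a constructed stub keyed by username, and the resolver yields the username as the principal only when an e-mail in the certificate matches an LDAP `mail` value for the user who bound. A certificate carrying no e-mail at all (such as a server certificate from the same CA) is rejected.

```python
# Added example, not CAS's own code. Binds an X.509 client certificate to the
# LDAP user by comparing e-mail addresses, and returns the *username* (not the
# e-mail) as the principal on success, None (reject) otherwise.

# Constructed stand-in for the LDAP directory: username -> `mail` values.
LDAP_MAIL = {
    "acowling": ["andy.cowling@example.com"],
    "bsmith": ["bsmith@example.com", "bob.smith@example.com"],
}


def cert_emails(cert):
    """Collect e-mail addresses from the subject DN (emailAddress RDN) and
    from subjectAltName rfc822Name entries, lower-cased for comparison."""
    found = set()
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "emailAddress":
                found.add(value.strip().lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "email":
            found.add(value.strip().lower())
    return found


def resolve_principal(username, cert, directory=LDAP_MAIL):
    """Return `username` as the principal only if one of the certificate's
    e-mail addresses matches an LDAP mail value for that username.
    A certificate without any e-mail address never matches."""
    emails = cert_emails(cert)
    if not emails:
        return None
    ldap_mails = {m.strip().lower() for m in directory.get(username, [])}
    return username if emails & ldap_mails else None


# Constructed sample certificates in getpeercert() layout.
ANDY_CERT = {
    "subject": ((("countryName", "GB"),), (("commonName", "Andy Cowling"),),
                (("emailAddress", "Andy.Cowling@example.com"),)),
    "subjectAltName": (("email", "andy.cowling@example.com"),),
}
SERVER_CERT = {  # server certificate from the same CA: no e-mail, must reject
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}
```

`resolve_principal("bsmith", ANDY_CERT)` is the "own certificate plus someone else's password" case from the mail and returns None.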