Hi Bill,

Thanks for the advice. ClearPass is already installed and working with a Liferay portal, but the .NET example you pointed me at really helped me get my test CGI going. I'm now getting org.jasig.cas.client.validation.InvalidProxyChainTicketValidationException, which I expect because I don't (yet) have the URL of the test CGI in the allowedProxyChains bean.

Is there a way that I could configure allowedProxyChains to accept any URL with a specific domain? Something that would automatically allow any path from any sub-domain, with an end of allowing, for example, https://**.devnet.example.edu/** but do not allow anything from example.edu or any other subdomain of example.edu unless they are separately specified?

-- 
Joel Goguen
Developer
Enterprise Solutions
Integrated Technology Services
University of New Brunswick
E-mail: [email protected]
Phone: (506) 453-4872
Fax: (506) 453-3590

On 11-10-28 10:07, "William G. Thompson, Jr." <[email protected]> wrote:

>On Wed, Oct 26, 2011 at 7:25 AM, Joel Goguen <[email protected]> wrote:
>> I'm trying to figure out how to fetch a user's credentials from clearPass
>> from a CGI script. Currently, this CGI script is behind a CAS-authenticated
>> directory (using mod_auth_cas in Apache) but that could change if
>> needed. I'm trying to use the Perl AuthCAS module, but I'm not having much
>> luck whether I let Apache handle the CAS authentication or not.
>> So far, I have been able to (outside a CAS directory) validate a service
>> ticket ($cas->validateST()) and get a proxy ticket ($cas->receivePT()) and
>> validate the proxy ticket ($cas->validatePT()), but I'm uncertain of where
>> to go from there. The proxy callback URL I set in the CGI is another CGI I
>> wrote that only stores the PGT and PGT IOU in a file using $cas->storePGT().
>> I suspect I will need to add the URL for the CGI to the allowedProxyChains
>> bean in deployerConfigContext.xml as well?
>
>To start you need to make sure you have clearPass installed and configured.
>https://wiki.jasig.org/display/CASUM/ClearPass
>https://github.com/wgthom/clearpass-cas
>
>Next...the CGIService needs to acquire a PGT when validating the ST.
>Using the PGT, the CGIService must request a Proxy Ticket for clearPass.
>Using the PT, CGIService requests username/password from clearPass.
>
>CasOwa provides an example of this using the .Net CAS Client:
>https://github.com/wgthom/CasOwa/blob/master/CasOwaAuthHandler.cs
>
>Also note that your CGIService doesn't need to be configured to
>accept proxy tickets for authentication in order to use them.
>
>Best,
>Bill

-- 
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
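
Added example, not part of the original thread and not the CAS client's own code: one way to express the host rule asked about above (https only, any strict subdomain of devnet.example.edu, nothing else under example.edu) as a check over the proxy chain in a CAS 2.0 proxyValidate response. The sample response, the user jdoe and the function names are constructed for illustration, and the bare host devnet.example.edu is assumed to fall outside the rule.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
ALLOWED_SUFFIX = "devnet.example.edu"  # assumption: the domain from the question

# Constructed sample response; host, path and user are illustrative only.
SAMPLE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxies>
      <cas:proxy>https://portal.devnet.example.edu/cgi-bin/pgtCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""


def proxy_chain(xml_text):
    """Return the proxy callback URLs listed in a proxyValidate response."""
    root = ET.fromstring(xml_text)
    nodes = root.findall(".//cas:proxies/cas:proxy", CAS_NS)
    return [(n.text or "").strip() for n in nodes]


def host_allowed(url, suffix=ALLOWED_SUFFIX):
    """True only for https URLs whose host is a strict subdomain of suffix."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False  # malformed URL: reject rather than guess
    # Compare the parsed host, never the raw string, and refuse userinfo,
    # so "allowed-host@other-host" style URLs cannot satisfy the rule.
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    # The leading dot forces a label boundary before the suffix.
    return host.endswith("." + suffix)


def chain_allowed(urls):
    """Accept a chain only if it is non-empty and every proxy matches."""
    return bool(urls) and all(host_allowed(u) for u in urls)


if __name__ == "__main__":
    chain = proxy_chain(SAMPLE)
    print(chain, chain_allowed(chain))
```
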
