Hello,
Actually we're using CAS with X509 smartcard certificate and
login/password against AD as a fallback authentication method.
Here are the major issues I had to solve:
- The wiki entry about X509 [1] does not cover our use case,
unfortunately: Apache front-end + mod_jk + Tomcat. In this case, Apache
must pass the whole certificate on to Tomcat, and some configuration is
needed to achieve this.
- We do not manage the certificates; it's done by a third-party
company, so I had to write a Credential to Principal resolver class to
extract the right attribute (the Kerberos principal recorded in the
subjectAltName field, in our case).
- CRL checking is critical with X509 certificates, but LDAP lookups
for CRLs are not yet implemented by the classes bundled with CAS; thanks to
Marvin for giving me a workaround.
Rgds.
[1] https://wiki.jasig.org/display/CASUM/X.509+Certificates
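The resolver described above, extracting the Kerberos principal (the Microsoft UPN otherName, OID 1.3.6.1.4.1.311.20.2.3) from subjectAltName, as an added illustration that is not the poster's code nor part of CAS. It assumes only the JDK: `getSubjectAlternativeNames()` returns otherName entries as DER bytes of `OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }`, which is walked by hand; the hook into a CAS resolver class (e.g. a `resolvePrincipalInternal` override) is left to the reader, since its name depends on the CAS version.

```java
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

/** Resolves a principal from the UPN otherName in subjectAltName (illustrative, not CAS code). */
public final class UpnFromSubjectAltName {

    /** DER-encoded OID 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN otherName type-id). */
    private static final byte[] UPN_OID_DER = {
        0x2b, 0x06, 0x01, 0x04, 0x01, (byte) 0x82, 0x37, 0x14, 0x02, 0x03 };

    /** Reads a DER length (short or long form) at pos[0] and advances past it. */
    private static int readLength(byte[] d, int[] pos) {
        int b = d[pos[0]++] & 0xff;
        if (b < 0x80) return b;
        int n = b & 0x7f, len = 0;
        for (int i = 0; i < n; i++) len = (len << 8) | (d[pos[0]++] & 0xff);
        return len;
    }

    /** Returns the UPN string if this OtherName carries the UPN OID, else null (malformed input also yields null). */
    static String upnFromOtherName(byte[] der) {
        try {
            int[] p = {0};
            if (der[p[0]++] != 0x30) return null;            // SEQUENCE
            readLength(der, p);
            if (der[p[0]++] != 0x06) return null;            // OID
            int oidLen = readLength(der, p);
            byte[] oid = Arrays.copyOfRange(der, p[0], p[0] + oidLen);
            p[0] += oidLen;
            if (!Arrays.equals(oid, UPN_OID_DER)) return null; // some other otherName type
            if ((der[p[0]++] & 0xff) != 0xA0) return null;   // [0] EXPLICIT wrapper
            readLength(der, p);
            if (der[p[0]++] != 0x0C) return null;            // UTF8String
            int len = readLength(der, p);
            return new String(der, p[0], len, StandardCharsets.UTF_8);
        } catch (ArrayIndexOutOfBoundsException truncated) {
            return null; // reject truncated DER rather than trusting a partial value
        }
    }

    /** Walks subjectAltName; entry type 0 is otherName, delivered by the JDK as raw DER bytes. */
    static String resolvePrincipal(X509Certificate cert) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return null;                       // no SAN extension: do not authenticate
        for (List<?> san : sans) {
            if ((Integer) san.get(0) == 0) {
                String upn = upnFromOtherName((byte[]) san.get(1));
                if (upn != null) return upn;
            }
        }
        return null;
    }
}
```

A null return should be treated as authentication failure rather than falling back to the subject DN, so a certificate lacking the expected UPN cannot map to an unintended account.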
On 13/01/2012 17:16, Eric Hanson wrote:
Has anyone worked on CAC/PKI enabling CAS? We use CAS to authenticate users to
our Sakai instance. As a US Department of Defense medical school we would like
to leverage the Common Access Card which all military personnel use to
authenticate to networks so that once the user authenticates to their system
they would also be able to authenticate to CAS and its supported systems.
Has anyone done work in this area?
Thank you,
Eric
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user