On Fri, 11 Jan 2013, Dmitriy Kopylenko wrote:

Usually CAS client's useSession=true is the culprit here.

Dmitriy.

Sent from my iPhone

On Jan 11, 2013, at 19:45, Andrew Morgan <mor...@orst.edu> wrote:

On Wed, 9 Jan 2013, Andrew Petro wrote:

Hi Farzan,

Shibboleth can be complex, yes, with much to learn about it and many
opportunities to configure.

The CAS-Shibboleth bridging piece isn't too bad.  Here's my favorite
solution:

https://github.com/Unicon/shib-cas-authenticator

I thought this presentation was pretty good:

https://wiki.jasig.org/x/AxMoAw

Hope that helps,

Andrew

I watched this presentation and read about the shib-cas-authenticator. Neat 
stuff!

I have already configured Shibboleth IdP v2.3.8 to use CAS authentication as 
described here:

 https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration

(Install the CAS Client for Java, configure IdP to use the RemoteUser 
LoginHandler).

After seeing your presentation, I commented out the PreviousSession 
LoginHandler in handler.xml, thinking that all requests to the IdP would go 
back to CAS.  My goal was to have just a single SSO session rather than CAS + 
Shibboleth SSO sessions.

However, it appears that the CAS Client for Java in the IdP is keeping the session 
"alive".  Even if I log out of CAS, I am not redirected to CAS for a new ST the 
next time I use the IdP.  I assume the CAS Client for Java is storing my authenticated 
state in the JSESSION.

Any thoughts on this?  Would setting useSession=false on the CAS Validation 
Filter work?  Can the CAS and Shibboleth sessions be bridged without using the 
shib-cas-authenticator?

Thanks,
   Andy

I tried setting useSession=false in Shibboleth's web.xml file. However, that left me with an infinite loop of redirects when I tried to authenticate! :)

"GET /idp-dev/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fempcenter-dev2.ucsadm.oregonstate.edu HTTP/1.1" 302 710
"GET /idp-dev/AuthnEngine HTTP/1.1" 302 389
"GET /idp-dev/Authn/RemoteUser HTTP/1.1" 302 357
"GET /cas-dev/login?service=https%3A%2F%2Flogin.oregonstate.edu%2Fidp-dev%2FAuthn%2FRemoteUser HTTP/1.1" 302 437
"GET /cas-dev/serviceValidate?ticket=ST-2-ASl15bbRXGS3cf1fBPvL-login1&service=https%3A%2F%2Flogin.oregonstate.edu%2Fidp-dev%2FAuthn%2FRemoteUser HTTP/1.1" 200 2797
"GET /idp-dev/Authn/RemoteUser?ticket=ST-2-ASl15bbRXGS3cf1fBPvL-login1 HTTP/1.1" 302 325
"GET /idp-dev/Authn/RemoteUser HTTP/1.1" 302 357
"GET /cas-dev/login?service=https%3A%2F%2Flogin.oregonstate.edu%2Fidp-dev%2FAuthn%2FRemoteUser HTTP/1.1" 302 437
"GET /cas-dev/serviceValidate?ticket=ST-3-4grkT451LJjyZ6crtnIw-login1&service=https%3A%2F%2Flogin.oregonstate.edu%2Fidp-dev%2FAuthn%2FRemoteUser HTTP/1.1" 200 602
"GET /idp-dev/Authn/RemoteUser?ticket=ST-3-4grkT451LJjyZ6crtnIw-login1 HTTP/1.1" 302 325
"GET /idp-dev/Authn/RemoteUser HTTP/1.1" 302 357

etc.

After that, I tried setting redirectAfterValidation=false, but then Shibboleth gave me an error:

14:09:35.449 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:563] - Authentication failed with the error:
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException: No user identified by login handler.

Since that didn't work, I put the CAS client configuration back to defaults (useSession=true, redirectAfterValidation=true). I tried setting Shibboleth's session timeout from 30 minutes to 1 minute by changing internal.xml's SessionManager. However, it doesn't seem to take effect in the way I thought. I logged into Shibboleth/CAS, which fetched an ST from CAS. After a few minutes, I logged into Shibboleth again, but it never tried to fetch a new ST. I suppose that even if the Shibboleth session was timed out, the CAS client still reused the session.

Is there a way to control the session timeout in the CAS Client for Java? I see a setting for that in mod_auth_cas, but I haven't found anything for the Java client.

Any other thoughts? Does anyone have this working? Should I give up and use Unicon's shib-cas-authenticator?

Thanks,
        Andy
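As an added illustration (not the Jasig CAS Client for Java's code, nor anything posted in this thread), here is a simplified Python model of what the Validation Filter's useSession setting does in front of the IdP's RemoteUser handler. CasServer, IdpRemoteUser and the user name amorgan are constructed stand-ins, and redirectAfterValidation is assumed to stay at its default of true. The model reproduces the two outcomes reported above: with useSession=true the cached assertion survives a CAS logout (and an IdP session timeout, which just re-runs the handler), so no new ST is ever fetched; with useSession=false the ticket-less request after validation has no assertion and bounces back to /cas-dev/login forever.

```python
# Added example: simplified model of the CAS client filters, not the real client code.
SERVICE = "https://login.oregonstate.edu/idp-dev/Authn/RemoteUser"  # from the logs above


class CasServer:
    """Constructed stand-in for /cas-dev: issues single-use service tickets."""
    def __init__(self):
        self.sso_active = False   # the user's CAS SSO session
        self.issued = {}          # ticket -> (service, user)
        self.tickets = 0          # how many STs were handed out

    def login(self, service):
        self.sso_active = True    # credentials are prompted for if no SSO session exists
        self.tickets += 1
        ticket = "ST-%d-constructed" % self.tickets
        self.issued[ticket] = (service, "amorgan")   # constructed user name
        return ticket

    def logout(self):
        self.sso_active = False   # /cas-dev/logout: SSO session gone

    def validate(self, ticket, service):
        svc, user = self.issued.pop(ticket, (None, None))  # an ST validates only once
        return user if svc == service else None


class IdpRemoteUser:
    """CAS Authentication + Validation filters in front of /idp-dev/Authn/RemoteUser."""
    def __init__(self, cas, use_session=True):
        self.cas = cas
        self.use_session = use_session
        self.servlet_session = {}  # JSESSIONID-backed state the CAS client writes into

    def authenticate(self, max_hops=8):
        """One run of the RemoteUser login handler (fresh IdP login, or the IdP re-running
        it after its own session timed out). Returns ("user", name) or ("loop", hops)."""
        hops, ticket = 0, None
        while hops < max_hops:
            if ticket:  # Validation Filter: check the ST, cache the assertion only if useSession
                user = self.cas.validate(ticket, SERVICE)
                if self.use_session and user:
                    self.servlet_session["cas_assertion"] = user
                hops += 1
                ticket = None        # redirectAfterValidation=true: 302 back without the ticket
                continue
            user = self.servlet_session.get("cas_assertion")  # Authentication Filter
            if user:
                return ("user", user)  # cached assertion: CAS is never contacted again
            hops += 1
            ticket = self.cas.login(SERVICE)  # 302 /cas-dev/login?service=...
        return ("loop", hops)
```

Running the model with useSession=true, then calling cas.logout() and authenticating again, shows the ticket count stay at 1; with useSession=false authenticate() returns ("loop", 8) after fetching a new ST on every other hop, which is exactly the pattern in the access log.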
