On Tue, 19 Mar 2013, Michael Easthope wrote:

Hi,

Has anyone got any experience in securing access to /samlValidate to share?

We are going to be using /samlValidate to return user attributes to whitelisted
CAS client sites (and hopefully mobile applications) and I'm interested in
how other people have secured access to /samlValidate.

A little bit of web searching shows me that Princeton uses an SSL callback
to authenticate its web apps (
https://sp.princeton.edu/oit/sdp/CAS/Wiki%20Pages/CAS%20samlValidate%20walkthrough.aspx
).
I don't think this would work for a mobile app where there is no appropriate
URL to attach the SSL callback to?

I'm considering two approaches:

1) Make access to samlValidate dependent on the application itself being
able to authenticate as a separate CAS user. This seems like the best
approach in theory - but the implementation seems very complex for all the
client sites and applications. I'd like to keep the client experience as
standard as possible so developers can just use the standard CAS libraries
and plugins.

2) Just issuing secret keys to the applications and making the key a part
of the /samlValidate URL. This seems simpler but it is not ideal because
(amongst other problems) there is no easy way to update them if they are
discovered.

Any suggestions?

In order to successfully call /samlValidate, the CAS client must present a valid Service Ticket. Is there a reason this is not sufficient security?

I'm not sure why Princeton added an SSL callback.

        Andy
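To make Andy's point concrete, here is a small toy model (added to this thread; it is not CAS server code and the names, TTL and sample service URLs are my own assumptions) of the checks a /samlValidate endpoint already performs before releasing attributes: the service ticket is bound to the service URL the browser was redirected to, is single-use and short-lived, and attribute release is then gated by a per-service whitelist.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed short ticket lifetime; pick the value your deployment uses.
TICKET_TTL_SECONDS = 10


@dataclass
class ServiceTicket:
    ticket_id: str
    service: str       # service URL the ticket was granted for
    user: str
    issued_at: float
    consumed: bool = False


class TicketRegistry:
    def __init__(self, attribute_whitelist):
        # service URL -> attributes /samlValidate may release to that service
        self.attribute_whitelist = attribute_whitelist
        self.tickets = {}

    def grant(self, user, service, now=None):
        # Issued after the user authenticated; the browser carries the
        # ticket back to exactly this service URL (toy ticket format).
        st = ServiceTicket("ST-" + secrets.token_urlsafe(24), service, user,
                           time.time() if now is None else now)
        self.tickets[st.ticket_id] = st
        return st.ticket_id

    def saml_validate(self, ticket_id, service, now=None):
        # Returns (ok, failure_code) or (ok, released attributes).
        now = time.time() if now is None else now
        st = self.tickets.get(ticket_id)
        if st is None:
            return False, "INVALID_TICKET"
        if st.consumed:
            return False, "TICKET_ALREADY_USED"   # replay of a captured ticket
        st.consumed = True                         # burn it even if checks below fail
        if now - st.issued_at > TICKET_TTL_SECONDS:
            return False, "TICKET_EXPIRED"
        if st.service != service:
            return False, "INVALID_SERVICE"        # redeemed by a different site
        allowed = self.attribute_whitelist.get(service)
        if allowed is None:
            return False, "SERVICE_NOT_WHITELISTED"
        return True, {"user": st.user, "attributes": sorted(allowed)}
```

A site that is not on the whitelist, or that did not receive the ticket via the user's browser redirect, cannot obtain attributes even if it knows the endpoint URL, which is the property a separate shared secret would be trying to add.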

--
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user