On 05.07.13 16:26, Marvin S. Addison wrote:
Can you give an example of what you mean with "various policies"?

The CAS service manager ships with the ability to explicitly deny
proxy capability to registered services. We make healthy use of this
feature at Virginia Tech. I'm sure I could invent additional policies
if pressed.

IIUC you control CAS, but you don't control the implementation of the
registered services, right?

In practice you control both, since registered service components are part of the CAS server. In order to implement additional proxy authentication controls, one strategy would be to add additional registered service metadata that is enforced by other CAS components.

Are you referring to services as described in chapter 7 of

http://www.unicon.net/files/cas-server-3-4-11-snapshot-manual.pdf

?

I have started to implement the proxying according to

https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough

and I made it as far as step four, which means I am able to retrieve a "pgt Id", but when asking for the proxy ticket, e.g.

https://127.0.0.1:7443/cas-server-webapp-3.5.2/proxy?pgt=TGT-19-3QQLN7TXfzsiqO21Gq47YtivVYEtJaqBytEqKMeTupyv3XbR4E-cas01.example.org&targetService=TODO

then I receive the following reply from CAS:

<?xml version="1.0" encoding="UTF-8"?><cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
        <cas:proxyFailure code="UNAUTHORIZED_SERVICE">
                UNAUTHORIZED_SERVICE_PROXY
        </cas:proxyFailure>
</cas:serviceResponse>


Is that because I need to register my service "TODO"?

Thanks again for your help

Michael
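
An added example, not part of this email or of the CAS project's code: a small Python helper that builds the `/proxy` request with both parameters URL-encoded and turns the reply into either a proxy ticket or a typed failure carrying the CAS error code. The names `proxy_url`, `parse_proxy_response` and `ProxyFailure`, the target service URL and the success reply are constructed for illustration; the failure reply is the one quoted in the message above.

```python
# Added example: client-side handling of a CAS 2.0 /proxy exchange.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

class ProxyFailure(Exception):
    """Raised when CAS answers with <cas:proxyFailure>."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code
        self.message = message

def proxy_url(cas_base, pgt, target_service):
    """Build the /proxy URL; targetService is usually a URL and must be encoded."""
    query = urlencode({"pgt": pgt, "targetService": target_service})
    return f"{cas_base.rstrip('/')}/proxy?{query}"

def parse_proxy_response(xml_text):
    """Return the proxy ticket, or raise ProxyFailure with the server's code."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        raise ValueError("not a CAS serviceResponse")
    failure = root.find("cas:proxyFailure", CAS_NS)
    if failure is not None:
        raise ProxyFailure(failure.get("code", "UNKNOWN"),
                           (failure.text or "").strip())
    ticket = root.find("cas:proxySuccess/cas:proxyTicket", CAS_NS)
    if ticket is None or not (ticket.text or "").strip():
        raise ValueError("response has neither proxyTicket nor proxyFailure")
    return ticket.text.strip()

# Failure reply as quoted in the message above.
FAILURE_REPLY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">\n'
    '        <cas:proxyFailure code="UNAUTHORIZED_SERVICE">\n'
    '                UNAUTHORIZED_SERVICE_PROXY\n'
    '        </cas:proxyFailure>\n'
    '</cas:serviceResponse>\n'
)
# Constructed success reply in the CAS 2.0 format (ticket value is made up).
SUCCESS_REPLY = (
    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    '<cas:proxySuccess><cas:proxyTicket>PT-1-constructed</cas:proxyTicket>'
    '</cas:proxySuccess></cas:serviceResponse>'
)
```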
