For info, I'm now using this (until the config in confluence is
corrected), which seems to work fine (and I'm still using the default
OpenIdUserNameExtractor):
<action-state id="initialFlowSetup">
  <action bean="initialFlowSetupAction" />
  <transition on="success" to="selectFirstAction" />
</action-state>
<decision-state id="selectFirstAction">
  <if test="${externalContext.requestParameterMap['openid.trust_root'] != '' &amp;&amp; externalContext.requestParameterMap['openid.trust_root'] != null}"
      then="openIdSingleSignOnAction"
      else="ticketGrantingTicketExistsCheck" />
</decision-state>
<action-state id="openIdSingleSignOnAction">
  <action bean="openIdSingleSignOnAction" />
  <transition on="success" to="sendTicketGrantingTicket" />
  <transition on="error" to="viewLoginForm" />
  <transition on="warn" to="warn" />
</action-state>
Regards,
Kevin
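As an added check (not code from this thread or from CAS itself), the script below parses a login-webflow.xml fragment and flags the transition discussed above: an "error" from openIdSingleSignOnAction that falls through to ticketGrantingTicketExistsCheck instead of viewLoginForm. The embedded webflow fragment is constructed to mirror the wiki config, and the webflow xmlns is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the openIdSingleSignOnAction state as quoted
# from the wiki, wrapped in a root element so it parses on its own.
WIKI_FLOW = """<flow xmlns="http://www.springframework.org/schema/webflow">
  <action-state id="openIdSingleSignOnAction">
    <action bean="openIdSingleSignOnAction" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="ticketGrantingTicketExistsCheck" />
    <transition on="warn" to="warn" />
  </action-state>
</flow>"""

# Same fragment with the error transition pointed at the login form instead.
FIXED_FLOW = WIKI_FLOW.replace(
    'on="error" to="ticketGrantingTicketExistsCheck"',
    'on="error" to="viewLoginForm"')


def _local(tag):
    """Strip the webflow namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def error_transitions(flow_xml):
    """Map each action-state id to the target of its 'error' transition."""
    targets = {}
    for state in ET.fromstring(flow_xml).iter():
        if _local(state.tag) != "action-state":
            continue
        for child in state:
            if _local(child.tag) == "transition" and child.get("on") == "error":
                targets[state.get("id")] = child.get("to")
    return targets


def check_openid_flow(flow_xml):
    """Return (state, target) pairs where the OpenID error path skips the login
    form; falling through to ticketGrantingTicketExistsCheck lets a TGT held by
    a different principal satisfy the OpenID request, as reported in the thread."""
    return [(state_id, target)
            for state_id, target in error_transitions(flow_xml).items()
            if state_id == "openIdSingleSignOnAction" and target != "viewLoginForm"]


if __name__ == "__main__":
    for name, flow in (("wiki", WIKI_FLOW), ("fixed", FIXED_FLOW)):
        print(name, check_openid_flow(flow) or "ok")
```

Point it at a real login-webflow.xml by reading the file into a string and passing it to check_openid_flow; an empty result means the OpenID error path re-authenticates.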
On 21 Jan 2008, at 18:45, Scott Battaglia wrote:
I think you're right. It should throw an error if the principals
don't match and force you to log in again. Not sure how the
configuration got put into confluence wrong.
-Scott
On Jan 21, 2008 12:52 PM, Sewell K H (LCSS) <[EMAIL PROTECTED]> wrote:
Can't rely on me, sorry, I don't really know what I'm doing yet.
I found that if a user has already authenticated with CAS (say, via
mod_auth_cas), and then revisits the CAS server via an OpenID
relying party, the CAS server will verify any URL.
I guessed that this is because the Principals are different (so
"error" in the openIdSingleSignOnAction), and so
"ticketGrantingTicketExistsCheck", which will exist as a user has
already authenticated (?). I'm not familiar with webflow though, so
I don't know if the problem is further on down, e.g.,
"renewRequestCheck".
Anyway, eventually the user should probably re-authenticate
("viewLoginForm") if the Principals are different. Also, all the
other "error"s in login-webflow.xml are "viewLoginForm".
Cheers,
Kevin
On 21 Jan 2008, at 16:30, Scott Battaglia wrote:
You're definitely right about the incorrect
CredentialsToPrincipalResolver. I've updated our wiki about that.
I can't recall the other thing off the top of my head and I'm not
set up to test it right now. I'm guessing you have?
-Scott
On Jan 21, 2008 10:52 AM, Sewell K H (LCSS) <[EMAIL PROTECTED]> wrote:
Hi,
I've read and followed http://www.ja-sig.org/wiki/display/CASUM/OpenID.
I'm a bit of a noob, so could you confirm that this:
<action-state id="openIdSingleSignOnAction">
  <action bean="openIdSingleSignOnAction" />
  <transition on="success" to="sendTicketGrantingTicket" />
  <transition on="error" to="ticketGrantingTicketExistsCheck" />
  <transition on="warn" to="warn" />
</action-state>
is supposed to be, or is more properly:
<action-state id="openIdSingleSignOnAction">
  <action bean="openIdSingleSignOnAction" />
  <transition on="success" to="sendTicketGrantingTicket" />
  <transition on="error" to="viewLoginForm" />
  <transition on="warn" to="warn" />
</action-state>
and this:
<bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsAuthenticationHandler" />
is supposed to be:
<bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsToPrincipalResolver" />
Thanks,
Kevin
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia