Kevin,

Would you mind correcting this in Confluence?  If you create an account, you
should have the ability to edit that page.

Thanks!
-Scott

On Jan 23, 2008 8:20 AM, Sewell K H (LCSS) <[EMAIL PROTECTED]> wrote:

> For info, I'm now using this (until the config in confluence is
> corrected), which seems to work fine (and I'm still using the
> default OpenIdUserNameExtractor):
> <action-state id="initialFlowSetup">
>     <action bean="initialFlowSetupAction" />
>     <transition on="success" to="selectFirstAction" />
> </action-state>
>
> <decision-state id="selectFirstAction">
>     <if test="${externalContext.requestParameterMap['openid.trust_root'] != '' &amp;&amp; externalContext.requestParameterMap['openid.trust_root'] != null}"
>         then="openIdSingleSignOnAction"
>         else="ticketGrantingTicketExistsCheck" />
> </decision-state>
>
> <action-state id="openIdSingleSignOnAction">
>     <action bean="openIdSingleSignOnAction" />
>     <transition on="success" to="sendTicketGrantingTicket" />
>     <transition on="error" to="viewLoginForm" />
>     <transition on="warn" to="warn" />
> </action-state>
>
> Regards,
> Kevin
>
> On 21 Jan 2008, at 18:45, Scott Battaglia wrote:
>
> I think you're right.  It should throw an error if the principals don't
> match and force you to log in again.  Not sure how the configuration got put
> into confluence wrong.
>
> -Scott
>
> On Jan 21, 2008 12:52 PM, Sewell K H (LCSS) <[EMAIL PROTECTED]> wrote:
>
> > Can't rely on me, sorry, I don't really know what I'm doing yet.
> > I found that if a user has already authenticated with CAS (say, via
> > mod_auth_cas), and then revisits the CAS server via an OpenID relying party,
> > the CAS server will verify any URL.
> >
> > I guessed that this is because the Principals are different (so "error"
> > in the openIdSingleSignOnAction), and so "ticketGrantingTicketExistsCheck",
> > which will exist as a user has already authenticated (?). I'm not familiar
> > with webflow though, so I don't know if the problem is further on down,
> > e.g., "renewRequestCheck".
> >
> > Anyway, eventually the user should probably re-authenticate
> > ("viewLoginForm") if the Principals are different. Also, all the other
> > "error"s in login-webflow.xml are "viewLoginForm".
> >
> > Cheers,
> > Kevin
> >
> >
> > On 21 Jan 2008, at 16:30, Scott Battaglia wrote:
> >
> > You're definitely right about the incorrect
> > CredentialsToPrincipalResolver.  I've updated our wiki about that.  I can't
> > recall the other thing off the top of my head and I'm not set up to test it
> > right now. I'm guessing you have?
> >
> > -Scott
> >
> > On Jan 21, 2008 10:52 AM, Sewell K H (LCSS) <[EMAIL PROTECTED]> wrote:
> >
> > > Hi,
> > >
> > > I've read and followed http://www.ja-sig.org/wiki/display/CASUM/OpenID.
> > >
> > > I'm a bit of a noob, so could you confirm that this:
> > >
> > > <action-state id="openIdSingleSignOnAction">
> > >     <action bean="openIdSingleSignOnAction" />
> > >     <transition on="success" to="sendTicketGrantingTicket" />
> > >     <transition on="error" to="ticketGrantingTicketExistsCheck" />
> > >     <transition on="warn" to="warn" />
> > > </action-state>
> > >
> > > is supposed to be, or is more properly:
> > >
> > > <action-state id="openIdSingleSignOnAction">
> > >     <action bean="openIdSingleSignOnAction" />
> > >     <transition on="success" to="sendTicketGrantingTicket" />
> > >     <transition on="error" to="viewLoginForm" />
> > >     <transition on="warn" to="warn" />
> > > </action-state>
> > >
> > > and this:
> > >
> > > <bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsAuthenticationHandler" />
> > >
> > > is supposed to be:
> > >
> > > <bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsToPrincipalResolver" />
> > >
> > > Thanks,
> > > Kevin
> > >
> > > _______________________________________________
> > > Yale CAS mailing list
> > > [email protected]
> > > http://tp.its.yale.edu/mailman/listinfo/cas
> > >
> >
> >
> >
> > --
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> >
> >
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
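Added example, not part of the thread or of the CAS code base: a small Python check that lists every action-state in a login webflow whose on="error" transition goes somewhere other than viewLoginForm, which is the condition discussed above for openIdSingleSignOnAction. The function names and the <flow> wrapper around the quoted fragment are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

LOGIN_STATE = "viewLoginForm"  # the re-authentication state named in the thread


def local(tag):
    """Strip an XML namespace so namespaced and plain flow files both work."""
    return tag.rsplit("}", 1)[-1]


def error_transitions_bypassing_login(flow_xml, login_state=LOGIN_STATE):
    """Return (state id, target) for each on="error" transition that does
    not lead to login_state."""
    findings = []
    for state in ET.fromstring(flow_xml).iter():
        if local(state.tag) != "action-state":
            continue
        for child in state:
            if local(child.tag) == "transition" and child.get("on") == "error":
                if child.get("to") != login_state:
                    findings.append((state.get("id"), child.get("to")))
    return findings


# Constructed sample: the action-state as first quoted from the wiki,
# wrapped in a hypothetical <flow> root so it parses on its own.
WIKI_FLOW = """<flow>
  <action-state id="openIdSingleSignOnAction">
    <action bean="openIdSingleSignOnAction" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="ticketGrantingTicketExistsCheck" />
    <transition on="warn" to="warn" />
  </action-state>
</flow>"""

# The same state with the error transition sent to the login form,
# as in the corrected configuration posted in the thread.
CORRECTED_FLOW = WIKI_FLOW.replace(
    'on="error" to="ticketGrantingTicketExistsCheck"',
    'on="error" to="viewLoginForm"',
)

if __name__ == "__main__":
    for name, xml_text in (("wiki", WIKI_FLOW), ("corrected", CORRECTED_FLOW)):
        print(name, error_transitions_bypassing_login(xml_text))
```

Run against a deployed login-webflow.xml, an empty list means every error outcome forces the login form.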