Kevin,
Would you mind correcting this in Confluence? If you create an account, you
should have the ability to edit that page.
Thanks!
-Scott
On Jan 23, 2008 8:20 AM, Sewell K H (LCSS) <[EMAIL PROTECTED]> wrote:
> For info, I'm now using this (until the config in Confluence is
> corrected), which seems to work fine (and I'm still using the
> default OpenIdUserNameExtractor):
>
> <action-state id="initialFlowSetup">
>   <action bean="initialFlowSetupAction" />
>   <transition on="success" to="selectFirstAction" />
> </action-state>
>
> <decision-state id="selectFirstAction">
>   <if test="${externalContext.requestParameterMap['openid.trust_root'] != '' &amp;&amp; externalContext.requestParameterMap['openid.trust_root'] != null}"
>       then="openIdSingleSignOnAction"
>       else="ticketGrantingTicketExistsCheck" />
> </decision-state>
>
> <action-state id="openIdSingleSignOnAction">
>   <action bean="openIdSingleSignOnAction" />
>   <transition on="success" to="sendTicketGrantingTicket" />
>   <transition on="error" to="viewLoginForm" />
>   <transition on="warn" to="warn" />
> </action-state>
>
> Regards,
> Kevin
>
> On 21 Jan 2008, at 18:45, Scott Battaglia wrote:
>
> I think you're right. It should throw an error if the principals don't
> match and force you to log in again. Not sure how the configuration got put
> into Confluence wrong.
>
> -Scott
>
> On Jan 21, 2008 12:52 PM, Sewell K H (LCSS) <[EMAIL PROTECTED]> wrote:
>
> > Can't rely on me, sorry, I don't really know what I'm doing yet.
> > I found that if a user has already authenticated with CAS (say, via
> > mod_auth_cas), and then revisits the CAS server via an OpenID relying party,
> > the CAS server will verify any URL.
> >
> > I guessed that this is because the Principals are different (so "error"
> > in the openIdSingleSignOnAction), and so "ticketGrantingTicketExistsCheck",
> > which will exist as a user has already authenticated (?). I'm not familiar
> > with webflow though, so I don't know if the problem is further on down,
> > e.g., "renewRequestCheck".
> >
> > Anyway, eventually the user should probably re-authenticate
> > ("viewLoginForm") if the Principals are different. Also, all the other
> > "error"s in login-webflow.xml are "viewLoginForm".
> >
> > Cheers,
> > Kevin
> >
> >
> > On 21 Jan 2008, at 16:30, Scott Battaglia wrote:
> >
> > You're definitely right about the incorrect
> > CredentialsToPrincipalResolver. I've updated our wiki about that. I can't
> > recall the other thing off the top of my head and I'm not set up to test it
> > right now. I'm guessing you have?
> >
> > -Scott
> >
> > On Jan 21, 2008 10:52 AM, Sewell K H (LCSS) <[EMAIL PROTECTED]> wrote:
> >
> > > Hi,
> > >
> > > I've read and followed http://www.ja-sig.org/wiki/display/CASUM/OpenID.
> > >
> > > I'm a bit of a noob, so could you confirm that this:
> > >
> > > <action-state id="openIdSingleSignOnAction">
> > >   <action bean="openIdSingleSignOnAction" />
> > >   <transition on="success" to="sendTicketGrantingTicket" />
> > >   <transition on="error" to="ticketGrantingTicketExistsCheck" />
> > >   <transition on="warn" to="warn" />
> > > </action-state>
> > >
> > > is supposed to be, or is more properly:
> > >
> > > <action-state id="openIdSingleSignOnAction">
> > >   <action bean="openIdSingleSignOnAction" />
> > >   <transition on="success" to="sendTicketGrantingTicket" />
> > >   <transition on="error" to="viewLoginForm" />
> > >   <transition on="warn" to="warn" />
> > > </action-state>
> > >
> > > and this:
> > >
> > > <bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsAuthenticationHandler" />
> > >
> > > is supposed to be:
> > >
> > > <bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsToPrincipalResolver" />
> > >
> > > Thanks,
> > > Kevin
> > >
> > > _______________________________________________
> > > Yale CAS mailing list
> > > [email protected]
> > > http://tp.its.yale.edu/mailman/listinfo/cas
> > >
> >
> >
> >
> > --
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> >
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
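
An added example, not part of the original thread and not CAS project code: a Python check that reads a login-webflow.xml and reports when the error transition of openIdSingleSignOnAction does not lead to viewLoginForm, the correction agreed in the thread. The two sample flows are constructed from the fragments quoted above; the function names and the enclosing flow element are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the action-state as quoted from the wiki, wrapped in an
# assumed <flow> root, and the same flow with the correction from the thread.
WIKI_FLOW = """<flow xmlns="http://www.springframework.org/schema/webflow">
  <action-state id="openIdSingleSignOnAction">
    <action bean="openIdSingleSignOnAction" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="ticketGrantingTicketExistsCheck" />
    <transition on="warn" to="warn" />
  </action-state>
</flow>"""

FIXED_FLOW = WIKI_FLOW.replace(
    'on="error" to="ticketGrantingTicketExistsCheck"',
    'on="error" to="viewLoginForm"')


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def error_transitions(flow_xml):
    """Map each action-state id to the target of its on="error" transition."""
    result = {}
    for state in ET.fromstring(flow_xml).iter():
        if local(state.tag) != "action-state":
            continue
        for child in state:
            if local(child.tag) == "transition" and child.get("on") == "error":
                result[state.get("id")] = child.get("to")
    return result


def audit(flow_xml, state_id="openIdSingleSignOnAction", expected="viewLoginForm"):
    """Return findings; an empty list means the error path forces a new login."""
    targets = error_transitions(flow_xml)
    if state_id not in targets:
        return [f"{state_id}: state missing or has no on='error' transition"]
    if targets[state_id] != expected:
        return [f"{state_id}: error -> {targets[state_id]} (expected {expected})"]
    return []


if __name__ == "__main__":
    for name, flow in (("wiki", WIKI_FLOW), ("fixed", FIXED_FLOW)):
        print(name, audit(flow) or "ok")
```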