Hi, I am working on enabling OpenID for CAS.

Now, I can make CAS retrieve the OpenID request and pass the authentication, 
since CAS is working in dumb mode.
And I just construct the request by setting 
openid.mode="checkid_immediate"
openid.return_to="http://allenpc:3000/soid/back.jsp";
openid.identity="http://open.scut.edu/allen";

Then I just post the request by submitting a form with the POST method.

And CAS identified the OpenID and extracted the username "allen", and the 
login form for CAS is prompted.
After user allen logs in successfully, CAS returns the following request 
information:

openid.signed       identity,return_to
openid.assoc_handle       ST-2-IVG2I1oalBrRtTMLypNa-cas
openid.identity       http://open.scut.edu/allen
openid.return_to       http://allenpc:3000/soid/back.jsp
openid.mode       id_res
openid.sig       ER00UaIvP4CQGdbPsuyg0NZjfz0=

Then I use openid.mode=check_authentication to check that the response is valid.
Then I get the following:
openid.mode:id_res
is_valid:true


My question is that the method I used is not so secure for the OpenID relying 
party to trust the CAS authentication. Is there any way to make it safer? 
Something like CAS using SSL to send the TGC to the user?

What's more, the 
org.jasig.cas.support.openid.authentication.handler.support.OpenIdCredentialsAuthenticationHandler
 and 
org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsToPrincipalResolver
 seem never to work; only the SimpleTestUsernamePasswordAuthenticationHandler 
works for the login authentication. I followed the wiki instructions exactly to 
configure it, so I don't get why this happens.

Thank you in advance!

Allen Chen
2008-03-26
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
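An added example (my own code, not from this post or from the CAS project) of the dumb-mode exchange the message describes: the provider signs the id_res with a single-use MAC key, the relying party checks return_to locally and then asks the provider directly with check_authentication, and the provider consumes the handle after one answer so a replayed or tampered assertion does not re-verify. The in-process provider object stands in for the direct HTTPS request to the provider's known endpoint; handle and key values are constructed.

```python
import base64
import hashlib
import hmac
import secrets

# OpenID 1.1 key-value signing: base64(HMAC-SHA1(mac_key, "key:value\n" per signed field))
def sign(mac_key, fields, signed):
    data = "".join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in signed.split(","))
    return base64.b64encode(hmac.new(mac_key, data.encode(), hashlib.sha1).digest()).decode()

class StatelessProvider:
    """OpenID Provider in stateless ("dumb") mode: one single-use MAC key per assertion."""
    def __init__(self):
        self.pending = {}  # assoc_handle -> mac_key, removed on first check_authentication

    def positive_assertion(self, identity, return_to):
        handle = "ST-" + secrets.token_urlsafe(12)  # constructed handle, CAS-style prefix
        mac_key = secrets.token_bytes(20)
        self.pending[handle] = mac_key
        fields = {"openid.mode": "id_res", "openid.identity": identity,
                  "openid.return_to": return_to, "openid.assoc_handle": handle,
                  "openid.signed": "identity,return_to"}
        fields["openid.sig"] = sign(mac_key, fields, fields["openid.signed"])
        return fields

    def check_authentication(self, query):
        """Direct back-channel check; the handle is consumed so a replay cannot re-verify."""
        mac_key = self.pending.pop(query.get("openid.assoc_handle"), None)
        if mac_key is None or query.get("openid.mode") != "check_authentication":
            return {"is_valid": "false"}
        expected = sign(mac_key, query, query.get("openid.signed", ""))
        ok = hmac.compare_digest(expected, query.get("openid.sig", ""))
        return {"is_valid": "true" if ok else "false"}

def rp_verify(provider, response, expected_return_to):
    """Relying party: local checks first, then the direct check_authentication request
    (in a real deployment this is an HTTPS request to the provider's endpoint, not the browser)."""
    if response.get("openid.mode") != "id_res":
        return False
    if response.get("openid.return_to") != expected_return_to:
        return False
    if "return_to" not in response.get("openid.signed", "").split(","):
        return False
    query = dict(response, **{"openid.mode": "check_authentication"})
    return provider.check_authentication(query).get("is_valid") == "true"
```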
