--
You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
I don't think this is going to work.
> pgtUrl=https://192.168.1.242:8443/test.html
You'll need to identify 192.168.1.242 by a hostname that its SSL certificate authenticates, so that when CAS attempts to itself do an HTTPS GET request to that URL it is able to successfully validate the SSL certificate. Currently CAS isn't coping with the SSL handshake with that callback URL, such that the callback is failing. Since CAS failed to vend a pgtIou, pgtId pair to that URL, it doesn't include the PGTIOU in the /cas/serviceValidate response.
You can either use a hostname and an SSL cert that authenticates that hostname, or you can disable the HTTPS requirement and exercise the whole thing over HTTP (for demo purposes only, since not using HTTPS is terribly insecure, of course).
Kind regards,
Andrew
> You are currently subscribed to cas-...@lists.jasig.org as: ape...@unicon.net
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
> <cas.log>
You are currently subscribed to cas-...@lists.jasig.org as: nightsta...@gmail.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
We may want to consider adding HostnameVerifier hooks to the proxy
callback. While this particular use case isn't something we'd be
interested in supporting, I can imagine that there could be valid
needs for more flexible hostname verification techniques on SSL
connections. For example, wildcard certificates that apply to
subdomains is one that comes to mind. (JSSE by default only supports
wildcards in the same domain scope.)
M
Auninda,
This is a discussion of using the CAS software, rather than developing the CAS software. It would therefore be more appropriate to conduct this conversation on cas-user@, rather than on cas-dev@.
Your use case does not require proxy tickets.
Proxy tickets are applicable when an application needs to itself, on behalf of the end user, authenticate to a backing service. If Drupal needed to itself authenticate to Koha to go get some XML representing my library subscriber account, using this to inform a UI presented by Drupal, that would be a use case for Drupal to use Proxy CAS to authenticate to Koha.
Your use case requires only service tickets and applications appropriately configured to require/accept CAS service tickets.
If users are going to Koha from Drupal, then in Drupal try making your hyperlinks to Koha go through CAS login, as in
https://cas.example.com/login?service=https://koha.example.com/somepath
When users click these links, they're go to CAS, which will recognize their CAS SSO session, and send them on to Koha with a valid service ticket on the URL. So long as that Koha URL is configured to accept that CAS service ticket, ta da! Users experience single sign on in navigating from Drupal to Koha.
If users are going to Koha directly, then try making the URL they access require CAS login. If they already have a CAS SSO session, CAS will redirect them back immediately with a valid ticket. If not, they'll have to log in.
If having to log in is unacceptable (you'd like to instead display a no-authentication-required guest page in the case where they're not yet logged in), then try the CAS gateway feature.
Your use case does not require proxy tickets.
Kind regards,
Andrew
On Dec 20, 2011, at 8:36 AM, Auninda Rumy Saleque wrote:
> Thankx for the replies guys. yes, i do know the error is being caused for some certificate validation failure but i am not sure how to avoid it. well http is not an option for me coz i need the single sign on to work properly. at the moment cas is working fine with drupal and koha(a web based library management system). only trouble is, if someone logs inside drupal using cas, he/she needs to click the login button again inside koha for logging in there, though no user/pass is required in that stage. so to avoid such situation, i am trying to work out the proxy granting ticket option and i am stuck with this right now. i did try making a certificate based on my hostname and adding it to the truststore, but in that case, the log error message tells me that there is no valid certificate found for the path. still i will try it out again tomorrow. i am not sure if i am getting these errors cause of my local ip/host names though.
>
> Regards,
> Auninda
>
--
You are currently subscribed to cas...@lists.jasig.org as: nightsta...@gmail.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
> I don't think this is going to work.We may want to consider adding HostnameVerifier hooks to the proxy
>
>> pgtUrl=https://192.168.1.242:8443/test.html
>
> You'll need to identify 192.168.1.242 by a hostname that its SSL certificate authenticates, so that when CAS attempts to itself do an HTTPS GET request to that URL it is able to successfully validate the SSL certificate.
callback. While this particular use case isn't something we'd be
interested in supporting, I can imagine that there could be valid
needs for more flexible hostname verification techniques on SSL
connections. For example, wildcard certificates that apply to
subdomains is one that comes to mind. (JSSE by default only supports
wildcards in the same domain scope.)
M
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user