This repository has been archived by the owner on Oct 24, 2020. It is now read-only.

AuthenticationInstant from CAS to Shib #13

Open
mmoayyed opened this issue Sep 16, 2014 · 8 comments

Comments

@mmoayyed

Is it possible for the CAS Callback Servlet to pass the authentication instant from CAS back to Shib? With this integration, it appears that Shib would be forced to incorrectly note the instant because that value is calculated when the assertion is formed rather than taken from the CAS payload.

@chasegawa
Contributor

Looks like we just add LoginHandler.AUTHENTICATION_INSTANT_KEY to the request - do we want to set the assertion.getValidFromDate() ?

Also unsure what format Shib is expecting.

@chasegawa
Contributor

Not great code nor good documentation. It looks like https://github.com/sitya/java-idp/blob/master/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java is expecting a Joda DateTime object.

(You'd think if you are going to do this, you'd document that the key is expecting a specific type of object. They do not do that, neither do they CHECK when they try to cast the object, so if you stuck anything else but a DateTime object in, you should end up with an exception in Shib).

@mmoayyed
Author

Ouch.

Are we sure that class is accurate? I guess I am a little confused by the sitya reference.

At any rate, seems like we should new up a DateTime object. As for the call on assertion, that is even trickier. CAS does not return the authentication instant as part of its payload until CAS 4 where the protocol was revved. The client does not support parsing that yet. So perhaps, the first leg of this pull would be to make sure that support exists with the client.

@mmoayyed
Author

@chasegawa
Contributor

Good call - I wasn't paying any attention to the code link I posted above.
In fact, the code from SVN - http://svn.shibboleth.net/view/java-shib-idp2/trunk/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java?view=markup

From what I see there, the LoginContext holds the authentication instant and I don't have access to that - it looks like a Shib process is setting that. I don't actually see a way to tell Shib to use a specific time.

@mmoayyed
Author

Digging into this a bit more, it seems like you should obtain the LC and set the authn instant on it:

LoginContext loginContext = (LoginContext) httpSession.getAttribute(LoginContext.LOGIN_CONTEXT_KEY);

LC should also allow you to set the authn method as well.

@chasegawa
Contributor

Does the CAS client support finding out what version of CAS was used or how would we go about knowing?

How does CASC-217 relate?

@mmoayyed
Author

The validator class you use with the client indicates the protocol version; there are different validators for each version. Right now, the client does not have support for the most recent version of the protocol that returns attributes and the authn instant, so CAS-217 is the JIRA that proposes to have that added to the client.
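The two points raised in this thread (the engine casts LoginHandler.AUTHENTICATION_INSTANT_KEY to a Joda DateTime without checking, and only the CAS 4 / protocol v3 payload carries the instant at all) can be put together in one callback-side helper. The code below is an added illustration, not code from this repository, the Shibboleth IdP or the Jasig CAS client. It assumes that the validator in use exposes the server-supplied instant under the attribute name "authenticationDate" (the element name used by the CAS protocol v3 response; whether a given client version surfaces it is exactly what the CASC-217 discussion above is about), and the class and method names AuthnInstantExample, authenticationInstantFrom and handOffToShib are hypothetical.

```java
import java.io.IOException;
import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jasig.cas.client.validation.Assertion;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;

/** Illustrative helper (hypothetical class, not part of this repository). */
final class AuthnInstantExample {

    /**
     * Attribute under which a CAS 4 (protocol v3) response reports the login time.
     * Assumption: the validator copies it into Assertion.getAttributes() under this key.
     */
    static final String CAS_AUTHN_DATE_ATTRIBUTE = "authenticationDate";

    /**
     * Derive the value Shib expects for AUTHENTICATION_INSTANT_KEY. It must be a
     * org.joda.time.DateTime: AuthenticationEngine casts the attribute unchecked,
     * so a java.util.Date or a String would surface as a ClassCastException in the IdP.
     */
    static DateTime authenticationInstantFrom(Assertion assertion) {
        // Preferred source: the instant the CAS server itself reported (CAS 4 / protocol v3 only).
        Object reported = assertion.getAttributes().get(CAS_AUTHN_DATE_ATTRIBUTE);
        if (reported != null) {
            try {
                // DateTime(Object, DateTimeZone) accepts a Date or an ISO-8601 String.
                return new DateTime(reported, DateTimeZone.UTC);
            } catch (IllegalArgumentException e) {
                // Unparseable value from the server: fall through rather than fail the login.
            }
        }
        // Protocol v2 responses carry no login time. The assertion's valid-from date is
        // set by the client, not by CAS, so this is only an approximation, and so is "now".
        Date validFrom = assertion.getValidFromDate();
        return validFrom != null ? new DateTime(validFrom, DateTimeZone.UTC)
                                 : new DateTime(DateTimeZone.UTC);
    }

    /**
     * Final step of a CAS callback servlet: hand the validated assertion to the IdP.
     * Both attributes are read by AuthenticationEngine when control returns to it.
     */
    static void handOffToShib(HttpServletRequest request, HttpServletResponse response,
                              Assertion assertion) throws IOException, ServletException {
        request.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, assertion.getPrincipal().getName());
        request.setAttribute(LoginHandler.AUTHENTICATION_INSTANT_KEY,
                             authenticationInstantFrom(assertion));
        AuthenticationEngine.returnToAuthenticationEngine(request, response);
    }
}
```

The instant only deserves to be trusted because the assertion was obtained by the servlet validating the ticket against the CAS server over the back channel; nothing here reads a time supplied by the browser. Which branch is taken depends on the validator class wired into the client, since, as noted above, the validator determines the protocol version and therefore whether "authenticationDate" is present in the payload at all.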
