This repository has been archived by the owner on Oct 24, 2020. It is now read-only.

CasLoginHandler: honor authenticationMethod? #2

Open
mmoayyed opened this issue Mar 26, 2014 · 3 comments

@mmoayyed

Does the CAS login handler honor the authentication method specified in the config? What is the method used?

Seems like PasswordProtected is being passed to the SP, while unspecified is used by the handler somehow?

@chasegawa
Contributor

We probably need to get feedback from someone more Shib savvy here. All the documentation I could find on building a custom handler for Shib to CAS said to create the Login handler with urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified in the (required) AuthenticationMethod block. This means that the IDP can respond with whatever form it likes. We might need to expand the handler.xml example to include the other supported - external, password protected, previous session, etc. I'm not sure of the impact or correctness here, so I'll post this to the Unicon IAM list and see what turns up.

@mmoayyed
Author

@chasegawa were you ever able to post this message out to the list? I can't recall the context.

At any rate, I think we should honor whatever method is configured in the handler.xml. By default, it may be urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified, but if needed, the handler should be able to take a look at what's configured and use that method.

@chasegawa
Contributor

I'm trying to get further clarification - it seems as though that metadata is used by Shib to determine what LoginHandler(s) to use when asked to authenticate. If that is the case, then this is just a documentation issue - we want to update the documentation so that configuration of the LoginHandler shows everything that this supports with CAS.
