does this make sense as an administrative tool in CAS4?

Can you elaborate on the purpose and function of the administrative screens?  I was looking at the CAS4 wiki pages ( http://www.ja-sig.org/wiki/display/CAS4UM/ ) and didn’t notice any documentation talking about them.

Are they for A) Viewing state of currently running CAS instance, B) Changing runtime settings of live CAS instance, C) Changing startup settings of CAS instance, D) All of the above?

Thanks,
A-

On 6/26/09 1:36 PM, "Scott Battaglia" <scott.battaglia@...> wrote:

I'm working on some of the pieces required to support SAML2 in CAS4, including the generation of the appropriate IdP Meta Data automatically etc.

One of the optional components of the IdP meta data is Organizational information.  Does anyone feel like they would actually publish that?  If not we could leave it out of the auto-generated piece and it would mean less admin UI.  Those who want it can manually construct their IdP meta data.

Also, do we want a command line tool for creating the Public/Private Key pairs?  Doing it from some form of administrative screen means we'd most likely have a database requirement for that information.

Thoughts?

--
Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400

-- 
You are currently subscribed to [hidden email] as: [hidden email]


To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev

> One of the optional components of the IdP meta data is Organizational
> information.  Does anyone feel like they would actually publish that?

We don't publish any of that for our Shib/InCommon participation, and
wouldn't likely for CAS either.  From my experience, metadata
administration is a pain, so anything that can be done to facilitate
it would be helpful.  That said, requiring more work for optional
fields sounds fair.

M

--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev

> do we want a command line tool for creating the Public/Private Key
> pairs?

Unless you wanted a pure Java solution to that need, there are already
good tools for that on major platforms; OpenSSL for *nix and the
certificate management MMC console on Windows.  We developed a CLI
tool for an open source Java crypto library we wrote, but that was
more for completeness than anything else.
(http://code.google.com/p/vt-middleware/wiki/vtcrypt#enc_-_Symmetric_Encryption_Operations).

If you wanted to make keypair generation painfully simple, I think the
only way you could top the platform-specific tools would be to provide
a tool in the CAS admin UI.  I would recommend omitting it and adding
it only in response to feature requests for simplified keypair
management.

M

--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev

> Assuming then that we use a standard convention for the URL endpoints
> for the various profiles, that leave's the following to be configured:
> * Entity ID

InCommon just released the following notice about EntityID,
https://spaces.internet2.edu/display/InCCollaborate/IdP+entityID+Shift+to+URLs+--+FAQ,
where they recommended basing it on IDP URL.  In the case of CAS, this
could reasonably be the CAS root URL, e.g.
https://www.example.com/cas, which I would imagine you could derive
from other configuration data.

M

--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev

I understand the scope of your question, but I was trying to go on a tangent about administrative screens and the need for a database as a whole.

 As there is no wiki documentation about what types of administration screens are being considered for CAS4, I thought it would be a good time to bring it up and explore them as that conversation might answer how to deal with your specific question.

I would be interested in hearing more about the topic if you have time to digress on the subject. =)

On 6/27/09 9:32 PM, "Scott Battaglia" <scott.battaglia@...> wrote:

The only thing I'm asking about is whether we need an administrative interface to store the data that's optional for SAML meta data, such as organization and stuff.  If people aren't really going to bother putting in that data then I won't make an interface for it.

I already have a tool to automatically generate the required meta data, it was just if I needed something to allow someone to enter the optional stuff.


On Fri, Jun 26, 2009 at 4:21 PM, Andrew Feller <afelle1@...> wrote:

Can you elaborate on the purpose and function of the administrative screens?  I was looking at the CAS4 wiki pages ( http://www.ja-sig.org/wiki/display/CAS4UM/ ) and didn’t notice any documentation talking about them.

Are they for A) Viewing state of currently running CAS instance, B) Changing runtime settings of live CAS instance, C) Changing startup settings of CAS instance, D) All of the above?

Thanks,
A-

On 6/26/09 1:36 PM, "Scott Battaglia" <scott.battaglia@... <http://scott.battaglia@...> > wrote:

I'm working on some of the pieces required to support SAML2 in CAS4, including the generation of the appropriate IdP Meta Data automatically etc.

One of the optional components of the IdP meta data is Organizational information.  Does anyone feel like they would actually publish that?  If not we could leave it out of the auto-generated piece and it would mean less admin UI.  Those who want it can manually construct their IdP meta data.

Also, do we want a command line tool for creating the Public/Private Key pairs?  Doing it from some form of administrative screen means we'd most likely have a database requirement for that information.

Thoughts?

--
Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400

-- 
You are currently subscribed to [hidden email] as: [hidden email]


To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev

Howdy folks,

In researching for our upgrade to CAS 3.x I'm looking to put some backwards
compatibility into our implementation for some custom modifications made in
our CAS2.x implementation.

For a few particular applications, we added an optional parameter into
serviceValidate and proxyValidate that allowed for the return of the
expiration time of the cas credentials. This modification was somewhat
involved and required a large amount of class modification.

For our CAS3.x rollout, we'd like to stay away from major modifications such
as this, but I wanted to bounce the idea off the list to see if there was
any straightforward methods to do something similar. Peeking into the code,
and being only mildly familiar with Spring, I'm not seeing this as of yet.
It's looking like a large amount of class modification. Not implementing
this mod will push back our upgrade till some other systems are dealt with,
which is not the issue, but I would like to see what the dev list has to say
about this type of modification, or if anyone has implemented something
similar.

Thanks much,
--
Raymond Walker
Software Systems Engineer Sr.
ITS Northern Arizona University
[hidden email]
Phone 928-523-0334



--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev

Scott,

Apologies, I was unclear with this. Essentially our modification found the
expiration of the beginning of the ticket chain.

On 7/6/09 8:26 AM, "Scott Battaglia" <[hidden email]> wrote:

> Can you clarify what you mean by "CAS credentials" because in your title you
> talk about returning ticket expiration time (TGT, ST, PT, etc?)
>
>
> On Mon, Jul 6, 2009 at 11:20 AM, Raymond D Walker <[hidden email]> wrote:
>> Howdy folks,
>>
>> In researching for our upgrade to CAS 3.x I'm looking to put some backwards
>> compatibility into our implementation for some custom modifications made in
>> our CAS2.x implementation.
>>
>> For a few particular applications, we added an optional parameter into
>> serviceValidate and proxyValidate that allowed for the return of the
>> expiration time of the cas credentials. This modification was somewhat
>> involved and required a large amount of class modification.
>>
>> For our CAS3.x rollout, we'd like to stay away from major modifications such
>> as this, but I wanted to bounce the idea off the list to see if there was
>> any straightforward methods to do something similar. Peeking into the code,
>> and being only mildly familiar with Spring, I'm not seeing this as of yet.
>> It's looking like a large amount of class modification. Not implementing
>> this mod will push back our upgrade till some other systems are dealt with,
>> which is not the issue, but I would like to see what the dev list has to say
>> about this type of modification, or if anyone has implemented something
>> similar.
>>
>> Thanks much,
>> --
>> Raymond Walker
>> Software Systems Engineer Sr.
>> ITS Northern Arizona University
>> [hidden email]
>> Phone 928-523-0334
>>
>>
>>
>> --
>> You are currently subscribed to [hidden email] as:
>> [hidden email]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-dev
>>

--

You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev

Scott,

In reviewing this, I do not believe we can get a valid expiration time
for the user's authentication via the suggested method. I also believe
the title might now be considered misleading as we're looking for a
user's credential expiration time, not necessarily a ticket expiration
time.

In our setup we are using the default ticket expiration policy (2hr).

In modifying the casServiceValidation.jsp to extract the Dates from
the Authentication list, also have exposed the "root" which contains
the initial Authentication time for the user. This time seems to never
change.

For example:

3:00pm
cas/login?service=serviceA

On validation, this gives us an Authentication List with the root
authentication time of 3:00pm. The idea is to do math on this time
(user valid till 5pm,) which makes sense.

4:00pm
cas/login?service=serviceB

On validation, this gives us an Authentication List with the root
authentication time of 3:00pm (with no other nodes.) We would not be
able to correctly do math on this time, since they're valid till
6:00pm and are able to login to new and existing services without re-
authenticaiton until 6:00pm.

In reviewing the other ticket expiration policies, I do not see a
policy which would modify this time. I'm curious if we're just looking
in the wrong direction to acquire a user's expiration time. Any ideas?

Raymond Walker
Software Systems Engineer Sr.
ITS Northern Arizona University

On Jul 7, 2009, at 7:26 PM, Scott Battaglia wrote:

> Raymond,
>
> To our JSP that generates the CAS response, we expose an Assertion
> object:
> https://www.ja-sig.org/svn/cas3/trunk/cas-server-core/src/main/java/org/jasig/cas/validation/Assertion.java
>
> While it doesn't have the expiration times explicitly, it does have
> the authentication objects which contain the time when they were
> created:
> https://www.ja-sig.org/svn/cas3/trunk/cas-server-core/src/main/java/org/jasig/cas/authentication/Authentication.java
>
> which could allow you to construct your expiration time.
>
> The only thing you'd modify is the JSP page.
>
> Cheers,
> Scott
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
> On Mon, Jul 6, 2009 at 11:35 AM, Raymond D Walker
> <[hidden email]> wrote:
> Scott,
>
> Apologies, I was unclear with this. Essentially our modification
> found the
> expiration of the beginning of the ticket chain.
>
>
> On 7/6/09 8:26 AM, "Scott Battaglia" <[hidden email]>
> wrote:
>
> > Can you clarify what you mean by "CAS credentials" because in your
> title you
> > talk about returning ticket expiration time (TGT, ST, PT, etc?)
> >
> >
> > On Mon, Jul 6, 2009 at 11:20 AM, Raymond D Walker <[hidden email]
> > wrote:
> >> Howdy folks,
> >>
> >> In researching for our upgrade to CAS 3.x I'm looking to put some
> backwards
> >> compatibility into our implementation for some custom
> modifications made in
> >> our CAS2.x implementation.
> >>
> >> For a few particular applications, we added an optional parameter
> into
> >> serviceValidate and proxyValidate that allowed for the return of
> the
> >> expiration time of the cas credentials. This modification was
> somewhat
> >> involved and required a large amount of class modification.
> >>
> >> For our CAS3.x rollout, we'd like to stay away from major
> modifications such
> >> as this, but I wanted to bounce the idea off the list to see if
> there was
> >> any straightforward methods to do something similar. Peeking into
> the code,
> >> and being only mildly familiar with Spring, I'm not seeing this
> as of yet.
> >> It's looking like a large amount of class modification. Not
> implementing
> >> this mod will push back our upgrade till some other systems are
> dealt with,
> >> which is not the issue, but I would like to see what the dev list
> has to say
> >> about this type of modification, or if anyone has implemented
> something
> >> similar.
> >>
> >> Thanks much,
> >> --
> >> Raymond Walker
> >> Software Systems Engineer Sr.
> >> ITS Northern Arizona University
> >> [hidden email]
> >> Phone 928-523-0334
> >>
> >>
> >>
> >> --
> >> You are currently subscribed to [hidden email] as:
> >> [hidden email]
> >> To unsubscribe, change settings or access archives, see
> >> http://www.ja-sig.org/wiki/display/JSG/cas-dev
> >>
>
>
> --
> You are currently subscribed to [hidden email] as: [hidden email]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
>
>

> --
> You are currently subscribed to [hidden email] as: [hidden email]

> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev


--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev