...
Login:
    what authn is okay?
    gateway? renew? remote user? auth types (cert, kerb, etc.)?
    "service"

Validate: "opt into SAML"
    /samlValidate
    POST
    SAML Request:
        ticket
        what attributes are desired?
        [access control] rule
    SAML Response:
        netid, renew, "service",
        how, attribs, perms (boolean) [access control rule satisfied?],
        PGT
Attributes on the requests in the CAS protocol

Note: Login includes advisory attributes that help CAS present its end-user experience. These attributes must not have security implications, because they are susceptible to end-user manipulation (they are passed through a redirect on the user's web browser).

Note: Validate includes attributes.
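The trust boundary the two notes draw, as an added example that is not from the page: a CAS client builds its session from the /samlValidate response and takes only display hints from the login-redirect parameters, even when the browser-supplied query claims a privilege. The query string, the response (constructed to look like the SAML 1.1 reply /samlValidate returns) and the attribute name isAdmin are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed sample of the query string the browser delivers to the service after
# the CAS login redirect. The user could have edited any of it (note isAdmin=true).
LOGIN_REDIRECT_QUERY = "ticket=ST-1-abc&renew=true&isAdmin=true&locale=fr"

# Constructed sample shaped like the SAML 1.1 response /samlValidate returns; the
# attribute name isAdmin is an assumption. It arrives server-to-server, never via the browser.
VALIDATE_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"><Status><StatusCode Value="samlp:Success"/></Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"><AttributeStatement>
<Subject><NameIdentifier>jdoe</NameIdentifier></Subject>
<Attribute AttributeName="isAdmin"><AttributeValue>false</AttributeValue></Attribute>
</AttributeStatement></Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

def _local(tag):
    """Strip the XML namespace: '{urn:...}Attribute' -> 'Attribute'."""
    return tag.rsplit("}", 1)[-1]

def parse_validate_response(xml_text):
    """Return (netid, {attribute: value}) on success, or None if validation failed."""
    root = ET.fromstring(xml_text)
    status = next((e for e in root.iter() if _local(e.tag) == "StatusCode"), None)
    if status is None or not status.get("Value", "").endswith("Success"):
        return None
    ident = next((e for e in root.iter() if _local(e.tag) == "NameIdentifier"), None)
    if ident is None or not ident.text:
        return None
    attrs = {}
    for a in root.iter():
        if _local(a.tag) == "Attribute":
            vals = [v.text for v in a if _local(v.tag) == "AttributeValue"]
            attrs[a.get("AttributeName")] = vals[0] if len(vals) == 1 else vals
    return ident.text, attrs

def build_session(login_query, validate_xml):
    """Build the service session: identity and permissions come only from the
    validated assertion; the redirect parameters contribute display hints alone."""
    result = parse_validate_response(validate_xml)
    if result is None:
        return None  # bad or replayed ticket: no session, whatever the redirect claimed
    netid, attrs = result
    hints = parse_qs(login_query)
    return {
        "user": netid,
        "is_admin": attrs.get("isAdmin") == "true",  # from the assertion, never the URL
        "locale": hints.get("locale", ["en"])[0],    # advisory: safe to take from the URL
    }
```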
The discussion then turned to a local "strong" PKI database. For a PKI to be secure and useful, certificates must be issued by a trusted source that actually verifies recipients and does not hand out certificates carelessly.