Tip: ClearPass is becoming a more standardized, packaged CAS extension, now with an entry in the CAS user manual.
Purpose
To enable single sign-on into some legacy applications, it may be necessary to provide them with the actual cleartext password. While such an approach inevitably increases security risk, a number of institutions have found it to be a "necessary evil". This page describes a solution by Unicon for Sacramento State.
...
A service may obtain cleartext credentials for an authenticated user by presenting a valid proxy ticket obtained specifically for the CAS cleartext extension service end-point (ClearPass). The specific sequence of calls is shown in a diagram below:
Until the last two steps, only standard CAS protocols are involved. The last two steps are a request/response interaction between uPortal and a newly introduced CAS ClearPass service to obtain the cleartext credentials. The request follows the same syntax as a standard CAS proxy ticket validation request (typically configured under the /proxyValidate path), except that the service endpoint is different (/clearPass in the default configuration). Upon receiving the request, ClearPassController ensures that the following validation criteria are met:
...
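The request shape described above, as an added example that is not part of the reference implementation: a client-side helper that builds the /clearPass request with the same syntax as /proxyValidate, refuses non-HTTPS endpoints because the response carries a cleartext password, and masks the ticket before the URL is logged. The `service` and `ticket` parameter names are those of standard CAS proxy ticket validation; the host name, function names and sample ticket are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CLEARPASS_PATH = "/clearPass"            # default ClearPass path named on this page
PROXY_VALIDATE_PATH = "/proxyValidate"   # typical proxy ticket validation path


def build_ticket_request(cas_base, path, service, ticket):
    """Build a validation-style GET URL: <cas_base><path>?service=...&ticket=..."""
    base = urlsplit(cas_base)
    # The ClearPass response contains the user's password, so the request
    # must never leave over plain HTTP.
    if base.scheme != "https" or not base.netloc:
        raise ValueError("CAS base URL must be an absolute https:// URL")
    if not service or not ticket or any(c.isspace() for c in ticket):
        raise ValueError("service and ticket are required; ticket has no whitespace")
    # urlencode percent-encodes the service URL so it cannot inject parameters.
    query = urlencode({"service": service, "ticket": ticket})
    full_path = base.path.rstrip("/") + path
    return urlunsplit((base.scheme, base.netloc, full_path, query, ""))


def redact_ticket(url):
    """Return the URL with the ticket value masked, safe to write to a log."""
    parts = urlsplit(url)
    pairs = [(k, "[redacted]" if k == "ticket" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    # Constructed sample values (hypothetical host and ticket).
    cas = "https://cas.example.edu/cas"
    svc = cas + CLEARPASS_PATH   # the proxy ticket is obtained for ClearPass itself
    pt = "TICKET-1-constructedSampleValue"
    url = build_ticket_request(cas, CLEARPASS_PATH, svc, pt)
    print("log line:", redact_ticket(url))
```

Only the path differs between the two requests, so access controls and log handling that already cover /proxyValidate need to be extended to /clearPass explicitly.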
Implementation
The code is available in the JA-SIG Jasig SVN repository. The reference implementation also includes the modifications to the uPortal CAS client that are necessary to take advantage of the new feature.
...
Installation and required configuration changes
CAS extensions
Tip: CAS extensions are packaged as a maven2 patch on top of CAS 3.2.1.
...