| Tip | ||
|---|---|---|
| ||
ClearPass is becoming a more standardized, packaged CAS extension, now with an entry in the CAS user manual. |
Purpose
To enable single sign-on into some legacy application it may be necessary to provide them with the actual cleartext password. While such approach inevitably increases security risk, a number of institutions found it to be a "necessary evil". This page describes a solution by Unicon for Sacramento State.
...
A service may obtain cleartext credentials for an authenticated user by presenting a valid proxy ticket obtained specifically for the CAS cleartext extension service end-point (ClearPass). The specific sequence of calls is shown in a diagram below:
Until the last two steps, only standard CAS protocols are involved. The two steps involve request/response interaction between uPortal and a newly introduced CAS ClearPass service to obtain the cleartext credentials. The request follows the same syntax as standard CAS proxy ticket validation request (typically configured under /proxyValidate path), except that the service endpoint is different (/clearPass in default configuration). Upon receiving the request, ClearPassController ensures that the following validation criteria are met:
...
The code is available in the JA-SIG Jasig SVN repository. The reference implementation also includes modifications to uPortal CAS client necessary to take advantage of the new feature.
...
Installation and required configuration changes
CAS extensions
| Tip | ||
|---|---|---|
| ||
CAS extensions are packaged as a maven2 patch on top of CAS 3.2.1.
...