> It seems their DNS does not resolve correctly
> at the VPN, so consequently they cannot establish HTTPS connectivity to my
> CAS server due to the FQDN differences.

The best way to handle this is by hooking the HostnameVerifier used to
establish the SSL connection and provide a custom implementation that
works in your environment.  You'd need to do some Java development to
accommodate this situation, but it should be straightforward.

> Can I configure CAS to allow
> this callback to execute over HTTP? I see in the
> HttpBasedServiceCredentialsAuthenticationHandler the 'requiredSecure' field
> defaulting to 'true'. If I wire this to 'false' would that allow HTTP
> communications with CAS?

Yes, though the assurance of the identity of the proxying endpoint is
based on relatively weak DNS information instead of the PKI trust
validation mechanism you get with SSL.  (There are lots of ways to
render PKI validation meaningless, but when implemented properly it is
fundamentally more secure than even DNSSEC and DNS in particular.)
You should carefully consider the security requirements of your SSO
environment before you proceed with this strategy.

M

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev
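The HostnameVerifier approach from the reply above, as an added Java example (not code from this thread, from CAS, or from its author): a configured alias for the CAS server is accepted only when the presented certificate's SAN still carries the real FQDN, so the PKI check is kept and only the DNS-name mismatch is bridged. `AliasHostnameVerifier`, the alias map and the `HttpsURLConnection` hook are assumptions about how the callback is made.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Split-DNS verifier: a listed alias (the name the VPN side resolves) is accepted only if the peer
// cert's dNSName SAN carries the real FQDN; the trust manager's chain check and unlisted hosts are untouched.
public final class AliasHostnameVerifier implements HostnameVerifier {
    private static final int DNS_NAME = 2;              // GeneralName type tag for dNSName
    private final Map<String, String> aliasToCertName;  // hypothetical mapping, set by the deployer
    private final HostnameVerifier fallback;
    public AliasHostnameVerifier(Map<String, String> aliasToCertName, HostnameVerifier fallback) {
        this.aliasToCertName = new HashMap<>(aliasToCertName);
        this.fallback = fallback;
    }
    @Override
    public boolean verify(String hostname, SSLSession session) {
        String expected = aliasToCertName.get(hostname.toLowerCase());
        if (expected == null) {
            return fallback.verify(hostname, session);  // not an alias: ordinary rules apply
        }
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) return false;
            return dnsNames((X509Certificate) chain[0]).contains(expected.toLowerCase());
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false;                               // no verified peer identity: refuse
        }
    }
    // Exact dNSName SAN entries only; wildcards are deliberately not matched here.
    private static Set<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        Set<String> names = new HashSet<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (DNS_NAME == (Integer) san.get(0)) names.add(((String) san.get(1)).toLowerCase());
            }
        }
        return names;
    }
    // Hook it in ahead of the JDK default (assumes the callback goes through HttpsURLConnection).
    public static void install(Map<String, String> aliases) {
        HttpsURLConnection.setDefaultHostnameVerifier(
                new AliasHostnameVerifier(aliases, HttpsURLConnection.getDefaultHostnameVerifier()));
    }
}
```

Call `install(...)` with the alias map before the first callback; every host not in the map still gets the JDK's normal name verification, so the relaxation is confined to the names the deployer listed.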