> I did some debugging here:
> https://github.com/Jasig/cas/blob/master/cas-server-core/src/main/java/org/jasig/cas/CentralAuthenticationServiceImpl.java#L451
> At that point, the modifiedPrincipal is good (anonymous identifier and no
> attributes) but the first principal of the chained authentications is with a
> real identifier and all attributes.
We probably need both a canonical principal name, which could simply be that
resolved by the PrincipalResolver, and the set of authentications as seen by
clients. I believe the intent is for chained authentications to reflect the
latter, but I'm uncertain we have a slot for the former.

> Is this the expected behaviour? To keep the "real" principal in the chained
> authentications of the TGT?

I don't think so. We should record the view of data sent to the clients in the
chained authentications.

> Shouldn't we use the primary authentication here?

We should use whatever provides the data that would be expected by the service
manager, namely anonymized principal and no attributes. That should have been
computed and stored upstream, no?

M
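The two "slots" discussed above, as an added illustration that is not CAS code and does not use the CAS API: the ticket keeps the canonical principal identifier resolved at login, while each entry in the chained authentications records only the view the service was given (a per-service pseudonymous identifier and the released attributes, none in the anonymous case). The class and function names, the `ServicePolicy` shape, the HMAC-based pseudonym and the sample principal are all assumptions made for this example; the real project derives anonymous identifiers by its own mechanism.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed secret for the example; a real deployment loads this from configuration.
PSEUDONYM_SALT = b"example-salt-not-for-production"


@dataclass(frozen=True)
class Principal:
    id: str
    attributes: dict = field(default_factory=dict)


@dataclass
class Authentication:
    principal: Principal
    method: str  # authentication metadata (e.g. "LDAP"), not principal attributes


@dataclass
class TicketGrantingTicket:
    # Slot 1: the "real" identity as resolved by the principal resolver.
    canonical_principal_id: str
    # Slot 2: the authentications exactly as clients saw them.
    chained_authentications: list = field(default_factory=list)


@dataclass(frozen=True)
class ServicePolicy:
    service_id: str
    anonymous: bool                          # release an opaque per-service identifier
    released_attributes: frozenset = frozenset()


def pseudonymous_id(principal_id: str, service_id: str) -> str:
    """Opaque identifier: stable for one (principal, service) pair, different across services."""
    msg = f"{principal_id}!{service_id}".encode()
    return hmac.new(PSEUDONYM_SALT, msg, hashlib.sha256).hexdigest()


def client_view(principal: Principal, policy: ServicePolicy) -> Principal:
    """The principal as the service is allowed to see it: filtered attributes, optionally an opaque id."""
    released = {k: v for k, v in principal.attributes.items()
                if k in policy.released_attributes}
    if policy.anonymous:
        return Principal(pseudonymous_id(principal.id, policy.service_id), released)
    return Principal(principal.id, released)


def record_authentication(tgt: Optional[TicketGrantingTicket],
                          auth: Authentication,
                          policy: ServicePolicy) -> TicketGrantingTicket:
    """Store the canonical id once and append only the client-facing view to the chain."""
    view = Authentication(client_view(auth.principal, policy), auth.method)
    if tgt is None:
        tgt = TicketGrantingTicket(canonical_principal_id=auth.principal.id)
    tgt.chained_authentications.append(view)
    return tgt


def demo() -> TicketGrantingTicket:
    # Constructed sample: a resolved principal with attributes, sent to an anonymous service.
    resolved = Principal("casuser", {"mail": "casuser@example.org", "role": "staff"})
    auth = Authentication(resolved, "LDAP")
    anon_policy = ServicePolicy("https://app-a.example.org", anonymous=True)
    return record_authentication(None, auth, anon_policy)


if __name__ == "__main__":
    t = demo()
    print("canonical:", t.canonical_principal_id)
    print("client view:", t.chained_authentications[0].principal)
```

The chain never holds the real identifier or the unreleased attributes, so anything that later reads the chained authentications (proxy tickets, validation responses, audit of what a client received) sees the same data the client did, while the canonical name stays available in its own field for the service manager and for logging.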
