Hi, I just created CAS-1366. It might be too early to go further on this topic, but my thinking was that user authentications and proxy authentications were completely decoupled. Whenever happens the proxy authentication, I was considering that the PGT is equivalent to the CASTGC (it represents the authenticated user) and therefore any interaction regarding proxies would occur considering all user authentications ever happened. I might be wrong on this assertion though, but it helps to have an easy model for authentications. Best regards, Jérôme
2013/10/7 Marvin S. Addison <[email protected]> > An easy fix would be no to returned /supplementalAuthentications/ with >> /chainedAuthentications/ just to keep the use of these >> /supplementalAuthentications/ where it needs to be : with supplemental >> credentials [1] and to check if the policy is satisfied [2]. >> > > That sounds reasonable. > > Are we in line ? So I can open a JIRA and propose the change. >> > > Please proceed. I will carefully review any commits related to the issue > to make sure we fix the bug as well as support the MFA case I outlined. > > Thus, I'm wondering if the right split for a future version would be to >> have /userAuthentications/ on one side (the first authentication of the >> current /chainedAuthentications/ and all /supplementalAuthentications/) >> and /proxyAuthentications/ on the other side (the other authentications >> of the /chainedAuthentications/). What do you think ? >> > > I think my head just exploded. I think that sounds reasonable, but you > might need to draw it out so we're communicating clearly. I believe your > proposal would support proxying for both the initial authentication as well > as supplemental authentications, which seems like an extremely complicated > use case. I certainly didn't have that case in mind for CAS 4.0, but it may > be one that we want to support. > > Pax, > M > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/**display/JSG/cas-dev<http://www.ja-sig.org/wiki/display/JSG/cas-dev> > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
