CAS 5.3.x [SAML] + [Attribute Consent] seems not working + my workaround

Andy Ng

Nov 19, 2018, 3:51:21 AM
to CAS Community
Hi all,

I have been testing [SAML] + [Attribute Consent] behavior, and I found that it works on CAS 5.2.x but does not work on CAS 5.3.x by default.

CAS 5.2.x Behavior:
1. Initialized Login with SAML
2. Login
3. Show attribute consent page
4. Click confirm (With consent set to Attribute Name and save for 30 seconds)
5. Continue with SAML flow
6. Login Success

CAS 5.3.x Behavior:
1. Initialized Login with SAML
2. Login
3. Show attribute consent page
4. Click confirm (With consent set to Attribute Name and save for 30 seconds)
5. Failed to continue the SAML flow; it will instead go to the service with a ticket param (e.g. if the service is https://www.example.com/saml, it has returned https://www.example.com/saml?ticket=ST-ASDASDASD)
6. Reinitialized login with SAML / Refresh the page
7. Login Success

A workaround I found that will make CAS 5.3.x also work:
I currently need to do the following to make it work.
- There is a POST form in casConsentView.html; normally, pressing the submit button will submit the form.
- Instead of a form submit, I changed it to an async POST using JavaScript
- Then, I follow up with a page refresh, so now it is like reinitializing the SAML flow
- Hence the redirect after consent will be executed


My CAS is filled with other legacy customizations so I reckon it might be my only problem, but if anybody else has also faced this problem and / or knows how to fix this,
then it would be wonderful, thanks!

Cheers!
- Andy
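
The workaround described in the post above (async POST of the consent form, then a page refresh), sketched as an added example that is not part of the original post and is not CAS project code. The form id `consentForm` and the helper names are hypothetical; the form fields are serialized generically, so no CAS field names are assumed.

```javascript
// Added example. Browser-side replacement for the plain form submit in
// casConsentView.html. The form id "consentForm" is hypothetical.

// Serialize every field the server rendered (hidden webflow fields included),
// so the async POST carries the same body a normal submit would.
function buildConsentRequest(action, entries) {
  const body = new URLSearchParams();
  for (const [name, value] of entries) body.append(name, String(value));
  return {
    url: action,
    init: {
      method: "POST",
      credentials: "same-origin", // send the CAS session cookies
      redirect: "manual",         // do not follow the redirect to ...?ticket=ST-...
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// POST the consent decision, then reload so the SAML flow is re-initialized.
// Returns true if the reload was triggered, false if the POST was rejected.
async function submitConsentThenReload(action, entries, doFetch, reload) {
  const { url, init } = buildConsentRequest(action, entries);
  const res = await doFetch(url, init);
  // With redirect: "manual" a redirect answer shows up as type "opaqueredirect".
  const accepted = res.type === "opaqueredirect" || res.ok;
  if (accepted) reload();
  return accepted;
}

// Wire-up only when running in a page.
if (typeof document !== "undefined") {
  const form = document.getElementById("consentForm"); // hypothetical id
  if (form) {
    form.addEventListener("submit", (event) => {
      event.preventDefault();
      // Note: FormData(form) omits the clicked button's own name/value.
      submitConsentThenReload(form.action, new FormData(form).entries(),
        (u, i) => fetch(u, i), () => window.location.reload())
        .then((ok) => { if (!ok) form.submit(); }) // fall back to normal submit
        .catch(() => form.submit());
    });
  }
}
```

Not following the redirect keeps the browser from requesting the `?ticket=ST-...` URL in the background before the page is reloaded.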

Bergner, Arnold

Nov 19, 2018, 5:46:01 AM
to cas-...@apereo.org

Hi Andy,

 

I found the same problem migrating from 5.2 to 5.3. For me, the redirect after consent was to {cas.url}/{SAML-Service-ID}. I haven’t looked into it yet, but there might be some confusion evaluating the correct callback endpoint. Notice that after consent, the request will go to the internal callback service, including a cas ticket. Consent has the problem of handling consent for the SAML-service, which is a different attribute than the service redirected to. These should be two different flow attributes.

 

Regards,

Arnold
